[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [RFC] Campaign »Buy/Sponsor a relay.«

StrangeCharm and I just had an interesting conversation about this. In short, while this suggestion would diversify trust it would also reduce the entropy of node selection. Not sure which is more important (I'd suspect the former, but could be argued). Cheers! -Damian

(09:30:17 PM) StrangeCharm: hey
(09:31:44 PM) Me: hey there
(09:31:57 PM) StrangeCharm: i just read your or-talk posting
(09:32:06 PM) Me: ah - thoughts?
(09:32:46 PM) StrangeCharm: if we have a small number of really large families, don't the potential anonymity sets get much smaller?
(09:33:29 PM) Me: we already have that situation (say, 500 with comcast, 300 with centurytell, 100 with dreamhost, etc)
(09:34:09 PM) Me: if we're worried about relay operators as the point of failure then yes, big networks like this are bad
(09:34:52 PM) StrangeCharm: you're suggesting that we already have these large 'families', over which end-to-end observation is possible, they're just not well marked?
(09:34:57 PM) StrangeCharm: (and therefore evaded)
(09:35:04 PM) Me: yup
(09:35:55 PM) StrangeCharm: i see.
(09:36:56 PM) StrangeCharm: i take it that you'd argue that we should protect against possible surveillance by known groups, whether or not we think it's occurring, even if it has some mild privacy deficits elsewhere?
(09:38:10 PM) Me: don't follow what you mean by mild privacy defects - but yes, tor's designed to distribute trust (ie, that no one in the network can hurt you) and distributing the trust some more is a good thing
(09:38:55 PM) StrangeCharm: well, if we recommend that nobody connects through multiple comcast nodes, the anonymits sets are smaller
(09:41:04 PM) Me: Hmmm, I see what you mean - yea, you might have a point (though I think we're we're more interested in diversified trust than greater entropy of node selection). We'll see what the tor devs think.
(09:41:30 PM) StrangeCharm: they tend to have good intuitions about these sorts of things
(09:41:36 PM) Me: Mind if I post this conversation on the thread? It brings up a good point.
(09:41:47 PM) StrangeCharm: go right ahead
(09:41:49 PM) Me: thx

On Wed, Mar 10, 2010 at 9:24 PM, Damian Johnson <atagar1@xxxxxxxxx> wrote:
While I understand your concern I disagree since we're already in this boat. I'm currently running a relay with Comcast as my ISP, and if I was going to run an exit I'd go back to the past list correspondence about low-hassle (tor friendly) hosting solutions. In both cases my ISP or hosting provider are seeing the traffic of hundreds of tor relays. They're the points of potential mass data aggregation we should be concerned about for this sort of large scale eavesdropping, not necessarily the relay's operators.

Hence, as long as any hosting entity properly set the 'Family' parameter, I think we should welcome this sort of hired-relay-operation. The proper countermeasure for this problem (imho) would be to grant relays an implied family based on geoip data and known ISP/hoster ip ranges (ie, don't make my circuit through multiple relays hosted by Comcast or, say, in the US).

Just my two cents... cheers! -Damian

On Wed, Mar 10, 2010 at 8:41 AM, Andrew Lewman <andrew@xxxxxxxxxxxxxx> wrote:
On Wed, 10 Mar 2010 11:26:00 +0100, Paul Menzel
<paulepanter@xxxxxxxxxxxxxxxxxxxxx> wrote:

:on the Tor start page [1] there is a message »Help us reach 5,000
: relays in 2010!«
:»I guess for people caring about privacy but not wanting/able to set up
:a server themselves can now be told, you can pay 90 pounds a month [for
:10 Mbps] and you will improve the connectivity of the Tor network.« [me
:on IRC]

We turn down funding when organizations ask us to run relays on their
behalf.  They have the money, but not the technical skills to run
relays.  The risk to The Tor Project, the non-profit entity, is that we
become a target as we could potentially see a large percentage of Tor
network traffic.  This traffic becomes interesting to law enforcement,
criminal organizations, marketers, and others wanting to enumerate Tor

This same concern is true for the funding organization.  A human rights
organization wanted to run either hundreds of relays or to see their
relay names as the top 10 relays in the Vidalia network map for a
year.  They almost looked at the network map/relay list as a branding
opportunity.  However, controlling relays with that much traffic, even
if the relays are dispersed around the world, would turn them into a
data collection target.

I encourage a peer to peer model of getting more relays.  Having
individuals run a relay and contribute the bandwidth that makes sense
seems to be a less risky model.  As the risk is spread out amongst
hundreds or thousands of individuals.  This is a more difficult path
than turning lots of money into relays.  Ultimately, I believe this
path is more sustainable in the long-term.  As committed relay
operators run them for their own reasons, not for a paycheck.

Active areas of research are around "everyone as a bridge" and "everyone
as a relay" if the tor client finds itself reachable by the outside
world.  Getting these options correct without screwing users is
difficult.  However, we are making progress.

In the meanwhile, we need more relays, in particular exit relays, to
help speed up Tor for everyone.

Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/