[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Stricter NEWNYM?

>> cause truly TCP new connections to use a new exit.

Oops, there's word swap in there :)

>> I've commonly seen exits reused within a certain period
>> of time after issuing a NEWNYM.
>> For the users that have such a need, it would be nice if Tor could
>> optionally keep a historical bucket of configurable entry length
>> (whether based upon time and/or number of prior exits used).
>> Such that any such exits would not be reused so long as
>> they remained in the bucket according to its expiry rules.
> This will harm user anonymity.  Circuit path selection must be
> independent of the circuits and exit nodes which a client has
> previously used.

Again, oops. I did mean to remove the instances of the 'path' word
from the above, as I can't see now where it would serve any purpose
to bucket paths. Only the exit bucketing part was what I wanted
to say. I've modified the quote as such. I don't presume your note
applies to the bucketing of only exits? If so, how? As I don't see it.

For example, I commonly do network testing. I want to hit NEWNYM
and never see that same exit over some number of future new TCP
connections. Since some of my destination sets [say port 80] have
the following truth: usable exit count >= number of destinations,
that would work great for me.

>> And as an aside, to the extent it is not already done, different
>> ports on the same host should not necessarily be aggregated over
>> the same (exits). I'd wager that they should not, so as to appear
>> separate to the observer. Mostly for efficiency. Think of
>> checking/writing multiple email accounts on the same provider...
>> via IMAP/POP/HTTP/SMTP...  without exposing too much relatedness
>> due to using the same exit for all at once.
> See proposal 171 (and its surrounding discussion).  Separating streams
> by destination port will not help separate users' web-browsing
> activities from their Internet mail connections.

I again corrected the path word above to exits.

There was an excellent proposals summary posted to dev recently, so
I'll head off to read that before replying further to this part. Yet I will
leave an example. Say a user has multiple email accounts at a provider
using  the same reasonably common GECOS field, 'Bob'. Or the user
may be messaging the same remote destinations from multiple unique
Now, in order to provide an extra degree of separation, the user can:
1) use only http, and have to newnym between serial use of accounts.
2) use http from one exit, https from another, smtp/pop from one,
submission/imap from another. Four accounts, four exits, in parallel.
All to potentially the same single mail provider's IP (fronted by load
balancers, whatever). Excepting human factors, and observing source
addresses, the provider would see the usage as different users. That
separation is a good thing in the anonymity space.

[let's ignore for now that newnym buckets haven't yet been implemented
so as to enable that reliably without explicit exit mapping... the same exit
may recur at some unpredictable time in the future, afaik]
tor-talk mailing list