[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How to find trust nodes?

George writes:

> But ultimately, Tor's topography mitigates against one of the three
> nodes in your circuit being compromised. If the first hop is
> compromised, then they only know who you are, but not where your
> destination is. If the last hop is compromised, they only know where
> you're going, but not who you are (unless your providing clear text of
> personally identifying information).

A challenge is that there are threat models in which a considerable number
of Tor users may be exposed, at least for some of their circuits.

* If a single adversary runs several fast nodes that are popular and whose
  relationship to each other is undisclosed, a pretty high amount of traffic
  may select that adversary's nodes as entry and exit nodes for the same
  circuit.  The guard node design gives a relatively low probability of this
  happening to any individual user with respect to any individual
  adversary in any specific time period, but doesn't guarantee that it
  would be a particularly rare event for Tor users as a whole.

* If adversaries cooperate, they can get benefits equivalent to running many
  nodes even though each one only runs a few.

* If an adversary can monitor network activity and see both entry and exit
  points, for a given circuit, it can perform correlations even though
  it doesn't operate any nodes.  Or, an adversary that can monitor some
  networks can increase its chance of getting visibility of both ends of
  a connection by also operating some nodes, since some users whose entry
  or exit activity the adversary otherwise wouldn't have been able to
  monitor from network surveillance alone may sometimes randomly choose to
  use that adversary's nodes in one of these positions.

* An adversary that can monitor some kind of public or private online
  activity can perform coarse-grained timing correlation attacks between
  its own entry nodes (or parts of the Internet where it can see Tor
  node entry) and the online activity that it can see.  For example, if a
  user regularly uses Tor to participate in some kind of public forum,
  public chat, etc., the adversary could gather data about how entry
  traffic that it can see does or doesn't correlate with that participation.
  Or if an adversary can obtain logs about the use of a particular online
  service, even though those logs aren't available to the general public,
  it can also correlate that statistically with entry data that it has
  available for some other reason.

The "good news" is that a given Tor user is probably not very likely to
be vulnerable to many of these attacks from many adversaries when using
Tor infrequently or for brief periods.  Yet many of these attacks would
work at least some of the time against a pretty considerable amount of
Tor traffic.

I agree with your point that just having more random people run nodes
helps decrease the probability of success of several of these attacks.

Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to