
Re: [tor-bugs] #13790 [Core Tor/Tor]: Refactor and add comments to new_route_len()



#13790: Refactor and add comments to new_route_len()
--------------------------------------------------------+----------------------------------
 Reporter:  dgoulet                                     |          Owner:  catalyst
     Type:  enhancement                                 |         Status:  needs_review
 Priority:  Low                                         |      Milestone:  Tor: 0.3.1.x-final
Component:  Core Tor/Tor                                |        Version:
 Severity:  Normal                                      |     Resolution:
 Keywords:  026-deferrable, tor-03-unspecified-201612   |  Actual Points:
Parent ID:                                              |         Points:
 Reviewer:                                              |        Sponsor:
--------------------------------------------------------+----------------------------------

Comment (by arma):

 Replying to [comment:12 dgoulet]:
 > I'm not aware of security risk of having long circuits like that but it
 > definitely is very bad on the user experience and overall load of the
 > network.

 For posterity: there actually is a subtle anonymity risk that using a
 longer-than-needed path can introduce. Let's say we have a choice between
 using 3-hop circuits in Tor and using 6-hop circuits in Tor, and we have
 an adversary who runs some relays and tries to learn what destinations
 each user goes to.

 For illustration, let's assume we don't use the entry guard design. The
 adversary's strategy is "if any of your relays are on a circuit, but you
 don't own the first and last relay on that circuit, then fail the circuit
 (and hope they try building a new one)." In just a passive attack, an
 adversary who runs 10% of the network has a .1*.1=0.01 chance of being
 able to learn your destinations, but with this strategy, it's better than
 .01 -- and the longer the path length, the more likely the adversary is to
 be in a position to tear down circuits he can't beat, so the bigger the
 success rate gets.

 See https://www.freehaven.net/anonbib/#ccs07-doa for details.

 Now, the entry guard design complicates the attack, because no matter how
 many times the attacker tears down the circuit, the user isn't going to
 budge from their guard. Maybe entry guards resolve the attack entirely,
 because either the attacker doesn't own the guard and they can't win, or
 they do own the guard, and then they're on the circuit no matter how many
 hops the circuit has?

 Actually, maybe using *one* entry guard resolves the attack, because if
 you have say three guards, then the attack still works, it's just much
 more limited? (If the attacker controls some but not all of your guards,
 then he can do the attack to shift your circuits more onto the guards he
 controls.)

 In any case, there's your potential anonymity implication to longer
 circuits. So it isn't *just* higher latency for users and more load on the
 network that makes us want to avoid them.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13790#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
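
The arithmetic in the comment above, worked through for 3-hop and 6-hop paths as an added example (not part of the original message and not Tor code). It assumes, as the comment does, no entry guards, and additionally that each hop is picked independently with probability f of being adversarial and that the client rebuilds until a circuit survives; all function names are made up for illustration.

```python
"""Selective circuit failure vs. path length, without entry guards.

Model assumptions (added here, not from the ticket): hops are chosen
independently, each is adversarial with probability f, and the client keeps
rebuilding until a circuit is not failed.
"""
import random


def passive_rate(f):
    # A purely passive adversary needs both the first and the last hop.
    return f * f


def selective_failure_rate(f, hops):
    # Per attempt: the adversary wins with f^2 (owns first and last hop),
    # the circuit is untouched with (1-f)^hops (no adversarial relay on it),
    # and every other circuit is failed and rebuilt. Condition on the
    # circuit surviving.
    win = f * f
    untouched = (1 - f) ** hops
    return win / (win + untouched)


def simulate(f, hops, clients, seed=1):
    # Monte Carlo check of the closed form above.
    rng = random.Random(seed)
    compromised = 0
    for _ in range(clients):
        while True:
            path = [rng.random() < f for _ in range(hops)]
            if path[0] and path[-1]:
                compromised += 1   # adversary sees both ends
                break
            if not any(path):
                break              # honest circuit, nothing to fail
            # otherwise an adversarial relay fails the circuit; retry
    return compromised / clients


if __name__ == "__main__":
    f = 0.1
    print(f"passive: {passive_rate(f):.4f}")
    for hops in (3, 6):
        print(f"{hops} hops: closed form {selective_failure_rate(f, hops):.4f}, "
              f"simulated {simulate(f, hops, 200_000):.4f}")
```
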