Re: [tor-bugs] #13790 [Core Tor/Tor]: Refactor and add comments to new_route_len()
#13790: Refactor and add comments to new_route_len()
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  catalyst
     Type:  enhancement                          |         Status:  needs_review
 Priority:  Low                                  |      Milestone:  Tor: 0.3.1.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  026-deferrable,                      |  Actual Points:
            tor-03-unspecified-201612            |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arma):

Replying to [comment:12 dgoulet]:
> I'm not aware of security risk of having long circuits like that but it
> definitely is very bad on the user experience and overall load of the
> network.

For posterity: there actually is a subtle anonymity risk that using a
longer-than-needed path can introduce. Let's say we have a choice between
using 3-hop circuits in Tor and using 6-hop circuits in Tor, and we have
an adversary who runs some relays and tries to learn what destinations
each user goes to.

For illustration, let's assume we don't use the entry guard design. The
adversary's strategy is "if any of your relays are on a circuit, but you
don't own the first and last relay on that circuit, then fail the circuit
(and hope they try building a new one)." In just a passive attack, an
adversary who runs 10% of the network has a .1*.1=0.01 chance of being
able to learn your destinations, but with this strategy, it's better than
.01 -- and the longer the path length, the more likely the adversary is to
be in a position to tear down circuits he can't beat, so the bigger the
success rate gets.

See https://www.freehaven.net/anonbib/#ccs07-doa for details.

Now, the entry guard design complicates the attack, because no matter how
many times the attacker tears down the circuit, the user isn't going to
budge from their guard. Maybe entry guards resolve the attack entirely,
because either the attacker doesn't own the guard and they can't win, or
they do own the guard, and then they're on the circuit no matter how many
hops the circuit has?

Actually, maybe using *one* entry guard resolves the attack, because if
you have say three guards, then the attack still works, it's just much
more limited? (If the attacker controls some but not all of your guards,
then he can do the attack to shift your circuits more onto the guards he
controls.)

In any case, there's your potential anonymity implication to longer
circuits. So it isn't *just* higher latency for users and more load on the
network that makes us want to avoid them.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13790#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
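
The path-length effect described in the comment above, worked through numerically as an added example (not part of the original message, the cited paper, or Tor's code). It assumes a simplified model: hops are adversarial independently with probability f, the client rebuilds until a circuit survives, and the function names are made up for this illustration.

```python
# Added illustration: not from the ticket, the cited paper's code, or Tor.
# Assumed model: each freshly chosen hop is adversarial independently with
# probability f (no bandwidth weighting); the adversary fails every circuit
# it sits on unless it holds both the first and last hop; the client keeps
# rebuilding until one circuit survives.

def _check(f: float, hops: int) -> None:
    if not 0.0 < f < 1.0:
        raise ValueError("f must be strictly between 0 and 1")
    if hops < 2:
        raise ValueError("need at least two hops (distinct first and last)")

def no_guard_rate(f: float, hops: int) -> float:
    """P(the surviving circuit is compromised), every hop chosen fresh."""
    _check(f, hops)
    both_ends = f * f               # kept: adversary sees entry and exit
    untouched = (1.0 - f) ** hops   # kept: adversary is on no hop at all
    return both_ends / (both_ends + untouched)

def guard_rate(f: float, hops: int, guards: int, bad_guards: int) -> float:
    """Same, with hop 1 drawn uniformly from a fixed guard set."""
    _check(f, hops)
    if guards < 1 or not 0 <= bad_guards <= guards:
        raise ValueError("need 0 <= bad_guards <= guards and guards >= 1")
    p_bad = bad_guards / guards
    both_ends = p_bad * f
    untouched = (1.0 - p_bad) * (1.0 - f) ** (hops - 1)
    return both_ends / (both_ends + untouched)

if __name__ == "__main__":
    f = 0.1  # the 10% adversary from the comment
    print(f"passive baseline, no guards: {f * f:.4f}")
    print("hops  no-guards  1-of-3-guards-bad  1-of-1-guard-bad")
    for hops in range(3, 7):
        print(f"{hops:4d}  {no_guard_rate(f, hops):9.4f}  "
              f"{guard_rate(f, hops, 3, 1):17.4f}  "
              f"{guard_rate(f, hops, 1, 1):16.4f}")
```

Under these assumptions the no-guard and partly-compromised-guard-set columns grow with every added hop, while the single-guard column does not depend on path length at all.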