[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 188: Bridge Guards and other anti-enumeration defenses

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal 188: Bridge Guards and other anti-enumeration defenses
From: Robert Ransom <rransom.8774@xxxxxxxxx>
Date: Thu, 20 Oct 2011 18:00:20 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 20 Oct 2011 14:00:35 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=MN9n5Nys0OGbSfi/F7FgQlrfy/DgfeuxX8thpRmGpeQ=; b=sxDzwxpzPpuuoMUISlmiq+vnZkqCBix+TgirirnXtB8Vaiq3GqMa1HrCEc0vPdVYbo 2RRzxdAvFvC2k9DDgDSl64xOSl4MDyFq38I15Oo0nkLOsDEPlUbACa+wnemL8TODF0iO BNrFl9zOy0Ii2niZNTcpQXoDJsDI6JR/+IomE=
In-reply-to: <CAKDKvuxp+NathAA6fJdCEWYveKxjENmJ8v306P4Csc4X2ZhhoQ@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuxp+NathAA6fJdCEWYveKxjENmJ8v306P4Csc4X2ZhhoQ@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx

On 2011-10-20, Nick Mathewson <nickm@xxxxxxxxxxxxxx> wrote:

> 4.3. Separate bridge-guards and client-guards
>
>    In the design above, I specify that bridges should use the same
>    guard nodes for extending client circuits as they use for their own
>    circuits.  It's not immediately clear whether this is a good idea
>    or not.  Having separate sets would seem to make the two kinds of
>    circuits more easily distinguishable (even though we already assume
>    they are distinguishable).  Having different sets of guards would
>    also seem like a way to keep the nodes who guard our own traffic
>    from learning that we're a bridge... but another set of nodes will
>    learn that anyway, so it's not clear what we'd gain.

Any attacker who can extend circuits through a bridge can enumerate
the set of guard nodes which it routes its clients' circuits through.
A malicious middle relay can easily determine the set of entry guards
used by a hidden service, and over time, can determine the set of
entry guards used by a user with a long-term pseudonym.  If a bridge
uses the same set of entry guards for its clients' circuits as it does
for its own, users who operate bridges can be deanonymized quite
trivially.

Robert Ransom
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Proposal 188: Bridge Guards and other anti-enumeration defenses
  - From: Nick Mathewson

Prev by Author: Re: [tor-dev] Survey on Tor Trac usage and how you manage your tasks
Next by Author: Re: [tor-dev] Proposal 186: Multiple addresses for one OR or bridge
Previous by thread: Re: [tor-dev] Proposal 188: Bridge Guards and other anti-enumeration defenses
Next by thread: Re: [tor-dev] Proposal 186: Multiple addresses for one OR or bridge
Index(es):
- Author
- Thread