commit 1ca57049a6858a4efb2baa14cf31e4a874b9e4ec
Author: Steven Murdoch Steven.Murdoch@cl.cam.ac.uk
Date: Mon Nov 12 17:24:07 2012 +0000

Add discussion of bridges, censorship resistance, and pluggable transports
---
 todo | 2 +-
 tor-design-2012.tex | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletions(-)
diff --git a/todo b/todo index 3c4e430..ac44c7f 100644 --- a/todo +++ b/todo @@ -19,7 +19,7 @@ ITEMS: o Cell queueing and scheduling. . Integrate content from the second blog post [steven] o guard nodes - - Bridges, censorship resistance, and pluggable transports + o Bridges, censorship resistance, and pluggable transports - Changes and complexities in our path selection algorithms o stream isolation . Integrate content from the third blog post [steven] diff --git a/tor-design-2012.tex b/tor-design-2012.tex index d163891..2f48cbb 100644 --- a/tor-design-2012.tex +++ b/tor-design-2012.tex @@ -1953,6 +1953,45 @@ in source code form, encourage source audits, and frequently warn our users never to trust any software (even from us) that comes without source.\
+\emph{Block access to the network.} An attacker who controls a +user's Internet connection can block access to the Tor network +by blocking connections to the directory authorities and/or Tor +nodes. The IP addresses of the former are embedded in every copy +of Tor and the IP addresses of the latter can be easily found by +asking the directory authorities. Tor resists this attack by +having an additional type of OR -- the ``bridge node'' which is +distinguished from other ORs by not having its IP address +included in the directory. Operators of bridge nodes publish +their IP address to a single bridge authority which distributes +IP addresses to users in a way to resist an attacker being able +to enumerate (and thus block) them all. Currently bridge IP +addresses are made available on a website (where requests from +the same source IP address always get the same answer) and via +email (where requests from the same email address always get the +same answer). Bridge IP addresses are also distributed by +personal contacts. + +Bridges resist blocking access to the Tor network by IP address, +but do not prevent an attacker blocking by protocol fingerprint. +Tor's use of TLS is designed to provide some resistance against +this attack, through impersonating HTTPS, but due to efficiency +and simplicity considerations, it does not give perfect +protection. Steganographic transports (e.g. embedding data in +images) would improve resistance to fingerprinting but at a high +cost to effeciency so would not be appropriate for all users. +Also, users in some countries may need to disguise their traffic +as different protocols due to particular policies in place. +Therefore the protocol-fingerprinting-resistance part of Tor has +been left the responsibility of an external ``pluggable +transport'' program, which is responsible for obfuscating Tor's +TLS traffic at the OP end, and converting it back to TLS at the +bridge. 
Since the pluggable transport operates on TLS +ciphertext, which would otherwise be sent directly over the +network, it can't harm the security properties Tor provides, and +so Tor users can accept pluggable transports written by +third-parties, as long as they are confident the software is not +malicious. + \noindent{\large\bf Directory attacks}\ % This whole section is mostly wrong now. -NM % Needs a discussion of epistemic attacks. -NM
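Review bot: in the tor-design-2012.tex hunk, the last added sentence says the pluggable transport "can't harm the security properties Tor provides" and then makes acceptance conditional on users being "confident the software is not malicious", and the two halves pull against each other. The justification given (the transport operates on TLS ciphertext) only covers the data path, so I would scope the claim to that, for example "it cannot weaken the protection Tor's TLS layer gives to the traffic it carries", and state the remaining trust separately: the transport is an external program run at the OP end and it handles the connection to the bridge, which is why the "not malicious" condition is needed. Two smaller points in the same hunk: "effeciency" should be "efficiency", and "in a way to resist an attacker being able to enumerate (and thus block) them all" would read more clearly as "in a way that resists an attacker enumerating (and thus blocking) them all".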