Hi Jeremy,
On 28 Jun 2019, at 06:35, Jeremy Rand jeremyrand@airmail.cc wrote:
> - Per-peer stream isolation prevents a single exit relay from feeding the user a chain that's not the longest chain, so it's desirable from a Bitcoin security point of view.
Tor itself uses 3 directory guards to make sure that one guard can't feed it bad data.
If you use one exit, and it happens to be malicious, all your peers are accessed via that bad exit.
But if you use 8 exits, then it's very unlikely that all of them will be malicious in exactly the same way. But it makes it 8x more likely that any one of your exits will be malicious.
It's also worth using multiple circuits for redundancy, so a single exit can't deny service to all 8 of your peers. (As noted on the pull request.)
So it's a tradeoff, based on the protocol. For example:
* If you were mainly worried about exploits, then you'd want one exit.
* If you are worried about short chains or denial of service, then you'd want many exits.
If you don't know which one to choose, follow Tor Browser, which uses many exits.
(The right way to deal with exploits is to fix those bugs, and use coding practices that make them less likely.)
> - Per-peer stream isolation would mean more potential for one of the circuits being deanonymizable, via traffic analysis etc. It's not clear to me whether this amount of increased circuits is harmful, or how it compares to other common usage of Tor such as Tor Browser (which uses first-party stream isolation, so a user with a lot of tabs open may very well have 8 or more circuits in use at once).
It's not quite that simple:
If you send traffic from all 8 peers over one circuit, then a pattern might be visible on your client to guard, and exit to internet connections. That pattern makes correlation easier.
Using 8 circuits splits the traffic pattern across 8 different exit locations on the internet, so correlation is harder.
I'd follow Tor Browser on this one, too.
> - Per-peer stream isolation puts more load on the Tor network. It's not clear to me whether this increased load (8 circuits instead of 1) is so much that it's harmful.
Every Tor client tries to keep 6+ pre-emptive circuits open, so that new requests have lower latency. So you're really looking at doubling your circuit load, not multiplying it by 8.
Once the circuits are built, there's not much extra load splitting the streams across 8 circuits, because it's already split into streams and cells within the protocol.
And you're right, Tor Browser can use lots more than 8 circuits, so I wouldn't worry about it.
Do you know how much load Bitcoin places on the Tor network?
If it's a lot, one good answer is to encourage users to run relays, or to donate to organisations that run relays. (Or donate to Tor, so we can make the network more efficient.)
T
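
One way a client can request the per-peer isolation discussed in this thread, as an added example that is not part of the original email or of any project's code: Tor's SocksPort by default (IsolateSOCKSAuth) does not share circuits between streams that present different SOCKS5 username/password pairs, so giving each peer its own credentials keeps the peers on separate circuits. The peer names, the `PeerIsolation` class and the function names are constructed for illustration.

```python
import secrets
import struct

# Constructed sample peers (host, port); not real nodes.
PEERS = [(f"peer{i}.example", 8333) for i in range(1, 9)]

def socks5_messages(host, port, username, password):
    """Client messages for a SOCKS5 CONNECT with username/password
    authentication (RFC 1928 greeting and request, RFC 1929 auth)."""
    user, pw, name = username.encode(), password.encode(), host.encode()
    if not all(1 <= len(f) <= 255 for f in (user, pw, name)):
        raise ValueError("SOCKS5 length fields are a single byte")
    greeting = b"\x05\x01\x02"  # version 5, one method offered: 0x02
    auth = b"\x01" + bytes([len(user)]) + user + bytes([len(pw)]) + pw
    # CONNECT (0x01) to a domain name (ATYP 0x03), port in network order
    connect = (b"\x05\x01\x00\x03" + bytes([len(name)]) + name
               + struct.pack(">H", port))
    return greeting, auth, connect

class PeerIsolation:
    """Hypothetical helper: hands out the SOCKS credentials per peer."""

    def __init__(self, per_peer=True):
        self.per_peer = per_peer
        self._shared = self._fresh()
        self._by_peer = {}

    @staticmethod
    def _fresh():
        # The values only need to differ between peers.
        return secrets.token_hex(8), secrets.token_hex(8)

    def credentials(self, peer):
        if not self.per_peer:
            return self._shared          # one isolation group for everything
        if peer not in self._by_peer:
            self._by_peer[peer] = self._fresh()
        return self._by_peer[peer]

    def isolation_groups(self, peers):
        """Peers whose streams Tor is allowed to put on the same circuit."""
        groups = {}
        for peer in peers:
            groups.setdefault(self.credentials(peer), []).append(peer)
        return list(groups.values())

if __name__ == "__main__":
    for mode in (False, True):
        print("per_peer =", mode, "->", len(PeerIsolation(mode).isolation_groups(PEERS)), "group(s)")
```

Reusing the stored credentials when reconnecting to the same peer keeps that peer in its own isolation group instead of creating a new one on every reconnect.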