On Fri, 17 Mar 2017 18:12:11 +0000, Jaskaran Singh wrote: ...
Currently, guard relays and bridges maintain a list of IP addresses of the devices that connect to them for various reasons such as for use by the bridge to check which country has them blocked. This is dangerous because if any of these tor instances get compromised, clients will be de-anonymized.
As an adversary, I wouldn't take down the bridge but either monitor the traffic to it ($country can also do this on its border gateways), or modify it to tell me the connecting IP addresses.
End users tend to be on dynamic IP addresses, so stored IP addresses aren't of much worth when you don't know when they were used; that is a reason why $adversary might be more interested in snooping than in compromising the bridge.
(Although I don't know how prevalent changing IP addresses still are when you're online permanently. E.g. here in Germany Telekom changes to all-IP, and there no longer disconnects after 24h, and thus you don't change IPs every day.)
...
present in the set. The feature of this bitmap is that collisions could happen. And this collision creates deniability. When collisions happen,
The problem is that for the accounting purposes you don't want (too many) collisions, and also that state agencies don't necessarily care for plausible deniability - if an IP address is found by enumeration and probing the bloom filter they might still decide to put that user on closer watch. (I've heard that a lot of the traditional telephone tapping isn't used as evidence in court but produces leads to where to investigate next.)
On the other hand you can indeed keep the filter rather small because one bridge doesn't get that many collisions, and you don't need to make it anywhere as big as to avoid collision with 2^32 entries. Could also be dynamically sized depending on the number of clients seen - you need aging anyway, so the next table can have a different size.
You can also go and poison the bloom filter with some random addresses, even a lot, actually. If we're talking of 2000 users you can easily throw in another 2000 random addresses without decreasing the precision of the statistics much - only on a size comparable to collisions in the bloom filter itself.
- Andreas
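
An added example, not part of the message above and not Tor's code: a small Bloom filter loaded with 2000 constructed client addresses plus 2000 random decoys, showing that the client count is still recoverable from the fill ratio once the known decoy count is subtracted, while clients and decoys are indistinguishable on lookup. The filter size (2^16 bits), k = 4 hash positions and all names are assumptions made for the illustration.

```python
import hashlib
import math
import random

class BloomFilter:
    def __init__(self, m_bits, k):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def estimate_count(self):
        # Cardinality from the fill ratio: n ~ -(m/k) * ln(1 - X/m), X = set bits.
        x = sum(bin(b).count("1") for b in self.bits)
        return -(self.m / self.k) * math.log(1 - x / self.m)

def simulate(n_clients=2000, n_decoys=2000, m_bits=1 << 16, k=4, probes=20000, seed=1):
    rng = random.Random(seed)  # constructed sample data, not real client addresses
    total = n_clients + n_decoys + probes
    addrs = [a.to_bytes(4, "big") for a in rng.sample(range(2**32), total)]
    clients = addrs[:n_clients]
    decoys = addrs[n_clients:n_clients + n_decoys]
    unseen = addrs[n_clients + n_decoys:]
    bf = BloomFilter(m_bits, k)
    for a in clients + decoys:
        bf.add(a)
    return {
        # The operator knows how many decoys it inserted and subtracts them.
        "estimated_clients": bf.estimate_count() - n_decoys,
        # Clients and decoys both test positive; the filter cannot tell them apart.
        "clients_positive": sum(a in bf for a in clients),
        "decoys_positive": sum(a in bf for a in decoys),
        # Addresses never inserted that still test positive (collisions).
        "false_positive_rate": sum(a in bf for a in unseen) / probes,
    }

if __name__ == "__main__":
    print(simulate())
```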