Is there any documentation on self-hosting a bridge at home and using it for your own connections? I am trying to understand why this isn't a recommended setup, would it lead to de-anonymization? Why/how much?
• your traffic blends with other users directly via the same connection
• other users use your bridge on a regular basis together with you and your hidden services
• ISP monitoring of your exact connection times is made harder (not sure how much exactly)
I don't understand why hosting a bridge outside of your geographic location is necessary?
Is it a problem that the first hop is from your own IP address if the other two hops are external? Were there any studies or similar questions asked before? I couldn't find anything.
I can't find help anywhere, so would appreciate any advice.
On 24/03/2025 16:48, bjewrn2a--- via tor-relays wrote:
Tersely: CWE-656.⁽¹⁾
If you have nothing to hide about your security, you have nothing to fear. But in the proposed setup you have something to hide, and therefore to fear about.
The approach relies entirely on the adversary not being aware how things are set up. With this reasoning we could simplify it even further. Set up your own exit node, connect directly from it, skipping the entire Tor. As long as the adversary doesn’t know, you blend into traffic and can’t tell the difference.
But this isn’t how security works and security through obscurity is a frequent anti-pattern. Tor’s security is rooted firmly in maths and the network’s design, which are completely open. Whatever the adversary knows about them, it’s of little help. The guarantees of high cost to circumvent the protection still hold.
With the proposed setup you throw away those guarantees. Replace them with little more than hope. Yes, it does provide some protection. But this is the same kind of protection as hiding keys under the doormat.
Cheers,
mpan
____
⁽¹⁾ https://cwe.mitre.org/data/definitions/656.html
bjewrn2a--- via tor-relays wrote:
Why do you think this is a good setup, what do you think it provides in addition to the default usage?
Example: a significant number of attacks (because servers in the Tor network by design are not blindly trusted) are reduced by making the first hop in the Tor network (Guard, or bridge in case bridges are used) static for a certain period of time. Tor tries as hard as possible not to change this entry point randomly every time, for good reasons.
If you use a bridge hosted on the same machine, or same LAN, it will connect to the Tor network just fine, but every circuit will select hops #2 and #3 (the exit) randomly. After N circuits, there is a 100% probability you might run into a malicious hop #2 or hop #3 or even both at the same time, discovering "your entry point" - the IP address where you connect from. N might not be a small number of course, but it's a VERY scary and huge problem anyway, so it's something Tor tries really really hard to protect you from.
If you make this bridge public (other Tor users use it too), it provides better protection and fingerprinting for hops #2 and #3, but your ISP will then know which Tor traffic is yours and which is relayed for other Tor users, because it will simply measure the bandwidth in both directions (in and out).
The studies are everywhere, and it's one of the most important attacks that were tested. Search why we switched to static Guards (entry points).
You are better off using a bridge operated by you but on a different network, maybe a different geographic area, to make it harder for an observer (e.g. to have to watch multiple different places at once). And I'm not sure if there are any clear studies about how much more likely de-anonymization is if you use a bridge that is not public (PublishServerDescriptor 0 in torrc) and only you use it, but my humble opinion, which you should not take as advice but rather verify for yourself, is to use a bridge that is shared with other users.
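Added example, not part of any message in this thread: a simplified model of the guard argument in the message above. It assumes each relay pick is malicious independently with probability `f` (a constructed figure, not a measurement) and that the IP of a private home bridge identifies its operator; all function names are illustrative.

```python
import math
import random

def closed_form(f, n):
    """Probability that a malicious relay learns the client's own IP within n circuits."""
    any_of_n = 1 - (1 - f) ** n
    return {
        # Entry is your own IP: every fresh middle relay sees it directly.
        "home_bridge": any_of_n,
        # One long-lived guard: only that single pick can see your IP.
        "static_guard": f,
        # Hypothetical design with a new entry per circuit, for comparison.
        "rotating_entry": any_of_n,
    }

def circuits_until(f, target):
    """Smallest n at which the home-bridge exposure probability reaches target."""
    return math.ceil(math.log(1 - target) / math.log(1 - f))

def simulate(f, n, trials=5000, seed=7):
    """Monte Carlo check of closed_form under the same independence assumption."""
    rng = random.Random(seed)
    hits = {"home_bridge": 0, "static_guard": 0, "rotating_entry": 0}
    for _ in range(trials):
        # Static guard: a single draw decides the whole period.
        hits["static_guard"] += rng.random() < f
        # Home bridge: one middle draw per circuit, any bad one sees the home IP.
        hits["home_bridge"] += any(rng.random() < f for _ in range(n))
        # Rotating entry: one entry draw per circuit.
        hits["rotating_entry"] += any(rng.random() < f for _ in range(n))
    return {name: count / trials for name, count in hits.items()}

if __name__ == "__main__":
    f, n = 0.01, 500  # constructed values: 1% malicious picks, 500 circuits
    print("closed form:", closed_form(f, n))
    print("simulated:  ", simulate(f, n))
    print("circuits for 50% exposure:", circuits_until(f, 0.5))
```

Real guard selection is bandwidth-weighted and guards do eventually rotate, so the static-guard figure here is a per-guard-period value under this model only.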
Thank you mpan, I agree, is the problem that I am using: 1. the same entry node for every circuit? 2. entry node can be traced to me directly, because it's hosted in my geographic location (at home)?
I agree that blending your traffic with other users is security by obscurity and it's not worth the cost of weakening the tor network model. But what if you used tor normally, not through your own bridge, but through "regular" randomly chosen 3-hop circuits, and at the same time ran a tor relay (entry/middle) that regularly hosts tor traffic of other users? Is it incorrect to assume that this would add some level of obscurity that would benefit your anonymity? This wouldn't require weakening the tor circuit model anymore.
s7r
Why do you think this is a good setup, what do you think it provides in addition to the default usage?
I thought this will let you blend in your traffic and hide it from your ISP, however as you mentioned later this may be not worth the risk (if it's of any benefit, at all). Also a vanguards guide mentioned that you could reuse tcp connections of other users: https://github.com/mikeperry-tor/vanguards/blob/master/README_SECURITY.md#th...
That is brilliant, yes, I thought there would be something implicit in the way Tor circuits are designed that wouldn't work with this setup. This now makes perfect sense. That is conclusive to me.
You don't think that blending your traffic with other users "at the source address" (for example by running a middle/entry node) adds at least some layer of obscurity (protection from ISP)? I am wondering if it wouldn't be an argument to convince all tor users to also run their own relays to increase protection of their own anonymity against their ISPs? This blending was hinted at for hidden services at least in the guide to vanguards I linked above: https://github.com/mikeperry-tor/vanguards/blob/master/README_SECURITY.md#th...
The studies are everywhere, and it's one of the most important attacks that were tested. Search why we switched to static Guards (entry points).
Yes, I saw it mentioned a few times that entry nodes don't change as often as other two hops to minimize chances of getting a malicious one, but I didn't make the association in my setup, which you made now - thanks again.
Yes, that was my conclusion as well and likely not just one bridge but a fleet of bridges from trusted hosting companies. That's much more work.
use a bridge that is shared with other users
completely agree
bjewrn2a--- via tor-relays wrote on 3/25/25 16:23:
That's pretty much my situation. I have a non-exit node at home, and I sometimes use Tor normally, for example with Torbrowser, which doesn't know it's sitting on a tor node and connects with the usual 3 hops.
Should anyone look at the traffic at my ip, he would see a constant flow towards other Tor nodes, and wouldn't know when it's also me browsing.
I really don't see any danger in this. I believe it would be worse if my personal Tor traffic popped up at specific moments among normal traffic. An observer would at least know when I'm Tor-ing. I don't see how this scenario would be better. Am I wrong?
My two cents, bye, Marco
Yes
Yes up until word “because.” Geographic location is irrelevant or only tangentially relevant. The entry node itself is the identity.
that identifies you, the more confused an adversary is. It also makes naïve correlation attacks impossible,⁽¹⁾ and increases cost of more advanced ones. ____ ⁽¹⁾ Ones incapable of dealing with noisy datapoints.
I have a non-exit node at home, and (...) I use Torbrowser that connects with the usual 3 hops.
Thanks Marco, yes, that's what I'm hoping to set up now as well, however I haven't seen this setup recommended on the official torproject websites. If you are aware of any published studies or anything mentioned at conferences, please let me know. Tor network is a complex subject and although it makes sense to me it doesn't mean that a professional would take the same approach.
That is great news mpan, thank you. That would incentivize users to also become relays - why isn't it recommended more often? This is the first time I ever hear about it and it sounds like a powerful idea. Normally I only see tor relay operators claim that they run tor relays purely altruistically: https://www.reddit.com/r/TOR/comments/6znjkg/why_would_anyone_setup_a_tor_re... Are you aware of any articles from torproject or research papers confirming that hosting tor relay at your own IP does in fact help your own traffic blend in? I've looked through all tor proposals (https://spec.torproject.org/proposals) and many research papers (https://www.freehaven.net) and couldn't find any mentions of this?
bjewrn2a--- via tor-relays wrote on 3/26/25 22:48:
Sorry bjewrn2a,
I'm not aware of any paper about my approach. It just makes sense to me, and apparently to other people in this thread. Hopefully somebody from the Tor Olympus will tackle the subject one day.
Bye, Marco
On 3/26/25 11:56, bjewrn2a--- via tor-relays wrote:
That would incentivize users to also become relays - why isn't it recommended more often?
All Tor relays -- even non-exit relays -- are in a public list. Many sites and services block access to all traffic coming from a Tor relay IP address. Either they don't understand how Tor works or (more likely, in my experience) they're just hostile to Tor.
If you host a relay on your home IP, you'll likely find that you are blocked from streaming services and other web sites (Cloudflare, for one, facilitates this and by some reports they control about 30% of web traffic).
To know why Tor Project itself doesn’t speak on this matter, you’d need to wait for a reply from somebody from the project.
I may speculate, that the two topics are orthogonal: running a relay and using Tor. They don’t interfere with each other. In your original question they didn’t either. The problem was not running a relay and using Tor, but using Tor with the number of hops effectively reduced.
It would also be poor advice, if directed towards a person wishing to only connect to Tor. Running a relay from home isn’t without downsides. Both for the operator (bandwidth use, facing hostility) and the network itself (a completely inexperienced person is an easier attack target).
you to any research that confirms, that downloading 500 kB/s and 200 kB/s over Tor requires 700 kB/s. It’s a trivial consequence of basic knowledge for the given field. In this case probabilistics, flavored with practicality of correlation attacks and with signal processing basics (none of this in Tor specifically).
I would worry about my IP address at home ending up on a blacklist, even with a bridge. Google and Microsoft have hidden blacklists with secret criteria to be listed there, and to get off them once listed is a long-winded pain. You only know there is an issue when emails won't arrive at gmail or Microsoft managed accounts and some web pages won't load.
WebTunnel https bridges seem safe so far, and my three have not ended up on blacklists on my VPS servers. I think because they are still a minority sport and have not been found by the blacklisting pedants.
Gerry
-----Original Message-----
From: Marco Predicatori via tor-relays tor-relays@lists.torproject.org
Sent: 28 March 2025 08:02
To: tor-relays@lists.torproject.org
Subject: [tor-relays] Re: Self hosting bridge at home - de-anonymization risk?
bjewrn2a--- via tor-relays wrote on 3/26/25 22:48:
I have a non-exit node at home, and (...) I use Torbrowser that connects with the usual 3 hops.
professional would take the same approach.
Sorry bjewrn2a,
I'm not aware of any paper about my approach. It just makes sense to me, and apparently to other people in this thread. Hopefully somebody from the Tor Olympus will tackle the subject one day.
Bye, Marco
True, I believe the original question is solved now - as you pointed out, my proposal of self-hosting and using a guard node from your public IP would put it at risk of de-anonymization through various attacks that the tor network and many new proposals try hard to avoid (vanguards in arti is a great example). You rightly mentioned that the guard node is intentionally set for longer periods to make it less likely for a malicious relay to be chosen.
There were two aspects to this question. 1. whether it's a de-anonymization risk, which you solved. 2. whether hosting tor traffic of other users around your public IP will help you blend in and strengthen your anonymity. While it makes sense to me and I believe to other users as well if performed via a separate relay, but I would prefer to find more third party academic source, ideally from torproject itself to confirm that.
If anything, Alphabet and Microsoft are among the last ones to make a fuss about running a relay. Whatever I think of both companies, nowadays their security teams are top notch experts. Their actions aren’t rooted in hearsay and ignorance. In 10 years, including an early experiment with a limited exit relay, I experienced zero issues.
In my experience the biggest offenders are:
• Governmental agencies and companies, with their networks run by absolute ignorants. Hardly capable of using a computer, shielded from the outside influence by procedures, protected from responsibility by operating within a political environment.
• Small entities, both commercial and not, which are ignorant or lack resources to remedy the situation. They hear word “Tor,” they think “evil,” they blackhole packets, period. There isn’t even a way to contact them.
• Companies offering security-as-a-product, or rather their customers. Customers blindly delegate tasks to the company, usually waiving their agency in that matter. The solution suppliers primarily care about brand image and marketing, not about actual quality. End of story, you’re trapped between “we can do nothing” and “we don’t care.”