[metrics-bugs] #21315 [Circumvention/Snowflake]: publish some realtime stats from the broker?

Thu May 16 21:29:11 UTC 2019

#21315: publish some realtime stats from the broker?
-------------------------------------+--------------------------------
 Reporter:  arma                     |          Owner:  (none)
     Type:  enhancement              |         Status:  needs_revision
 Priority:  Medium                   |      Milestone:
Component:  Circumvention/Snowflake  |        Version:
 Severity:  Normal                   |     Resolution:
 Keywords:                           |  Actual Points:
Parent ID:  #29461                   |         Points:
 Reviewer:  irl                      |        Sponsor:  Sponsor19
-------------------------------------+--------------------------------
Changes (by irl):

 * status:  needs_information => needs_revision

Comment:

 Number of currently available snowflake proxies is not sensitive. We do
 not make any efforts to hide the numbers of relays or bridges, and so this
 can be an exact count. The question here is not the count resolution but
 the time resolution. (Sorry to answer your question with a question.)

 If I'm an attacker, can I learn anything about a client if I can observe
 the client's traffic and the exact count of snowflakes. For example, what
 do I learn if a snowflake that a client is using disappears? I'm not sure
 what the snowflake protocol does in this case.

 I'm not sure what you mean with the GeoIP stats. If these are stats
 regarding the locations of proxies, again exact counts would be fine and
 would be in line with what we do for relays and bridges at the moment. If
 this is for clients, we should aim to provide differential privacy. I fear
 that at the moment, we are not seeing enough users that we can safely
 report GeoIP stats (usefully) for clients at all. With relays and bridges,
 we round the counts up to the nearest multiple of 8.

 Round trip time of snowflake rendezvous sounds like a really useful metric
 for engineering work, but a dangerous one for safety. This would be a good
 candidate for PrivCount but without such a technique I wouldn't do this
 one. We currently measure performance of relays using active measurement,
 such that we are only analyzing our own traffic. We have extended that
 tool, OnionPerf, to also work for pluggable transports but it will do the
 end-to-end performance not just client->snowflake.

 Can you lay out in detail exactly what metrics you'd want, what resolution
 data you want (both in counts and in time) and what you might consider an
 attacker could learn, assuming they are in a position to monitor, or are
 running, a point in the network?

 Section 2.1.2 of dir-spec contains some examples of descriptions of
 metrics.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21315#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online