[tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Aug 4 00:17:11 UTC 2011


#3678: Disallow more than one relay per country in a circuit
-------------------------+--------------------------------------------------
 Reporter:  cypherpunks  |          Owner:                   
     Type:  enhancement  |         Status:  needs_information
 Priority:  major        |      Milestone:                   
Component:  Tor Client   |        Version:                   
 Keywords:               |         Parent:                   
   Points:               |   Actualpoints:                   
-------------------------+--------------------------------------------------

Comment(by ioerror):

 Replying to [comment:7 rransom]:
 > Replying to [comment:6 ioerror]:
 > > It seems to me that it's a reasonable option. I've long advocated that
 > > this should be a switch to flip, even if we're not sure it's safe to flip
 > > it by default.
 >
 > This switch would change a client's path-selection behaviour in a way
 > that both entry nodes and exit nodes might be able to observe.  If this
 > option is not turned on by default, it's not safe to turn this option on
 > at all.

 That is not true. You are not actually able to evaluate my safety concerns
 without more data. For example, we have ExcludeNodes and we allow country
 specific exclusions. It may be bad for anonymity but it may be good for my
 health to avoid certain nodes. For example: if a specific country would
 raise major red flags for me if I used it as my entry node, I should be
 able to avoid it. This is *not* safe by default but it's perfectly safe as
 far as I'm concerned to tune Tor for this use case. There isn't a better
 option for users.

 >
 > And so far, I have seen several people say that we should add this
 > option, but I have not seen anyone propose an actual reason to turn this
 > option on.  What attack does this option defend against?
 >

 It depends. It would defend against accidentally building a three hop
 circuit inside of a single country or continent.

 > The !EnforceDistinctSubnets feature was added because of an actual
 > incident in which one ISP's customers ran a large portion of the Tor
 > network within one /16 (or smaller?) network.  The reason that it's an
 > option at all (rather than hard-coded in the Tor source code like Tor's
 > refusal to build normal circuits that end at !BadExits or that have two
 > hops in the same ‘family’) is that developers and researchers who run
 > testing Tor networks on a LAN need to be able to turn it off.  It's not
 > there just as a pistol for users who think they need ‘more anonymity’ to
 > shoot themselves in their feet with.
 >

 It's also there because Sybil protection is, frankly, a really hard
 problem. For IPv6, we're screwed unless we use much more general things.
 And frankly, I'm not convinced it would be impossible to mount a nasty
 attack given tunneling possibilities unless the network grows a bit more.

 > > I think that it's important to consider that countries should be
 > > grouped - so if we exclude Canada more than once, we should also exclude
 > > the USA at the same time - they're too close. I think I suggested the name
 > > "PoliticallyAwareCircuits" or something similar.
 >
 > Who do you think should produce and maintain a list of groups of
 > countries that are ‘too close’?
 >

 I think that a list of continents is a pretty reasonable grouping; mother
 nature solved this problem, I think.

 > Do you think some European countries are ‘too close’ to the U.S.?  If
 > so, how do you think they would react to being labeled as such?

 No, I'm comfortable with a three hop circuit with one hop in the USA, one
 in Europe and one elsewhere before visiting my destination outside of the
 Tor network.

 >
 > Should The Tor Project ship an ‘official’ list specifying which
 > countries are ‘too close’?  If two or more groups publish different lists,
 > and each group tells us that theirs is ‘better’ than the others, how
 > should we choose which one to ship?
 >

 This is why an option for users is a good idea - it allows people to
 easily experiment and give good data for answers to these questions.

 > If we shouldn't ship an ‘official’ list, how will users find a list to
 > use with their Tor client?  If different users choose different lists,
 > will Tor's anonymity set be partitioned further?
 >

 There is no partitioning when there is nothing done by default.

 > And last, but not least, ''what attack does this defend against''?

 At the very least, it probably defends against an adversary that is able
 to allocate a bunch of IPs in a single country on different /16.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
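
The following is an added illustration, not code from Tor or from anyone in this thread. It checks candidate three-hop paths against the three diversity rules the discussion compares: distinct /16 subnets, at most one relay per country, and at most one relay per continent. The relay table, the country-to-continent grouping, and the names `RELAYS`, `CONTINENT`, `subnet16` and `violations` are all assumptions made for the example.

```python
import ipaddress
from itertools import combinations

# Constructed sample relays: nickname -> (IPv4 address, country code).
# Addresses are private-range placeholders, not real Tor relays.
RELAYS = {
    "a1": ("10.1.0.5", "us"),
    "a2": ("10.1.9.9", "us"),   # same /16 as a1
    "b1": ("10.2.0.5", "us"),   # same country as a1, different /16
    "b2": ("10.3.0.5", "us"),
    "c1": ("10.4.0.5", "ca"),
    "d1": ("10.5.0.5", "de"),
    "j1": ("10.6.0.5", "jp"),
}

# Assumed grouping for illustration only; the thread does not settle on a list.
CONTINENT = {"us": "NA", "ca": "NA", "de": "EU", "jp": "AS"}


def subnet16(ip):
    """Return the /16 network containing an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def violations(path, relays=RELAYS, continent=CONTINENT):
    """Return the names of the diversity rules that a candidate path breaks."""
    broken = set()
    for a, b in combinations(path, 2):
        (ip_a, cc_a), (ip_b, cc_b) = relays[a], relays[b]
        if subnet16(ip_a) == subnet16(ip_b):
            broken.add("subnet16")
        if cc_a == cc_b:
            broken.add("country")
        if continent[cc_a] == continent[cc_b]:
            broken.add("continent")
    return broken


if __name__ == "__main__":
    for path in (["a1", "a2", "d1"], ["a1", "b1", "b2"],
                 ["a1", "c1", "d1"], ["a1", "d1", "j1"]):
        print(path, sorted(violations(path)) or "ok")
```

The path `a1, b1, b2` is the case raised at the end of the comment: three relays in one country on different /16s pass the subnet rule and are caught only by the country rule.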

