[tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Aug 4 00:17:11 UTC 2011
#3678: Disallow more than one relay per country in a circuit
Reporter: cypherpunks | Owner:
Type: enhancement | Status: needs_information
Priority: major | Milestone:
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
Replying to [comment:7 rransom]:
> Replying to [comment:6 ioerror]:
> > It seems to me that it's a reasonable option. I've long advocated that
this should be a switch to flip, even if we're not sure it's safe to flip
it by default.
> This switch would change a client's path-selection behaviour in a way
that both entry nodes and exit nodes might be able to observe. If this
option is not turned on by default, it's not safe to turn this option on
That is not true. You are not actually able to evaluate my safety concerns
without more data. For example, we have ExcludeNodes and we allow country
specific exclusions. It may be bad for anonymity but it may be good for my
health to avoid certain nodes. For example: if a specific country would
raise major red flags for me if I used it as my entry node, I should be
able to avoid it. This is *not* safe by default but it's perfectly safe as
far as I'm concerned to tune Tor for this use case. There isn't a better
option for users.
> And so far, I have seen several people say that we should add this
option, but I have not seen anyone propose an actual reason to turn this
option on. What attack does this option defend against?
It depends. It would defend against accidentally building a three hop
circuit inside of a single country or continent.
> The !EnforceDistinctSubnets feature was added because of an actual
incident in which one ISP's customers ran a large portion of the Tor
network within one /16 (or smaller?) network. The reason that it's an
option at all (rather than hard-coded in the Tor source code like Tor's
refusal to build normal circuits that end at !BadExits or that have two
hops in the same ‘family’) is that developers and researchers who run
testing Tor networks on a LAN need to be able to turn it off. It's not
there just as a pistol for users who think they need ‘more anonymity’ to
shoot themselves in their feet with.
It's also there because Sybil protection is frankly, a really hard
problem. For ipv6, we're screwed unless we use much more general things.
And frankly, I'm not convinced it would be impossible to mount a nasty
attack given tunneling possibilities unless the network grows a bit more.
> > I think that it's important to consider that countries should be
grouped - so if we exclude canada more than once, we should also exclude
the USA at the same time - they're too close. I think I suggested the name
"PoliticallyAwareCircuits" or something similar.
> Who do you think should produce and maintain a list of groups of
countries that are ‘too close’?
I think that a list of continents is a pretty reasonable grouping; mother
nature solved this problem, I think.
> Do you think some European countries are ‘too close’ to the U.S.? If
so, how do you think they would react to being labeled as such?
No, I'm comfortable with a three hop circuit with one hop in the USA, one
in Europe and one elsewhere before visiting my destination outside of the
> Should The Tor Project ship an ‘official’ list specifying which
countries are ‘too close’? If two or more groups publish different lists,
and each group tells us that theirs is ‘better’ than the others, how
should we choose which one to ship?
This is why an option for users is a good idea - it allows people to
easily experiment and give good data for answers to these questions.
> If we shouldn't ship an ‘official’ list, how will users find a list to
use with their Tor client? If different users choose different lists,
will Tor's anonymity set be partitioned further?
There is no partitioning when there is nothing done by default.
> And last, but not least, ''what attack does this defend against''?
At the very least, it probably defends against an adversary that is able
to allocate a bunch of IPs in a single country on different /16.
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs