[tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Aug 4 17:45:41 UTC 2011


#3678: Disallow more than one relay per country in a circuit
-------------------------+--------------------------------------------------
 Reporter:  cypherpunks  |          Owner:                   
     Type:  enhancement  |         Status:  needs_information
 Priority:  major        |      Milestone:                   
Component:  Tor Client   |        Version:                   
 Keywords:               |         Parent:                   
   Points:               |   Actualpoints:                   
-------------------------+--------------------------------------------------

Comment(by nickm):

 Replying to [comment:15 hellais]:
 [...]
 > I don't think it's a good idea for The Tor Project to ship an 'official'
 list. People should build one based on their own needs and independent
 organizations will be responsible for explaining the reasoning behind them
 and to what sort of case scenario they apply to.

 The anonymity implications of this idea are very worrisome: see the
 "Anonymity Loves Company" paper that I did with Roger for the basic
 argument here.

 In brief: if we're going to push the responsibility for mapping global
 backbone eavesdropping and data aggregation onto our users, then we'd
 better make sure that this is something they can be reasonably expected
 to do, and we had better make sure that having everybody do so in their
 own way will not partition the network traffic in a way that actually
 makes the attacker's job easier.

 > > If we shouldn't ship an ‘official’ list, how will users find a list to
 use with their Tor client?  If different users choose different lists,
 will Tor's anonymity set be partitioned further?
 > >
 > > And last, but not least, ''what attack does this defend against''?
 >
 > I believe this feature will not be used by everybody, just by people
 that are worried about a large scale targeted attack. Let me further
 explain:
 > It is a fact that the technology exists and it is being deployed capable
 of collecting information on Terabit networks [2]. It is not so far
 fetched to believe that if a big government wishes to target a specific
 individual it will request information on that person from various other
 countries with which it is allied. By making circuit building sensitive
 to the relationships that exist amongst countries, you are making this
 information sharing much harder (e.g. would it be easy for the Swiss
 government to get traffic dumps from Ukraine?).
 >
 > So to synthesize we are trying to prevent traffic analysis and
 correlation when allied countries collude against one individual.

 So let's analyze that.

 Say, for example, that the EU countries are all out to get me, and they
 are going to do so by eavesdropping all the communications under their
 control and doing full traffic correlation.  Suppose that I know this, and
 declare that my circuits must never have more than one node in the EU.
 Does the proposed routing change '''actually help'''?

 It doesn't help much if I'm in the EU: when my exit node is in the EU,
 they can correlate me fine.  And it doesn't help if I'm outside of the EU
 and visiting EU websites: if my entry node is in the EU, then correlation
 will still work fine.

 So, let's suppose that I'm not in the EU and I never visit EU websites,
 otherwise this whole business is hopeless.

 Even then, I'm still not in the clear: sometimes the path to my first hop
 will travel through the EU and I'll wind up with an EU exit node; or the
 path from my last hop to my destination will travel through the EU and
 I'll wind up with an EU entry node.  (Or even if I just say "ExcludeNodes
 {..all the EU..}", sometimes I'll wind up having both the path from me to
 my entry ''and'' from my exit to my destination pass through the EU.)  So
 it still seems that the attack will succeed pretty often if the
 attacker can see a reasonably large (geographic) portion of the backbone.

 Now, I don't deny that this option is a ''cosmetic'' improvement: I can
 easily see a person (say) in the US worried about EU snooping being more
 comfortable with a circuit that goes {client in US} -> {DE} -> {JP} ->
 {RU} -> {website in IE} than with a circuit that goes {client in US} ->
 {DE} -> {US} -> {DE} -> {website in IE}.  But -- and here's the important
 point -- I think that this increased comfort is probably ''only''
 cosmetic.  If the EU exchanges are eavesdropped, then the US->DE and
 RU->IE last hop are quite likely to pass through some exchanges in common.

 So a large fraction of my circuits will still get snooped.  If we believe
 in statistics, then having a random sample of my stuff get snooped is
 approximately as bad as having the whole thing get snooped.


 And that's why I'm not convinced.  I'm not interested only in an improved
 ''sense'' of security unless it materially increases actual resistance
 against a real attacker.  So in order to argue for any feature like this,
 I want to see the analysis that shows that I'm wrong in my analysis above
 and there ''is'' a real improvement, or I want to see an improved routing
 algorithm that doesn't fall to the analysis above.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
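The argument above (a country restriction on relays does not restrict the backbone path between the client and its guard, or between the exit and the destination) can be made concrete with a small model. The following is an added example, not code from the ticket, from nickm or from the Tor code base: the exchange-point topology, the one-relay-per-country relay set, the link list and the choice of `EU = {"DE", "FR"}` as the eavesdropped region are all constructed for illustration, and the three policies (`unrestricted`, `at_most_one_in_region`, `exclude_region`) are hypothetical names for "no restriction", the ticket's proposal applied to the EU, and `ExcludeNodes {..all the EU..}`. It enumerates every permitted three-hop circuit exactly and reports the fraction whose client-to-guard leg and exit-to-destination leg are both visible to the regional observer, which is the condition for end-to-end correlation.

```python
"""Toy model of the argument in ticket #3678, comment 16: restricting which
countries a circuit's relays sit in does not restrict the underlying backbone
path, so an observer covering a region's exchanges still sees both ends of
many circuits.  Topology, relays and observer reach are constructed here for
illustration; they are not measurements of the real Internet or Tor network."""
from collections import deque
from fractions import Fraction
from itertools import permutations

# Constructed "backbone": one exchange point per country and the links between them.
EXCHANGE_COUNTRY = {
    "ix_us": "US", "ix_de": "DE", "ix_fr": "FR", "ix_jp": "JP",
    "ix_ru": "RU", "ix_br": "BR", "ix_ua": "UA",
}
LINKS = [
    ("ix_us", "ix_de"), ("ix_us", "ix_jp"), ("ix_us", "ix_br"),
    ("ix_de", "ix_fr"), ("ix_de", "ix_ru"), ("ix_fr", "ix_ru"),
    ("ix_fr", "ix_ua"), ("ix_ru", "ix_ua"),
]
# Constructed relay set: one relay per country, attached to that country's exchange.
RELAYS = {
    "r_us": "ix_us", "r_de": "ix_de", "r_fr": "ix_fr", "r_jp": "ix_jp",
    "r_ru": "ix_ru", "r_br": "ix_br", "r_ua": "ix_ua",
}
EU = {"DE", "FR"}  # assumed eavesdropped region; stands in for "the EU" in the comment

ADJ = {ix: set() for ix in EXCHANGE_COUNTRY}
for a, b in LINKS:
    ADJ[a].add(b)
    ADJ[b].add(a)


def backbone_path(src, dst):
    """Shortest path of exchanges from src to dst (BFS), endpoints included."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(ADJ[node]):  # sorted for a deterministic tie-break
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def observed(src, dst, region=EU):
    """True if any exchange on the src->dst path lies in the eavesdropped region.
    A relay located in the region is caught here too, since its own exchange
    is an endpoint of the path."""
    return any(EXCHANGE_COUNTRY[ix] in region for ix in backbone_path(src, dst))


def relay_country(relay):
    return EXCHANGE_COUNTRY[RELAYS[relay]]


def allowed(circuit, policy):
    """Hypothetical path-selection policies modelled on the ticket discussion."""
    in_region = sum(relay_country(r) in EU for r in circuit)
    if policy == "unrestricted":
        return True
    if policy == "at_most_one_in_region":   # "never more than one node in the EU"
        return in_region <= 1
    if policy == "exclude_region":          # ExcludeNodes {..all the EU..}
        return in_region == 0
    raise ValueError(policy)


def fraction_correlated(policy, client_ix="ix_us", dest_ix="ix_br"):
    """Exact fraction of permitted (guard, middle, exit) circuits whose
    client->guard and exit->destination legs are BOTH visible to the observer."""
    total = seen = 0
    for guard, middle, exit_ in permutations(RELAYS, 3):
        if not allowed((guard, middle, exit_), policy):
            continue
        total += 1
        if observed(client_ix, RELAYS[guard]) and observed(RELAYS[exit_], dest_ix):
            seen += 1
    return Fraction(seen, total)


if __name__ == "__main__":
    for policy in ("unrestricted", "at_most_one_in_region", "exclude_region"):
        print(f"{policy:22s} client US, site BR: {fraction_correlated(policy)}")
    print(f"{'exclude_region':22s} client US, site DE: "
          f"{fraction_correlated('exclude_region', dest_ix='ix_de')}")
```

In this constructed topology the RU and UA relays can only be reached through DE or FR, so even with every EU relay excluded, one circuit in ten still has both of its end legs crossing an eavesdropped exchange; the one-relay-in-region rule lowers the exposed fraction from 2/7 to 7/30 rather than removing it, and moving the destination into the region (the "visiting EU websites" case) makes every exit leg observable, so exposure reduces to the share of guard legs that cross the region. The exact fractions are artefacts of the toy graph; the structural point, that relay placement and backbone placement are different things, is what carries over.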