[tor-bugs] #2764 [Tor Bridge]: analyze security tradeoffs from using a socks proxy vs a bridge to reach the Tor network

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Mar 15 23:09:53 UTC 2011 

#2764: analyze security tradeoffs from using a socks proxy vs a bridge to reach
the Tor network
------------------------+---------------------------------------------------
 Reporter:  arma        |          Owner:                     
     Type:  task        |         Status:  new                
 Priority:  normal      |      Milestone:  Deliverable-May2011
Component:  Tor Bridge  |        Version:                     
 Keywords:              |         Parent:                     
   Points:              |   Actualpoints:                     
------------------------+---------------------------------------------------
 At the beginning of the bridge design, we decided to use a building block
 we'd already written (a "relay") for the proxy step. This strategy gave us
 several practical advantages:
 - The code was already written, so we didn't have to write new proxy
 programs.
 - The packages already exist so we don't have any new portability worries.
 - People already have an incentive to install the Tor program, so we'd get
 more bridges.
 - It's easier to extend our code to collect and publish statistics like
 load, number of users, geoip lookups on the users, etc
 - We could reuse the directory authority design to run a bridge authority
 that does reachability checking, collects bridge descriptors, annotates
 which ones are Running/Stable/etc, exports them to bridgedb, and so on.

 But from a *security* perspective (for a broad definition of security), is
 there really any difference between a socks proxy and a bridge relay?

 One difference is that the socks handshake is in the clear, so if you're
 asking to connect to a public Tor relay, an observer can see its IP
 address and realize that you're using socks to reach the Tor network. We
 could imagine workarounds here where the socks proxy chooses its
 destination independent of the address you ask for, either by hard-coding
 a bridge address, hard-coding a public relay address, or round-robining
 you among several. Depending on which we choose, the Tor client would have
 to learn to not freak out when it gets the wrong guy on the other end.

 Another difference is that the traffic coming into the bridge is crypted
 differently than the traffic coming out of it (both via link encryption on
 each side and at a layer underneath that). Are there any adversaries that
 this traffic rewriting step stymies in any way?

 What other considerations am I missing?

 (I don't mean to throw away the bridge notion. But -- if it's safe -- I
 want to supplement it with an alternative, for people who don't want to
 run a whole Tor bridge, either due to resource constraints (Tor router) or
 complexity constraints (imagine a flash plugin that proxies incoming
 traffic to a "real" Tor relay).)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2764>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list