[tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit

[Tor Bug Tracker & Wiki]

#3678: Disallow more than one relay per country in a circuit
-------------------------+--------------------------------------------------
 Reporter:  cypherpunks  |          Owner:                     
     Type:  enhancement  |         Status:  needs_information  
 Priority:  major        |      Milestone:  Tor: very long term
Component:  Tor Client   |        Version:                     
 Keywords:               |         Parent:                     
   Points:               |   Actualpoints:                     
-------------------------+--------------------------------------------------
Changes (by proper):

 * cc: proper@… (added)


Comment:

 I don't want to trivialize the problem with the internet exchange points.
 Research and a solution is still required. But let's put that attack aside
 for a moment, as this attack is not yet used in the wild against Tor
 users.

 More critical at the moment is, that single countries can force their
 country's Tor relays, to log, through to a surveillance court order.
 During the investigation (depending on their local law) the local Tor
 relay operators may not even publish, that they are forced to log.

 The adversary has to wait until their target uses a circuit with all three
 hops in their country.

 As an intermediate solution, I suggest to stop using more than one country
 per circuit. That would require at least three countries to cooperate and
 to force their Tor node operators to log.

 Implementing this as an intermediate solution would also require the
 adversary to use more expensive, sophisticated attacks than country wide
 passive logging for Tor nodes.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online