[tor-commits] r26864: {website} more updates on the 'change your path length' faq entry (website/trunk/docs/en)

Roger Dingledine arma at torproject.org
Sat Jul 12 10:54:19 UTC 2014 

Author: arma
Date: 2014-07-12 10:54:19 +0000 (Sat, 12 Jul 2014)
New Revision: 26864

Modified:
   website/trunk/docs/en/faq.wml
Log:
more updates on the 'change your path length' faq entry


Modified: website/trunk/docs/en/faq.wml
===================================================================
--- website/trunk/docs/en/faq.wml	2014-07-12 01:22:08 UTC (rev 26863)
+++ website/trunk/docs/en/faq.wml	2014-07-12 10:54:19 UTC (rev 26864)
@@ -4232,21 +4232,24 @@
  example if you're accessing a hidden service or a ".exit" address it could be 4.
 </p>
 <p>
- We don't want to encourage people to use paths longer than this -- it
+ We don't want to encourage people to use paths longer than this — it
  increases load on the network without (as far as we can tell) providing
- any more security. In fact, using paths longer than 3 could harm anonymity 
- ("Oh, there's that person who changed her path length again"). Remember that 
+ any more security. Remember that 
 <a href="https://svn.torproject.org/svn/tor/trunk/doc/design-paper/tor-design.html#subsec:threat-model">
  the best way to attack Tor is to attack the endpoints and ignore the middle
  of the path</a>.
+ Also, using paths longer than 3 could harm anonymity, first because
+ it makes <a href="http://freehaven.net/anonbib/#ccs07-doa">"denial of
+ security"</a> attacks easier, and second because it could act as an
+ identifier if only a few people do it ("Oh, there's that person who
+ changed her path length again").
 </p>
 <p>
  And we don't want to encourage people to use paths of length 1 either.
- Currently  there is no reason to suspect that investigating a single
- relay will yield  user-destination pairs, but if many people are using
+ Currently there is no reason to suspect that investigating a single
+ relay will yield user-destination pairs, but if many people are using
  only a single hop, we make it more likely that attackers will seize or
- break into relays in hopes
- of tracing users.
+ break into relays in hopes of tracing users.
 </p>
 <p>
  Now, there is a good argument for making the number of hops in a path
@@ -4255,8 +4258,10 @@
  for sure which entry node you used. Choosing path length from, say,
  a geometric distribution will turn this into a statistical attack,
  which seems to be an improvement. On the other hand, a longer path
- length is bad for usability. We're not sure of the right trade-offs
- here. Please write a research paper that tells us what to do.
+ length is bad for usability, and without further protections it seems
+ likely that an adversary can estimate your path length anyway. We're
+ not sure of the right trade-offs here. Please write a research paper
+ that tells us what to do.
 </p>
 
     <hr>

More information about the tor-commits mailing list