Proposal: Bring Back PathlenCoinWeight

Mike Perry mikeperry at fscked.org
Thu Apr 19 22:45:37 UTC 2007 

I love replying to myself. I can't resist doing it. Sorry. "Think twice
post once" is a concept totally lost on me, especially when I'm wrong
the first two times ;)


Thus spake Mike Perry (mikepery at fscked.org):

> Why not fix Pathlen=2?:
> 
>   The main reason I am not advocating that we always use 2 hops is that 
>   in some situations, timing correlation evidence by itself may not be 
>   considered as solid and convincing as an actual, uninterrupted, fully 
>   traced path. Are these timing attacks as effective on a real network 
>   as they are in simulation? Would an extralegal adversary or authoritarian 
>   government even care? In the face of these situation-dependent unknowns, 
>   it should be up to the user to decide if this is a concern for them or not.

Hrmm.. it should probably also be noted that even a false positive
rate of 1% for a 200k concurrent-user network could mean that for a
given node, a given stream could be confused with something like 10
users, assuming ~200 nodes carry most of the traffic (ie 1000 users
each). Though of course to really know for sure, someone needs to do
an attack on a real network, unfortunately.

For this reason this option should instead be represented not as a
slider, but as a straight boolean value, at least in Vidalia.

Perhaps something like a radiobutton: 

 * "I use Tor for Censorship Resistance, not Anonymity. Speed is more
    important to me than Anonymity."
 * "I use Tor for Anonymity. I need extra protection at the cost of speed."

and then some explanation in the help for exactly what this means, and
the risks involved with eliminating the adversary's need for timing attacks 
wrt to false positives, etc.

This radio button can then also be used to toggle Johannes's work,
should it be discovered that using latency/bandwidth measurements
gives the adversary some information as to your location or likely
node choices. Or we can create a series of choices along these lines
as more load balancing/path choice optimizations are developed.

---- 

So what does this change mean wrt to the proposal process? Should I
submit a new proposal? I'm still on the fence if the underlying torrc
option and Tor implementation should be a coin weight or a fixed
value, so at this point really all this changes is the proposed
Vidalia behavior (Vidalia is an imporant part of this proposal,
because it would be nice to take 33% of the load off the network for
all users who do not need 3 hops).


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

More information about the tor-dev mailing list