Exit guards?

Paul Syverson syverson at itd.nrl.navy.mil
Wed Sep 19 12:47:10 UTC 2007


On Tue, Sep 18, 2007 at 10:12:45PM -0700, Michael_google gmail_Gersten wrote:
> Thinking about the "evil exit node" issue, I'm wondering: Do we need
> exit guards?
> 
> Entry guards aren't magical. Without entry guards, you will eventually
> hit a path with both the entry and exit node under control of the
> attacker, and your anonymity is lost.
> 
> Same idea for exit guards. Not magical. But now you have a chance that
> your information won't be lost to a bad node, while without them you
> will eventually hit a bad exit node.

A problem is that entry guards are subject to profiling, albeit
pseudonymous profiling by the middle node and, to some extent, others
watching the communication out of the entry guards.  We showed this
empirically in "Locating Hidden Servers" (the place where entry guards
for Tor were fist described). Lasse's experiments found the set of
entry guards for hidden services.  (Cf. also "Low-Resource Routing
Attacks Aganst Tor" by Bauer et al. for related but distinct issues
and explication and study of some of our attacks extended to ordinary
Tor circuits.)  In any case, this is perhaps not too bad if the exit is
honest.

Once we've added exit guards, the only element that is random per
circuit is the middle node, which can now profile both entries and
exits and their correlations. Hostile middle nodes can thus build
profiles and decide which nodes are worth further investigation/attack
in virtue of being part of interesting entry-exit pairs. Probably the
real answer is to just have relatively trusted whole paths, if you can
get them while maintaining sufficient anonymity and you can make sense
of adequate trust. For the general user this is probably not feasible,
and s/he will need to have entry or exit guards but not both, usually
entry guards since it is the client IP address that we more want to
protect. (But not always: imagine you are in a hotel room somewhere
for a day and you want to connect to a server at work or that you
own. In that case it is where you are headed that matters more.)
Hopefully I will have worked out much of this in a more rigorous
fashion before, well, too long.

aloha,
Paul



More information about the tor-dev mailing list