[tor-dev] resistance to rubberhose and UDP questions
rransom.8774 at gmail.com
Thu Oct 4 17:50:47 UTC 2012
On 10/4/12, Eugen Leitl <eugen at leitl.org> wrote:
> I've had an IRC session with the designer of cjdns (on cjdns)
> who made a few interesting points, and suggestions. Comments?
> Verbatim chat snip below.
> 18:03 <@cjd> if you took the components from cjdns, you could build a TOR
> like protocol which used UDP if
> possible and made connections much faster
> 18:04 <+eleitl> I wonder why they didn't choose UDP
Presumably because TCP was easier.
> 18:05 <@cjd> you need to fall back on tcp in case you're firewalled to hell
> 18:05 <+eleitl> Apparently, they're thinking about it
Yes. TCP was a bad choice for Tor.
> 18:06 <@cjd> problem with tor is (correct me if I)
> 18:06 <@cjd> 'm wrong)
> 18:06 <@cjd> the directory is signed by the tor foundation
> 18:07 <@cjd> so they can sign a fake directory and run a bunch of directory
> servers and when Alice connects to
> their directory server, they give her a bunch of fake nodes
The v3 network consensus document must be signed by a majority of the
(currently nine) directory authorities' signing keys. None of the
directory authorities are operated by Tor Project, Inc..
> 18:07 <@cjd> run their own botnet with fake tor nodes so your circuit is
> always owned
TPI does not have the expertise needed to run a botnet for this purpose.
> 18:07 <+eleitl> I don't really know for sure, but there's intrinsic trust to
> Tor developers, yes.
> 18:08 <+eleitl> You can run your own Tor network, though.
> 18:08 <+eleitl> Some botnets do that.
Interesting. Do you have a reference describing one of these botnets?
> 18:08 <@cjd> I trust them to make the software right, esp. since I could
> check if they did.
> 18:09 <@cjd> But a little arm twisting can change someone's motives pretty
> 18:09 <+eleitl> Maintaining signing secrets is a problem.
> 18:09 <+eleitl> They should have used a P2P design.
Do you have a ‘P2P design’ for Tor which doesn't rely on trusted
parties ‘maintaining signing secrets’ and which isn't broken?
(Hint: No, you don't.)
Do you have any ‘P2P design’ for Tor at all which isn't broken?
> 18:10 <@cjd> If someone (with government hat?) tells you they can make your
> life hell... I wouldn't fault them
> for doing what the man says.
> 18:10 <@cjd> *wouldn't fault you
> 18:10 <+eleitl> I'll try bugging some Tor developers about that scenario,
> and see how they squirm.
> 18:11 <+eleitl> Also, the UDP connection thing.
> 18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
> 18:11 <@cjd> stack -> all headers in the same packet
> 18:12 <@cjd> cjdns does the same thing
If this refers to including the circuit-extension packet which caused
a relay to open an OR connection in the first UDP packet that it sends
in order to open that connection, I agree that that would be a good
thing to do, although mostly for reasons that cjd isn't mentioning.
If this refers to setting up a complete three-node Tor circuit with
only one outgoing packet sent by the client, that can be implemented
without a UDP-based transport (and early versions of Tor did implement
More information about the tor-dev