[tor-dev] Special-use-TLD support

[Jeremy Rand]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09/29/2015 07:39 AM, Jeff Burdges wrote:
> On Tue, 2015-09-29 at 00:59 +0000, Jeremy Rand wrote:
> 
>> The issue I do see is that SPV validation doesn't work well
>> unless you ask multiple peers to make sure that you're getting
>> the chain with the most PoW.  So I gather that this would require
>> connecting to Namecoin peers running on multiple exit nodes.  I
>> don't think that's problematic, but it would have to be taken
>> into account.
> 
> This is no different from validation for existing DNS results.
> Tor attempts to prevent this by building a list of bad exits, but
> it's challenging to catch an exit that attacks only one website.
> 
> You could check multiple peers but that costs you some anonymity.
> If you use many .bit names, this might expose the fact that you
> use Namecoin to your guard.

How does checking Namecoin peers on running on multiple exits cost
anonymity?  I'm not quite seeing what the attack is here.

> There are many Tor programs like Ricochet and Pond, and many
> websites, that should be detectable by a sufficiently dedicated
> guard, so that's not a compelling reason not to check multiple
> exits, but it requires consideration.
> 
> One could maybe design the Namecone shim to check obtain
> general-but -relevant information from multiple exits running the
> Namecoin client, but only obtain the actual result from one exit.
> Or maybe that's reinventing the SPV client.

Retrieving block headers from multiple exits, and then asking for a
specific domain's SPV proof from a single exit, will at least provide
reasonable assurance that the result was valid sometime in the past 8
months (expiry period for Namecoin names).  Once unspent name output
set commitments are added to the Namecoin block validation rules, it
will provide reasonable assurance that the result was valid as of
about 2 hours ago.  A single node could still censor updates from the
past 2 hours, which would not be the case if sufficient multiple nodes
are asked.

It might also be possible to download the full blocks from the last 2
hours (along with unmined transactions) from multiple peers.  This
wouldn't reveal which names you're asking for, would presumably be
only a few megabytes at startup (along with keeping up with incoming
transactions over time), and would be sufficient when combined with
SPV proofs from a single node to give you completely current data.

I'm still not seeing the attack that stems from asking multiple exits
for specific domains, though.  Can you elaborate?

Cheers,
- -Jeremy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWCrI8AAoJEAHN/EbZ1y06e4AP/R/yJ11lHVl6L4ardFkBeUEf
yztAUkX8TWGLBTufsedA9HpF6nxfysGXAZx1HttTrdACspxF533Zzxh8lU+sN0Ak
iprJlcqkgPdxrt9XWzgLcLbk1Sie1mjAQDuPYQTFg9KEin4JuCO71JpPVhJBIr4f
8rO6tvo6XQytwEVopdxpuiJ/ZavpVWzcM2iFucD6sfpVEPGLPBAyaIxygpVI6/+Y
MzV9krQJZChCr/dUiIzM8eVDe0IzgB7QOxvGK2R4VR1PVY35sfnVJu6gS+P11R/A
QkF96auYDQ/zzuBLrrYpW0xkvxbqqSyOdWSzSuv5qP61uRNWe5l3yG4Zagx1aB+q
hvU2P8Nlz0ZKGSwqt0zk+W70DaagOsaR9swzxKKCGtl2+tXkNmbHRzsbJN/PWKP1
liXBV57uxNVg7sfbxISrg2JRCclsMWqqyAYidJBdDCxzW4FE+VmIXU5iBwbiklWr
Ge3iDdgxomuw1F4ZHs3FjC/p7rWPhQOS12Y9mM9tYyISUSzqA10ANod7TGLbMTie
xDR0zrl5vDN/8B8RJSzPsOuHApTs98tzEn6pBjj90Z0yMKDlUyLcXRTtcIIDbS9q
vwyTPGUdxkuJW23DD8EuMTl0b3ulvCivirfZyujoCk4GyFQK6CAETfcnyDa4OIHK
cfjHcgazm+Izv5eI/1bx
=n6Jn
-----END PGP SIGNATURE-----