[tor-dev] Proposal 273: Exit relay pinning for web services

Roger Dingledine arma at mit.edu
Sat Oct 15 23:24:19 UTC 2016


On Sat, Oct 15, 2016 at 07:02:19PM -0400, Aaron Johnson wrote:
> A concern with this proposal that I have not seen mentioned is that exit
> pinning would cause the Tor path itself to leak more information about
> the intended destination. For example, a destination could (possibly
> without malicious intent) pin a single exit that is otherwise unlikely
> to be used. Simply choosing that exit would thus make it appear much more
> likely to be visiting that destination from the view of an adversary that
> can identify the exit (e.g. by being chosen as the middle relay or by
> performing a congestion attack that identifies relays on a circuit). This
> gets worse when connections can be linked together as originating at the
> same client because without pinning it is unlikely to repeatedly choose
> the same exit (or from any small set of exits). Connections can be linked
> as originating at the same client by the guard (or anybody observing a
> guard) or by middle relays that observe the same guard being used in a
> short period of time, indicating activity by the same client.

Whenever the Tor client gets told which exit to use for a circuit, it
uses a 4-hop path for that circuit, i.e., it uses 3 hops like normal
and then the fourth hop is the chosen exit.

Though it's actually more complex than that, because if it knows it'll
be using a 4-hop circuit, the 2nd and 3rd hop are both chosen like
middles, so "like normal" is not wholly true. It's effectively like
choosing a 3-hop internal circuit and then appending your chosen exit.

So some of the attacks you worry about shouldn't work, but I bet some
of them still would.

--Roger
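
A numeric illustration of the destination-leak concern quoted above, added here as an example and not part of the original thread or of Tor's code. It assumes a simplified model (exits chosen in proportion to a bandwidth weight, a pinning client always using the pinned exit, linked circuits all going to the same kind of destination); the relay names, weights and prior are constructed.

```python
from fractions import Fraction

# Constructed weights, not real relays. "pinned" stands for an exit that is
# otherwise unlikely to be used, as in the quoted concern.
EXIT_WEIGHTS = {"exitA": 500, "exitB": 300, "exitC": 195, "pinned": 5}


def exit_probability(exit_name, weights=EXIT_WEIGHTS):
    """Chance that an unpinned circuit picks this exit (weighted choice)."""
    return Fraction(weights[exit_name], sum(weights.values()))


def posterior_visiting(prior, exit_name, linked_circuits=1, pinning=True,
                       weights=EXIT_WEIGHTS):
    """P(client is visiting the pinning site | every linked circuit used exit_name).

    prior: belief, before seeing any exit, that the client visits the site.
    linked_circuits: number of circuits attributed to the same client.
    pinning: False models today's behaviour, where the destination does not
             influence which exit is chosen.
    """
    prior = Fraction(prior)
    p_exit = exit_probability(exit_name, weights)
    # Likelihood of the observation if the client is visiting the site:
    # certain with pinning, ordinary weighted choice without it.
    like_site = (Fraction(1) if pinning else p_exit) ** linked_circuits
    # Likelihood if the client is going anywhere else.
    like_other = p_exit ** linked_circuits
    return prior * like_site / (prior * like_site + (1 - prior) * like_other)


if __name__ == "__main__":
    prior = Fraction(1, 100)
    for k in (1, 2, 3):
        with_pin = posterior_visiting(prior, "pinned", k)
        without = posterior_visiting(prior, "pinned", k, pinning=False)
        print(f"linked circuits={k}: pinned={float(with_pin):.4f} "
              f"unpinned={float(without):.4f}")
```

Without pinning the posterior stays at the prior however many circuits are linked; with pinning it rises with each linked circuit that uses the rare exit.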


