[tor-dev] Different trust levels using single client instance

bancfc at openmailbox.org
Fri Oct 21 20:38:45 UTC 2016


Summarized question:

Do you recommend allowing Workstation VMs of different security levels 
to communicate with the same Tor instance? Note that they connect via 
separate internal networks to the Gateway and have different interfaces 
& controlports so inter-workstation communication should not be 
possible.


Single Tor Gateway, Multiple Workstations

Pros:
* Same guard node means less chance of picking a malicious one
* Single Gateway VM uses less resources

Cons:
* Some unforeseen way malicious VM "X" can link activities of or 
influence traffic of VM "Y"
** Maybe sending NEWNYM requests in a timed pattern that changes exit IPs 
of VM Y's traffic, revealing they are behind the same client?
** Maybe eavesdropping on HSes running on VM Y's behalf?
** Something else we are not aware of?


Multi-Tor Gateways mapped 1:1 to Workstation VMs

Pros:
* Conceptually simple. Uses a different Tor instance so no need to worry 
about all these questions.

Cons:
* Uses a different entry guard which can increase chance of running into 
a malicious relay that can deanonymize some of the traffic.
* Uses extra resources (though not much as a Tor Gateway can run with as 
little as 192MB RAM)

