[tor-relays] Electronic surveillance on major tor exits
survivd at gmail.com
Mon Jul 23 21:03:24 UTC 2012
This is in response to something from Roger's email on funding exit
relays, but I didn't want to derail such an important conversation by
"At the same time, much of our performance improvement comes
from better load balancing -- that is, concentrating traffic on
that can handle it better. The result though is a direct tradeoff with
relay diversity: on today's network, clients choose one of the
exit relays around 25-30% of the time, and 80% of their choices come
from a pool of 40-50 relays."
This has probably been discussed before, but the first thing that came
to my mind was, "how does this simplify surveillance of tor traffic
flows?" I know we badly need the performance improvement to continue
moving Tor into the mainstream, but when it comes at the cost of a huge
amount of all tor requests are exiting through a small subset of nodes,
are we baking in a serious vulnerability?
Most Tor users probably don't read the manual and follow best
practices. I'm sure we've all seen traffic where users are using google
maps to find directions from their home, or logging into their true-name
mail accounts. When you combine this "State of our Method" with a choke
on the number
For monied countries that practice aggressive electronic surveillance
(China, Russia, and the larger western states), it becomes more and more
tempting to set up (or subvert) expensive, fast exits (with tshark and
an SSL-stripper on it) and be guaranteed significant amounts of traffic
from people that they view as having something to hide. And if the same
routing calculus applies to non-exit nodes, they can do the same thing
on the non-exit layers, not only improving their correlation attacks,
but creating a plausible chance of controlling some tunnels end-to-end.
I don't think that's a good situation for anybody other than the monitors.
I know that this is one of the reasons why "more nodes" is the largest
everyday push (I went from 1 to 3 in the last month), and "we're working
on it," and the node-funding push should help some of this, but I think
it's important to review what direction relay diversity is heading in
the long-term when the metrics start leaning in a certain way.
More information about the tor-relays