[tor-relays] Electronic surveillance on major tor exits

Name Withheld survivd at gmail.com
Mon Jul 23 21:03:24 UTC 2012 

This is in response to something from Roger's email on funding exit 
relays, but I didn't want to derail such an important conversation by 
responding directly.

He mentioned:

      "At the same time, much of our performance improvement comes
      from better load balancing -- that is, concentrating traffic on 
the relays
      that can handle it better. The result though is a direct tradeoff with
      relay diversity: on today's network, clients choose one of the 
fastest 5
      exit relays around 25-30% of the time, and 80% of their choices come
      from a pool of 40-50 relays."

This has probably been discussed before, but the first thing that came 
to my mind was, "how does this simplify surveillance of tor traffic 
flows?"  I know we badly need the performance improvement to continue 
moving Tor into the mainstream, but when it comes at the cost of a huge 
amount of all tor requests are exiting through a small subset of nodes, 
are we baking in a serious vulnerability?

Most Tor users probably don't read the manual and follow best 
practices.  I'm sure we've all seen traffic where users are using google 
maps to find directions from their home, or logging into their true-name 
mail accounts.  When you combine this "State of our Method" with a choke 
on the number

For monied countries that practice aggressive electronic surveillance 
(China, Russia, and the larger western states), it becomes more and more 
tempting to set up (or subvert) expensive, fast exits (with tshark and 
an SSL-stripper on it) and be guaranteed significant amounts of traffic 
from people that they view as having something to hide.  And if the same 
routing calculus applies to non-exit nodes, they can do the same thing 
on the non-exit layers, not only improving their correlation attacks, 
but creating a plausible chance of controlling some tunnels end-to-end.  
I don't think that's a good situation for anybody other than the monitors.

I know that this is one of the reasons why "more nodes" is the largest 
everyday push (I went from 1 to 3 in the last month), and "we're working 
on it," and the node-funding push should help some of this, but I think 
it's important to review what direction relay diversity is heading in 
the long-term when the metrics start leaning in a certain way.

More information about the tor-relays mailing list