Is three hops enough? (was Re: Tor client over a SOCKS proxy, and Tor client running through another Tor Circuit)
glymr_darkmoon at ml1.net
Fri Apr 28 11:49:38 UTC 2006
Anthony DiPierro wrote:
> On 4/27/06, Ringo Kamens <2600denver at gmail.com> wrote:
>> I don't really see anything wrong with it if you really want to do it. It
>> doesn't really increase anonymity, but it sounds good to me. I'm assuming
>> that tor2 sees the ip address of the tor 1 exit node.
> The way I picture it, it would basically be equivalent to adding extra
> hops. I remember reading this is possible to hack into the standard
> tor software, but I believe it requires a recompile and not just a
> config file tweak.
> Anyway, it is my understanding that the current default implementation
> uses three hops. Now am I correct that that includes the exit node?
> Does it also include the entry node which is generally on the same
This is incorrect: the entry node, middleman node and exit node are
separate from the client. If one is running a Tor server, the entry
node is indeed the same node, but remember a Tor server is shuffling
every other packet from other circuits mixed in with yours, and thus
it seems logical that it would improve anonymity.
> If so, it seems that in the current default implementation only one
> compromised node, the middle node (working with the destination site),
> is needed to significantly impact your anonymity. The IP address of
> the exit node is generally recorded in web logs along with the time
> and date. So if the middle node records the incoming and outgoing
> node IP addresses, that can then be matched up with the web logs. If
> someone is using three hops the way I described it above, then the
> incoming IP address would be the address of the tor user, right?
> Sure, you'd have a little bit of plausible deniability, as there's no
> proof your system was set up this way, but that's it.
> Now hopefully I'm just wrong about what constitutes three hops (or
> that the default setting is three hops). Or maybe I'm missing
> something as to why this type of attack isn't possible.
> One thing seems almost certain, adding hops does increase the security
> against a compromised node attack.
A compromised node attack, on average, has to compromise 1/3 of the
entire Tor network to get somewhere approaching good odds of being
able to identify the endpoints of circuits. Possibly 2/3, but I'd say
1/3 of nodes being compromised would give usable violation of the
system... As you may know, there are something like 300-400 servers in
the Tor network now; to compromise it they'd have to put up like
150-200 new compromised nodes, or hack and compromise 100-150. Either
task is not trivial at all.