Is three hops enough? (was Re: Tor client over a SOCKS proxy, and Tor client running through another Tor Circuit)

Ringo Kamens 2600denver at
Fri Apr 28 12:04:19 UTC 2006

Well, that 1/3 statement is if every circuit were to be compromised. I have
noticed that there are some servers on the DoD Information Network (Kind of
like how NRC runs freenet nodes). I also noticed some servers at nato c3.
(They were blocked by peerguardian while I was trying to connect). I do
believe 5 is a good amount, and I'm interested on how to change it.

On 4/28/06, glymr <glymr_darkmoon at> wrote:
> Hash: RIPEMD160
> Anthony DiPierro wrote:
> > On 4/27/06, Ringo Kamens <2600denver at> wrote:
> >> I don't really see anything wrong with it if you really want to do it.
> It
> >> doesn't really increase anonymity, but it sounds good to me. I'm
> assuming
> >> that tor2 sees the ip address of the tor 1 exit node.
> >>
> >
> > The way I picture it it would basically be equivalent to adding extra
> > hops.  I remember reading this is possible to hack into the standard
> > tor software, but I believe it requires a recompile and not just a
> > config file tweak.
> >
> > Anyway, it is my understanding that the current default implementation
> > uses three hops.  Now am I correct that that includes the exit node?
> > Does it also include the entry node which is generally on the same
> > computer?
> this is incorrect, the entry node, middleman node and exit node are
> separate from the client. if one is running a tor server the entry
> node is indeed the same node but remember a tor server is shuffling
> every other packet from other circuits mixed in with yours, and thus
> it seems logical that it would improve anonymity
> > If so, it seems that in the current default implementation only one
> > compromised node, the middle node (working with the destination site),
> > is needed to significantly impact your anonymity.  The IP address of
> > the exit node is generally recorded in web logs along with the time
> > and date.  So if the middle node records the incoming and outgoing
> > node IP addresses, that can then be matched up with the web logs.  If
> > someone is using three hops the way I described it above, then the
> > incoming IP address would be the address of the tor user, right?
> > Sure, you'd have a little bit of plausible deniability, as there's no
> > proof your system was set up this way, but that's it.
> >
> > Now hopefully I'm just wrong about what constitutes three hops (or
> > that the default setting is three hops).  Or maybe I'm missing
> > something as to why this type of attack isn't possible.
> >
> > One thing seems almost certain, adding hops does increase the security
> > against a compromised node attack.
> >
> > Anthony
> a compromised node attack, on average, has to compromise 1/3 of the
> entire tor network to get somewhere approaching good odds of being
> able to identify the endpoints of circuits. possibly 2/3, but i'd say
> 1/3 of nodes being compromised would give usable violation of the
> system... as you may know, there is something like 300-400 servers in
> the tor network now, to compromise it they'd have to put up like
> 150-200 new compromised nodes, or hack and compromise 100-150, either
> task is not trivial at all.
> Version: GnuPG v1.4.3 (MingW32)
> Comment: Using GnuPG with Mozilla -
> x1xJp+DsGT/Oz9Shq63yr+A=
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the tor-talk mailing list