Is three hops enough? (was Re: Tor client over a SOCKS proxy, and Tor client running through another Tor Circuit)

glymr glymr_darkmoon at ml1.net
Fri Apr 28 12:11:41 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Ringo Kamens wrote:
> Well, that 1/3 statement is if every circuit were to be
> compromised. I have noticed that there are some servers on the DoD
> Information Network (Kind of like how NRC runs freenet nodes). I
> also noticed some servers at nato c3. (They were blocked by
> peerguardian while I was trying to connect). I do believe 5 is a
> good amount, and I'm interested on how to change it.
>
> On 4/28/06, *glymr* <glymr_darkmoon at ml1.net
> <mailto:glymr_darkmoon at ml1.net>> wrote:
>
> Anthony DiPierro wrote:
>> On 4/27/06, Ringo Kamens < 2600denver at gmail.com
> <mailto:2600denver at gmail.com>> wrote:
>>> I don't really see anything wrong with it if you really want
> to do it. It
>>> doesn't really increase anonymity, but it sounds good to me.
> I'm assuming
>>> that tor2 sees the ip address of the tor 1 exit node.
>>>
>
>> The way I picture it it would basically be equivalent to
> adding extra
>> hops.  I remember reading this is possible to hack into the
> standard
>> tor software, but I believe it requires a recompile and not just
>> a config file tweak.
>
>> Anyway, it is my understanding that the current default
> implementation
>> uses three hops.  Now am I correct that that includes the exit
> node?
>> Does it also include the entry node which is generally on the
>> same computer?
> this is incorrect, the entry node, middleman node and exit node are
>  separate from the client. if one is running a tor server the entry
>  node is indeed the same node but remember a tor server is
> shuffling every other packet from other circuits mixed in with
> yours, and thus it seems logical that it would improve anonymity
>> If so, it seems that in the current default implementation
> only one
>> compromised node, the middle node (working with the
> destination site),
>> is needed to significantly impact your anonymity.  The IP
> address of
>> the exit node is generally recorded in web logs along with the
> time
>> and date.  So if the middle node records the incoming and
>> outgoing node IP addresses, that can then be matched up with the
>> web
> logs.  If
>> someone is using three hops the way I described it above, then
> the
>> incoming IP address would be the address of the tor user, right?
>> Sure, you'd have a little bit of plausible deniability, as
> there's no
>> proof your system was set up this way, but that's it.
>
>> Now hopefully I'm just wrong about what constitutes three hops
>> (or that the default setting is three hops).  Or maybe I'm
>> missing something as to why this type of attack isn't possible.
>
>> One thing seems almost certain, adding hops does increase the
> security
>> against a compromised node attack.
>
>> Anthony
> a compromised node attack, on average, has to compromise 1/3 of the
>  entire tor network to get somewhere approaching good odds of being
>  able to identify the endpoints of circuits. possibly 2/3, but i'd
> say 1/3 of nodes being compromised would give usable violation of
> the system... as you may know, there is something like 300-400
> servers in the tor network now, to compromise it they'd have to put
> up like 150-200 new compromised nodes, or hack and compromise
> 100-150, either task is not trivial at all.
i think that it would be useful if someone would make a peerguardian
list of possibly suspect nodes so people could run them with tor to
help defend against this problem
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFEUgZ9+KihKRqTxu4RA4yAAJ4rYJ0arxYzasMGHTEZoqcqH5AtsACffQZ/
p7BBiuDfV9nGKz9PYBmNGaA=
=3ti/
-----END PGP SIGNATURE-----



More information about the tor-talk mailing list