Tor blocking german nodes
Roger Dingledine
arma at mit.edu
Sun Nov 25 13:26:52 UTC 2007
On Sat, Nov 24, 2007 at 10:44:17AM +0100, Andrew wrote:
> Sadly, what you say is true. Precautions have to be implemented in Tor
> that no more than one node from Germany is chosen for any connection. We
> should ask tor development to implement such a feature until 12/2008,
> and have it activated automatically before the end of next year.
Alas, I fear it's more complex than that. There are two anonymity-related
issues that people here aren't considering enough:
a) Tor's security doesn't come from having any single honest (unobserved)
relay on the path. It comes from the adversary not being able to see
(measure) traffic on both ends of the circuit. See e.g.
http://freehaven.net/anonbib/#danezis:pet2004
So for example if the destination website is in Germany, and it logs all
the packets it sees, then a logging entry relay would be sufficient to
give away the game.
b) If the Tor relay's ISP is logging enough, then it doesn't matter what
the Tor relay itself logs. I'm still hoping to hear an answer to Mike
Perry's question at
http://archives.seul.org/or/talk/Nov-2007/msg00146.html
Then see http://freehaven.net/anonbib/#murdoch-pet2007
If sufficient logging becomes pervasive at the ISP or IX level, then it
would seem that either we'll need to excise those jurisdictions from the
Tor network (and worse, give up on providing anonymity to users there),
or work on anonymity designs that tolerate this level of attack while
still remaining usable.
And that's where the actual definition of "traffic headers" or "traffic
data" becomes critical -- and as I understand it, nobody yet knows
what definitions will be used in practice. So it is premature to start
deploying any alternate designs.
But yes, if it gets to that point, we will be working hard on ways to
avoiding leaving as many tracks in these large central databases. Even
if I entirely trusted the authorities to only use the data in critical
situations, what scares me most is the poor track record of large
organizations at securing huge piles of sensitive data. We don't have
to look very far for stunning examples of data leaks. These extra
requirements like realtime access just make the task even more impossible.
> But please, everybody, do not overreact by blocking german tor nodes.
> The law will only have an effect for tor operators by the beginning of
> 2009, and I doubt anyone will start logging before that.
Right. If you would like to start logging early, please instead turn
off your Tor relay.
And if the authorities try to force you to start logging early, please
also turn off your Tor relay, and then find some lawyers to help you
figure out how to notify the world safely.
> Plus, there's still a chance the german Supreme Court
> (Bundesverfassungsgericht) will stop this law before the end of next
> year. The lawsuit is under way...
Good luck!
--Roger
More information about the tor-talk
mailing list