Commercial tor offering?

Arrakis arrakistor at gmail.com
Fri Dec 5 20:53:59 UTC 2008


Robert,

> At first glance your statement above could be taken to suggest that Onyx 
> provides provably better anonymity than Tor. A second reading suggests 
> that you are merely claiming Onyx deploys additional techniques that are 
> regularly investigated for their anonymity properties, while at the same 
> time overcoming certain attacks that Tor is still susceptible to.

As there is no metric for measuring anonymity, it would be accurate to say
that it is not going to be provable. What we can do is say such a property
reasonably appears to exist, and make our determinations from there.

> Would you agree that:
> 
> - Onyx has not been the subject of independent analysis thus far, so its 
> anonymity properties are an open question.

One problem with the idea of "independent analysis" when applied to
technology is that it requires that there is an independent analyst with
equivalent or superior knowledge to the system provider and tools with
which to measure a test, and a metric for measurement. Anything less and
you end up with an estimation that is less matched to the analyst's
ability, and more synchronized to the analyst himself.

If you are providing a system with young technologies implemented in a
unique manner, you are unlikely to find an independent analyst with
mastery in these implementations, or the ability to test, much less
measure the veracity of such claims. The use of independent analysis will
probably come down to warm fuzzies regarding your trust of the reputation
/ authority of the analyst, instead of measurement of the system itself.
Even then, he can only say at best that it *appears* to have these
properties.

However, logically it is possible to disprove claims. If we could agree
on the mastery of the analyst, and his/her independence, then I don't see
why we wouldn't allow such attempts.

Unfortunately, the best possible result you can hope for from the analyst
is "I couldn't break the system, it appears to be what it purports" which
isn't going to be an affirmative response, and would be the same response
given by any less-than-qualified analyst.

This is where we get back to needing a metric to measure anonymity,
otherwise we are snipe-hunting for warm fuzzies. Would you agree?

> - Some of the features you describe are not proven to provide better 
> anonymity (e.g. traffic padding).

As there is no metric of measuring anonymity, it would be a moot point
to say there is a technically "better" anonymity. What we can say is this
provides what appears to be better anonymity because of a sound design.

In this specific instance, the matter is that padding increases the
opacity of the context of a transmission. This generally assumes that the
less accurate data an adversary has to perform traffic analysis, the
weaker the signal intelligence and thus the better the anonymity will be.

Perhaps an analogy would be two gifts under a Christmas tree. One is
shrink-wrapped and you can clearly see the outline of the object and the
other is padded in a box. To a casual observer, I could estimate that it
is easier to determine the contents of the shrink-wrapped item rather
than the item in the box. Probably not the best analogy, but just at the
top of the mind.

> - Onyx's immunity to sybil attacks and exit node injection is not explicit 
> in its design. This immunity depends on the behaviour of the network 
> operators.

That is correct, we verify the integrity of the nodes and extend
commensurate trust to the operators of those nodes, which is based
on a reputation system. A pertinent difference is that operators do not
volunteer, they are only invited, so there is little opportunity for
malicious nodes.

> - Are there plans afoot to open Onyx to independent investigation without 
> becoming a paying customer? Does the design of the Onyx network allow such 
> investigation?

If a metric for measuring anonymity is established, I think we would
gladly welcome such an investigation.

> - Isn't the use of a small number of privately, centrally owned servers to 
> provide an anonymity network inherently problematic? Doesn't the anonymity 
> of the client on such a network depend almost completely on the integrity 
> of the network operator (i.e. xerobank)?

The network node ownership and operation is completely decentralized and
distributed. Nodes are owned and operated by different corporations in
unique jurisdictions, differing from the location of the nodes they operate.

> Apologies if some of my questions/assumptions above could be answered or 
> contradicted by reading the whitepaper in full, but I'm sure they 
> represent the sentiments of many readers on this list who are a little 
> skeptical of what kind of beast Onyx actually is but aren't prepared to 
> analyse it in any depth. This would certainly be a good opportunity for 
> clearing such matters up with or-talk cynics such as myself.

It's my pleasure. These are complicated subjects to say the least.

Steve


