all traffic through a VPN on top of tor, done!

[John Case]

On Fri, 13 Nov 2009, Paul Syverson wrote:

>> But lets say one sets up X Tor nodes in X different locales and configure
>> my Tor to use one of those X for my entry, and one of those X for my exit
>> ... I'm still throttled by my middle hop, but the odds are much higher in
>> my favor, and I may only need to rebuild my connection once or twice to get
>> an acceptable speed.
>
> Ignoring what the underlying network can observe, the value to having
> three hops is that the first and last ones don't know about each other
> directly (so immediately know who to attack to completely deanonymize
> a connection; they instead need to iterate such an attack). But if you
> enter and leave the network via nodes you control, the only thing you
> are getting from adding a "public" hop in the middle is a greater
> chance of an adversary observing you. The problem with your design is
> that if anyone discovers the nodes are under your control, then things
> emerging from/entering them will be suspected of being associated with
> you. (It was similar considerations that led us to recommend even in
> the onion routing designs that predated Tor that the network not just
> be run by/for the DoD.) Worse still, if you add just a middle hop that
> is not yours, you make things worse, not better. Any time it is you
> going to a destination observed by your adversary and via a middle hop
> owned by the adversary, he will be right in guessing the connection is
> more likely to be yours than are arbitrary connections through the
> network. He will get this without needing to see your entry connection
> into the network.


Ok, that is perfectly sensible.  My immediate thought, however, is "if all 
X of my nodes are in different locales (US, Canada, CH, DE, NZ, whatever) 
wouldn't this correlation be awfully difficult, especially if service is 
not directly under my name (company front, straw man purchase, fake signup 
name, etc. ?)"

It's just a thought - I realize your problem is the real-world assurances 
that people need when they are really under survelliance, and not some 
rich white guys IT hobby.


>> The question is, what values of X are required in order for correlation,
>> etc., to not be laughable ?
>>
>> (the assumption here is that I put my X Tor nodes on the actual Tor
>> network, but reserve some percentage of their bandwidth exclusively for my
>> own use ... so they look and act like actual Tor nodes ...)
>
> These are tricky questions, and we are doing ongoing research about it
> now. An initial result we have is not quite to answer this question
> but instead to look at how you should do routing to avoid compromised
> entry and exit nodes if you trust some nodes more than others and
> where the difference in trust and percentage of trusted and untrusted
> nodes are input parameters. Published in the IEEE Computer Security
> Foundations Symposium, cf.
> www.cs.yale.edu/~amj37/publications/trusted_sets-csf09.pdf
>
> I think I will have a better, but not complete answer, to questions
> closer to yours within several months. But it will involve some
> complicated analysis. For now, I suggest you follow Andrew's
> advice---or just take your risk if speed matters more than security
> for you. But know then that you are entering uncharted and especially
> ill-understood waters and that any guesses you might have for X (or
> even that this is the right question) are likely to be wrong, and you
> really will have no idea what kind of protection you are getting.


Thanks very much for a very helpful reply - I appreciate it.  It will be 
interesting if you conclude that X is larger than (the current size of the 
public Tor network)  :)
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/