[tor-talk] Network diversity [was: Should I warn against Tor?]

Jens Lechtenboerger tortalk at informationelle-selbstbestimmung-im-internet.de
Sat Jul 20 12:31:12 UTC 2013


On Sa, Jul 20 2013, Jens Lechtenboerger wrote: 
 
> On Fr, Jul 19 2013, Gregory Maxwell wrote: 
> 
>> On Fri, Jul 19, 2013 at 10:03 AM, Jens Lechtenboerger 
>> <tortalk at informationelle-selbstbestimmung-im-internet.de> 
>> wrote: 
>>>> but going much further than that may well decrease your 
>>>> security. 
>>> 
>>> How, actually?  I’m aware that what I’m doing is a departure 
>>> from network diversity to obtain anonymity.  I’m excluding 
>>> what I consider unsafe based on my current understanding.  It 
>>> might be that in the end I’ll be unable to find anything that 
>>> does not look unsafe to me.  I don’t know what then. 
>> 
>> Because you're lowering the entropy of the nodes you are 
>> selecting maybe all the hosts themselves are simply NSA 
>> operated, or if not now, they be a smaller target to 
>> compromise. 
> 
> I don’t buy the entropy argument.  If the NSA compromises Tor 
> nodes, wouldn’t they target as many nodes as possible, 
> regardless of guard selection strategies? 
> 
> Note that I’m avoiding guards that they can monitor without 
> having compromised them. 
 
Let me expand upon that one.  Actually, I’d like to consider two
aspects separately: First, nodes may or may not be compromised.
If they are, they should not be used by anyone.  Usually, we don’t
know, so we select randomly.  Of course, everybody may have more
or less reason to trust individual operators or not—my previous
posts are unrelated to such reasoning.  Second, the *path* to a
node may or may not be compromised.  Depending on where you live
and where you connect to the Internet, different expectations
apply.  This is the case I’m talking about.  If I expect a path to
be compromised then I don’t want to use entry nodes that must use
that path.  I don’t care whether those nodes are compromised or
not, they are out of scope.  Note that based on this criterion,
I’m probably using different guard nodes when I connect to the
Internet from different places.

To sum up: One-size-fits-all is not the best approach for node
selection.

So far, I’ve been arguing from a German perspective.  Let’s change
that.

Assume that you live under an oppressive regime that monitors
everything in your own country, and you use Tor to anonymize your
communication.  You must make sure that you always communicate via
foreign servers with your compatriots; otherwise, both ends of the
torified traffic are monitored in your country, and Tor fails.
You cannot avoid that your communication with your entry guard is
stored and analyzed.  Now, if Tor’s standard path selection ever
chooses an exit node in your own country then also the exit’s
communication is stored and analyzed, and Tor fails.  Thus, you must
avoid national exits.  And you must avoid foreign exits with boomerang
routes into your own country.  (It’s less obvious whether you should
avoid national guards.  Although those are monitored in your country
they offer protection against foreign adversaries if you care about
them.)

Finally, if you did not do so already ;) please re-read the previous
paragraph and pretend that I wrote “democratic government” instead of
“oppressive regime.”

One-size-fits-all is not the best approach for node selection.

Best wishes
Jens

