[tor-talk] Please Remove Tor bridge and... from Censorship countries.

Seth David Schoen schoen at eff.org
Sun Nov 6 06:36:36 UTC 2016 

Jason Long writes:

> Hello Tor Developers and administrator.The Tor goal is provide Secure web surfing as free and Freedom but unfortunately some countries like Iran, China, North Korea and... Launch Tor bridges for spying on users and sniff their traffics and it is so bad and decrease Tor users and security. If Tor Project goal is Freedom and Anti Censorship then it must ban all bridges and Servers from those countries. Please consider it and do a serious job.

Tor's approach to this issue is generally to look for ever-greater
geographic diversity of servers.

The Tor design assumes that there could be monitoring of servers in a
particular network, but hopes that this won't be a big problem because
most organizations monitoring Tor nodes can only see a part of the
overall network.  In that case, they can hopefully only see a part of
the path that a particular user's traffic takes, so they may not know
where the user is and also whom the user is communicating with (though
they might know one or the other).

In this model, it's not necessarily bad to have nodes on networks that
are hostile -- because the people doing the monitoring get incomplete
information.  At the same time, having nodes in many places can decrease
how complete a picture any one network operator or government can get.
For example, suppose that the U.S. government, the Chinese government,
and the Iranian government are all trying to spy on Tor users whose
traffic passes through their territory, but the governments don't directly
cooperate with each other.  In that case, having a user use nodes in all
3 jurisdictions is probably great for anonymity because each jurisdiction
to some extent protects facts about the user's activity from the other
jurisdictions, and it's hard for anyone to put the whole picture together.

If people want to hide the fact that they're using Tor at all, and are
using bridges for that reason, they probably should not use bridges
inside their own country.  But those bridges could be useful to people
in other countries who aren't trying to hide from the same adversary.

If an exit node is unable to reach a lot of network resources because
of censorship on the network where it's located, it should be possible
to detect this through scanning and flag it as a BadExit so that clients
will avoid using it in that role.

There's still a problem when network operators pool their information or
when governments can monitor networks outside of their own territory.
This is a practical problem for path selection and also for assessing
how much privacy Tor can actually provide against a particular adversary.
For instance, if the U.K. government taps enough of the world's Internet
links, or trades data about Tor users with other governments, it might
be able to learn a lot about a high fraction of Tor users even if they
don't use nodes that are in the U.K.  That could be hard to fix without
adopting a different anonymity design or finding a way to prevent these
taps and exchanges of data.

People have been thinking about that kind of issue quite a bit, like in

https://www.nrl.navy.mil/itd/chacs/biblio/users-get-routed-traffic-correlation-tor-realistic-adversaries

and other research projects, and to my mind the news isn't necessarily
that good.  But the key point is that having nodes on an unfriendly
network isn't necessarily bad in itself unless that network actually
sees interesting data as a result (or actively disrupts traffic in a way
that doesn't get blacklisted from clients' path selection).  And that can
sometimes happen, but doesn't always have to happen, and people on other
networks can still get a potential privacy or anticensorship benefit in
the meantime.

Notice that this argument doesn't depend on saying that what governments
are doing is OK, or that they don't have ill will toward the Tor network
or particular Tor users.  It also doesn't prove that governments will
fail to monitor the network; there's a lot of uncertainty about how
effective governments' capabilities in this area are.

Finally, there's an issue about identifying which nodes are secretly
run by the same organizations (or secretly monitored by the same
organizations!) which fail to admit it.  This is a form of Sybil attack,
where one entity pretends to be many different entities.  If a government
set up many ostensibly unrelated nodes, and clients believed they were
actually unrelated, it would increase the chance that a given Tor user
used several of those nodes for the same circuit, decreasing anonymity.
Tor can probably do better about detecting this.  It's not certain that
blacklisting countries would help much with this, because we don't know
which governments are attempting this to what degrees, and because they
don't have to host their nodes on IP addresses in their own jurisdiction!
If the North Korean government wants to do this sort of attack, it can
pay to set up a bunch of servers in France and Germany, which users and
their Tor clients would think are "French" or "German" but which are
effectively North Korean for surveillance purposes.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107

More information about the tor-talk mailing list