Roger Dingledine committed on 2014-07-12 12:54:19
Showing 1 changed file with 12 additions and 7 deletions.
... | ... |
@@ -4232,21 +4232,24 @@ their path length.</a></h3> |
4232 | 4232 |
example if you're accessing a hidden service or a ".exit" address it could be 4. |
4233 | 4233 |
</p> |
4234 | 4234 |
<p> |
4235 |
- We don't want to encourage people to use paths longer than this -- it |
|
4235 |
+ We don't want to encourage people to use paths longer than this — it |
|
4236 | 4236 |
increases load on the network without (as far as we can tell) providing |
4237 |
- any more security. In fact, using paths longer than 3 could harm anonymity |
|
4238 |
- ("Oh, there's that person who changed her path length again"). Remember that |
|
4237 |
+ any more security. Remember that |
|
4239 | 4238 |
<a href="https://svn.torproject.org/svn/tor/trunk/doc/design-paper/tor-design.html#subsec:threat-model"> |
4240 | 4239 |
the best way to attack Tor is to attack the endpoints and ignore the middle |
4241 | 4240 |
of the path</a>. |
4241 |
+ Also, using paths longer than 3 could harm anonymity, first because |
|
4242 |
+ it makes <a href="http://freehaven.net/anonbib/#ccs07-doa">"denial of |
|
4243 |
+ security"</a> attacks easier, and second because it could act as an |
|
4244 |
+ identifier if only a few people do it ("Oh, there's that person who |
|
4245 |
+ changed her path length again"). |
|
4242 | 4246 |
</p> |
4243 | 4247 |
<p> |
4244 | 4248 |
And we don't want to encourage people to use paths of length 1 either. |
4245 | 4249 |
Currently there is no reason to suspect that investigating a single |
4246 | 4250 |
relay will yield user-destination pairs, but if many people are using |
4247 | 4251 |
only a single hop, we make it more likely that attackers will seize or |
4248 |
- break into relays in hopes |
|
4249 |
- of tracing users. |
|
4252 |
+ break into relays in hopes of tracing users. |
|
4250 | 4253 |
</p> |
4251 | 4254 |
<p> |
4252 | 4255 |
Now, there is a good argument for making the number of hops in a path |
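Review bot: The added claim that longer paths make "denial of security" attacks easier gives the reader only a link and no reason, unlike the second reason, which carries its own quoted example; a short clause saying why a longer path helps that attack would let the FAQ entry stand on its own. The new anchor also points at `http://freehaven.net/anonbib/#ccs07-doa` while the existing link in the same paragraph uses https, so use https there if the host offers it. The first changed line swaps `--` for a literal em dash character, which is safer written as `&mdash;` unless the page's encoding is declared.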
... | ... |
@@ -4255,8 +4258,10 @@ their path length.</a></h3> |
4255 | 4258 |
for sure which entry node you used. Choosing path length from, say, |
4256 | 4259 |
a geometric distribution will turn this into a statistical attack, |
4257 | 4260 |
which seems to be an improvement. On the other hand, a longer path |
4258 |
- length is bad for usability. We're not sure of the right trade-offs |
|
4259 |
- here. Please write a research paper that tells us what to do. |
|
4261 |
+ length is bad for usability, and without further protections it seems |
|
4262 |
+ likely that an adversary can estimate your path length anyway. We're |
|
4263 |
+ not sure of the right trade-offs here. Please write a research paper |
|
4264 |
+ that tells us what to do. |
|
4260 | 4265 |
</p> |
4261 | 4266 |
|
4262 | 4267 |
<hr> |
4263 | 4268 |
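Review bot: The added sentence "without further protections it seems likely that an adversary can estimate your path length anyway" names neither the protections nor how the adversary would make the estimate, so the reader cannot weigh it against the geometric-distribution idea stated just before it. Name the observation you have in mind or link a reference, as the earlier hunk does for "denial of security". It would also help to say how this fits with the earlier statement that a changed path length acts as an identifier "if only a few people do it".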