Browse code

more updates on the 'change your path length' faq entry

Roger Dingledine authored on 12/07/2014 12:54:19
Showing 1 changed files
... ...
@@ -4232,21 +4232,24 @@ their path length.</a></h3>
4232 4232
  example if you're accessing a hidden service or a ".exit" address it could be 4.
4233 4233
 </p>
4234 4234
 <p>
4235
- We don't want to encourage people to use paths longer than this -- it
4235
+ We don't want to encourage people to use paths longer than this &mdash; it
4236 4236
  increases load on the network without (as far as we can tell) providing
4237
- any more security. In fact, using paths longer than 3 could harm anonymity 
4238
- ("Oh, there's that person who changed her path length again"). Remember that 
4237
+ any more security. Remember that 
4239 4238
 <a href="https://svn.torproject.org/svn/tor/trunk/doc/design-paper/tor-design.html#subsec:threat-model">
4240 4239
  the best way to attack Tor is to attack the endpoints and ignore the middle
4241 4240
  of the path</a>.
4241
+ Also, using paths longer than 3 could harm anonymity, first because
4242
+ it makes <a href="http://freehaven.net/anonbib/#ccs07-doa">"denial of
4243
+ security"</a> attacks easier, and second because it could act as an
4244
+ identifier if only a few people do it ("Oh, there's that person who
4245
+ changed her path length again").
4242 4246
 </p>
4243 4247
 <p>
4244 4248
  And we don't want to encourage people to use paths of length 1 either.
4245
- Currently  there is no reason to suspect that investigating a single
4246
- relay will yield  user-destination pairs, but if many people are using
4249
+ Currently there is no reason to suspect that investigating a single
4250
+ relay will yield user-destination pairs, but if many people are using
4247 4251
  only a single hop, we make it more likely that attackers will seize or
4248
- break into relays in hopes
4249
- of tracing users.
4252
+ break into relays in hopes of tracing users.
4250 4253
 </p>
4251 4254
 <p>
4252 4255
  Now, there is a good argument for making the number of hops in a path
... ...
@@ -4255,8 +4258,10 @@ their path length.</a></h3>
4255 4258
  for sure which entry node you used. Choosing path length from, say,
4256 4259
  a geometric distribution will turn this into a statistical attack,
4257 4260
  which seems to be an improvement. On the other hand, a longer path
4258
- length is bad for usability. We're not sure of the right trade-offs
4259
- here. Please write a research paper that tells us what to do.
4261
+ length is bad for usability, and without further protections it seems
4262
+ likely that an adversary can estimate your path length anyway. We're
4263
+ not sure of the right trade-offs here. Please write a research paper
4264
+ that tells us what to do.
4260 4265
 </p>
4261 4266
 
4262 4267
     <hr>