one pony is not enough.
Roger Dingledine commited on 2005-09-25 00:03:25
Zeige 1 geänderte Dateien mit 20 Einfügungen und 4 Löschungen.
- volunteer.html 0767b8870..932ad364d
| ... | ... |
@@ -252,6 +252,16 @@ much traffic of what sort of distribution is needed before the adversary |
| 252 | 252 |
is confident he has won? Are there scenarios (e.g. not transmitting much) |
| 253 | 253 |
that slow down the attack? Do some traffic padding or traffic shaping |
| 254 | 254 |
schemes work better than others?</li> |
| 255 |
+<li>The "run two servers and wait attack": Tor clients pick a new path |
|
| 256 |
+periodically. If the adversary runs an entry and an exit, eventually some |
|
| 257 |
+Alice will build a circuit that begins and ends with his nodes. The |
|
| 258 |
+current Tor threat model assumes the end-to-end traffic confirmation attack |
|
| 259 |
+is trivial, and instead aims to limit the chance that the adversary will |
|
| 260 |
+be able to see both sides of a circuit. One way to help this is |
|
| 261 |
+<a href="http://freehaven.net/anonbib/#wright03">helper |
|
| 262 |
+nodes</a> -- Alice picks a small set of entry nodes and uses them always. |
|
| 263 |
+But in reality, Tor nodes disappear sometimes. So it would seem that the |
|
| 264 |
+attack continues, albeit slower than before. How much slower?</li> |
|
| 255 | 265 |
<li>The "routing zones attack": most of the literature thinks of |
| 256 | 266 |
the network path between Alice and her entry node (and between the |
| 257 | 267 |
exit node and Bob) as a single link on some graph. In practice, |
| ... | ... |
@@ -262,7 +272,6 @@ Unfortunately, to accurately predict whether a given Alice, entry, |
| 262 | 272 |
exit, Bob quad will be dangerous, we need to download an entire Internet |
| 263 | 273 |
routing zone and perform expensive operations on it. Are there practical |
| 264 | 274 |
approximations, such as avoiding IP addresses in the same /8 network?</li> |
| 265 |
-<!--<li>Find ideal churn rate for helper nodes; how safe is it?</li> --> |
|
| 266 | 275 |
<li>Tor doesn't work very well when servers have asymmetric bandwidth |
| 267 | 276 |
(e.g. cable or DSL). Because Tor has separate TCP connections between |
| 268 | 277 |
each hop, if the incoming bytes are arriving just fine and the outgoing |
| ... | ... |
@@ -292,9 +301,16 @@ nodes.) But how do we distribute a list of these volunteer clients to the |
| 292 | 301 |
good dissidents in an automated way that doesn't let the country-level |
| 293 | 302 |
firewalls intercept and enumerate them? Probably needs to work on a |
| 294 | 303 |
human-trust level.</li> |
| 295 |
-<!-- <li>Is exiting from the middle of the circuit always a bad idea?</li> |
|
| 296 |
-<li>It's not that hard to DoS Tor servers or dirservers. Are puzzles the |
|
| 297 |
-right answer? What other practical approaches are there?</li> --> |
|
| 304 |
+<li>Tor circuits are built one hop at a time, so in theory we have the |
|
| 305 |
+ability to make some streams exit from the second hop, some from the |
|
| 306 |
+third, and so on. This seems nice because it breaks up the set of exiting |
|
| 307 |
+streams that a given server can see. But if we want each stream to be safe, |
|
| 308 |
+the "shortest" path should be at least 3 hops long by our current logic, so |
|
| 309 |
+the rest will be even longer. We need to examine this performance / security |
|
| 310 |
+tradeoff.</li> |
|
| 311 |
+<li>It's not that hard to DoS Tor servers or dirservers. Are client |
|
| 312 |
+puzzles the right answer? What other practical approaches are there? Bonus |
|
| 313 |
+if they're backward-compatible with the current Tor protocol.</li> |
|
| 298 | 314 |
</ol> |
| 299 | 315 |
|
| 300 | 316 |
Drop by the #tor IRC channel at irc.oftc.net or email tor-volunteer@freehaven.net if you want to help out! |
| 301 | 317 |