Roger Dingledine commited on 2005-09-25 00:03:25
Zeige 1 geänderte Dateien mit 20 Einfügungen und 4 Löschungen.
... | ... |
@@ -252,6 +252,16 @@ much traffic of what sort of distribution is needed before the adversary |
252 | 252 |
is confident he has won? Are there scenarios (e.g. not transmitting much) |
253 | 253 |
that slow down the attack? Do some traffic padding or traffic shaping |
254 | 254 |
schemes work better than others?</li> |
255 |
+<li>The "run two servers and wait attack": Tor clients pick a new path |
|
256 |
+periodically. If the adversary runs an entry and an exit, eventually some |
|
257 |
+Alice will build a circuit that begins and ends with his nodes. The |
|
258 |
+current Tor threat model assumes the end-to-end traffic confirmation attack |
|
259 |
+is trivial, and instead aims to limit the chance that the adversary will |
|
260 |
+be able to see both sides of a circuit. One way to help this is |
|
261 |
+<a href="http://freehaven.net/anonbib/#wright03">helper |
|
262 |
+nodes</a> -- Alice picks a small set of entry nodes and uses them always. |
|
263 |
+But in reality, Tor nodes disappear sometimes. So it would seem that the |
|
264 |
+attack continues, albeit slower than before. How much slower?</li> |
|
255 | 265 |
<li>The "routing zones attack": most of the literature thinks of |
256 | 266 |
the network path between Alice and her entry node (and between the |
257 | 267 |
exit node and Bob) as a single link on some graph. In practice, |
... | ... |
@@ -262,7 +272,6 @@ Unfortunately, to accurately predict whether a given Alice, entry, |
262 | 272 |
exit, Bob quad will be dangerous, we need to download an entire Internet |
263 | 273 |
routing zone and perform expensive operations on it. Are there practical |
264 | 274 |
approximations, such as avoiding IP addresses in the same /8 network?</li> |
265 |
-<!--<li>Find ideal churn rate for helper nodes; how safe is it?</li> --> |
|
266 | 275 |
<li>Tor doesn't work very well when servers have asymmetric bandwidth |
267 | 276 |
(e.g. cable or DSL). Because Tor has separate TCP connections between |
268 | 277 |
each hop, if the incoming bytes are arriving just fine and the outgoing |
... | ... |
@@ -292,9 +301,16 @@ nodes.) But how do we distribute a list of these volunteer clients to the |
292 | 301 |
good dissidents in an automated way that doesn't let the country-level |
293 | 302 |
firewalls intercept and enumerate them? Probably needs to work on a |
294 | 303 |
human-trust level.</li> |
295 |
-<!-- <li>Is exiting from the middle of the circuit always a bad idea?</li> |
|
296 |
-<li>It's not that hard to DoS Tor servers or dirservers. Are puzzles the |
|
297 |
-right answer? What other practical approaches are there?</li> --> |
|
304 |
+<li>Tor circuits are built one hop at a time, so in theory we have the |
|
305 |
+ability to make some streams exit from the second hop, some from the |
|
306 |
+third, and so on. This seems nice because it breaks up the set of exiting |
|
307 |
+streams that a given server can see. But if we want each stream to be safe, |
|
308 |
+the "shortest" path should be at least 3 hops long by our current logic, so |
|
309 |
+the rest will be even longer. We need to examine this performance / security |
|
310 |
+tradeoff.</li> |
|
311 |
+<li>It's not that hard to DoS Tor servers or dirservers. Are client |
|
312 |
+puzzles the right answer? What other practical approaches are there? Bonus |
|
313 |
+if they're backward-compatible with the current Tor protocol.</li> |
|
298 | 314 |
</ol> |
299 | 315 |
|
300 | 316 |
Drop by the #tor IRC channel at irc.oftc.net or email tor-volunteer@freehaven.net if you want to help out! |
301 | 317 |