mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-20 02:09:24 +01:00
more fixes. i declare this the first draft.
svn:r3598
This commit is contained in:
parent
aca8c362bf
commit
e3266768f4
@ -1,16 +1,14 @@
|
||||
\documentclass{llncs}
|
||||
% XXXX NM: Fold ``bandwidth and usability'' into ``Tor and file-sharing'' --
|
||||
% ``bandwidth and file-sharing''.
|
||||
|
||||
\usepackage{url}
|
||||
\usepackage{amsmath}
|
||||
\usepackage{epsfig}
|
||||
|
||||
\setlength{\textwidth}{6.1in}
|
||||
\setlength{\textheight}{8.5in}
|
||||
\setlength{\topmargin}{1cm}
|
||||
\setlength{\oddsidemargin}{.5cm}
|
||||
\setlength{\evensidemargin}{.5cm}
|
||||
\setlength{\textwidth}{5.9in}
|
||||
\setlength{\textheight}{8.4in}
|
||||
\setlength{\topmargin}{.5cm}
|
||||
\setlength{\oddsidemargin}{1cm}
|
||||
\setlength{\evensidemargin}{1cm}
|
||||
|
||||
\newenvironment{tightlist}{\begin{list}{$\bullet$}{
|
||||
\setlength{\itemsep}{0mm}
|
||||
@ -122,7 +120,7 @@ giving an effective vector for physical or online attackers.
|
||||
Tor provides these protections even when a portion of its
|
||||
infrastructure is compromised.
|
||||
|
||||
To connect to a remove server via Tor, the client software learns a signed
|
||||
To connect to a remote server via Tor, the client software learns a signed
|
||||
list of Tor nodes from one of several central \emph{directory servers}, and
|
||||
incrementally creates a private pathway or \emph{circuit} of encrypted
|
||||
connections through authenticated Tor nodes on the network, negotiating a
|
||||
@ -373,10 +371,10 @@ eavesdropper can perform traffic analysis on the entire network.
|
||||
%financial health as well as network security.
|
||||
The Java
|
||||
Anon Proxy~\cite{web-mix} provides similar functionality to Tor but
|
||||
handles only web browsing rather than arbitrary TCP\@.
|
||||
handles only web browsing rather than all TCP\@.
|
||||
%Some peer-to-peer file-sharing overlay networks such as
|
||||
%Freenet~\cite{freenet} and Mute~\cite{mute}
|
||||
Zero-Knowledge Systems' commercial Freedom
|
||||
Zero-Knowledge Systems' Freedom
|
||||
network~\cite{freedom21-security} was even more flexible than Tor in
|
||||
transporting arbitrary IP packets, and also supported
|
||||
pseudonymity in addition to anonymity; but it has
|
||||
@ -387,7 +385,7 @@ more scalable peer-to-peer designs like Tarzan~\cite{tarzan:ccs02} and
|
||||
MorphMix~\cite{morphmix:fc04} have been proposed in the literature, but
|
||||
have not been fielded. These systems differ somewhat
|
||||
in threat model and presumably practical resistance to threats.
|
||||
Note that MorphMix and Tor differ only in
|
||||
Note that MorphMix differs from Tor only in
|
||||
node discovery and circuit setup; so Tor's architecture is flexible
|
||||
enough to contain a MorphMix experiment.
|
||||
We direct the interested reader
|
||||
@ -461,7 +459,7 @@ attacks, because its network has fewer edges. JAP was born out of
|
||||
the ISDN mix design~\cite{isdn-mixes}, where padding made sense because
|
||||
every user had a fixed bandwidth allocation and altering the timing
|
||||
pattern of packets could be immediately detected. But in its current context
|
||||
as a general Internet web anonymizer, adding sufficient padding to JAP
|
||||
as an Internet web anonymizer, adding sufficient padding to JAP
|
||||
would probably be prohibitively expensive and ineffective against a
|
||||
minimally active attacker.\footnote{Even if JAP could
|
||||
fund higher-capacity nodes indefinitely, our experience
|
||||
@ -621,7 +619,7 @@ any anonymizing network: their intensive bandwidth requirement, and the
|
||||
degree to which they are associated (correctly or not) with copyright
|
||||
infringement.
|
||||
|
||||
As noted above, high-bandwidth protocols can make the network unresponsive,
|
||||
High-bandwidth protocols can make the network unresponsive,
|
||||
but tend to be somewhat self-correcting as lack of bandwidth drives away
|
||||
users who need it. Issues of copyright violation,
|
||||
however, are more interesting. Typical exit node operators want to help
|
||||
@ -636,7 +634,7 @@ So when letters arrive, operators are likely to face
|
||||
pressure to block file-sharing applications entirely, in order to avoid the
|
||||
hassle.
|
||||
|
||||
But blocking file-sharing is not easy: many popular
|
||||
But blocking file-sharing is not easy: popular
|
||||
protocols have evolved to run on non-standard ports to
|
||||
get around other port-based bans. Thus, exit node operators who want to
|
||||
block file-sharing would have to find some way to integrate Tor with a
|
||||
@ -726,20 +724,20 @@ nodes, open proxies, and service abusers, these systems hope to make
|
||||
ongoing abuse difficult. Although the system is imperfect, it works
|
||||
tolerably well for them in practice.
|
||||
|
||||
But of course, we would prefer that legitimate anonymous users be able to
|
||||
access abuse-prone services. One conceivable approach would be to require
|
||||
Of course, we would prefer that legitimate anonymous users be able to
|
||||
access abuse-prone services. One conceivable approach would require
|
||||
would-be IRC users, for instance, to register accounts if they want to
|
||||
access the IRC network from Tor. In practice this would not
|
||||
significantly impede abuse if creating new accounts were easily automatable;
|
||||
this is why services use IP blocking. To deter abuse, pseudonymous
|
||||
identities need to require a significant switching cost in resources or human
|
||||
time. Some popular webmail applications
|
||||
impose cost with Reverse Turing Tests, but these may not be costly enough to
|
||||
deter abusers. Freedom used blind signatures to limit
|
||||
impose cost with Reverse Turing Tests, but this step may not deter all
|
||||
abusers. Freedom used blind signatures to limit
|
||||
the number of pseudonyms for each paying account, but Tor has neither the
|
||||
ability nor the desire to collect payment.
|
||||
|
||||
We stress that as far as we can tell, most Tor uses so far are not
|
||||
We stress that as far as we can tell, most Tor uses are not
|
||||
abusive. Most services have not complained, and others are actively
|
||||
working to find ways besides banning to cope with the abuse. For example,
|
||||
the Freenode IRC network had a problem with a coordinated group of
|
||||
@ -891,8 +889,8 @@ prevent individual machines within the enclave from running Tor
|
||||
clients~\cite{or-jsac98,or-discex00}.
|
||||
|
||||
Of course, Tor's default path length of
|
||||
three is insufficient for these enclaves, since the entry and/or exit
|
||||
themselves are sensitive. Tor thus increments the path length by one
|
||||
three is insufficient for these enclaves, since the entry or exit
|
||||
themselves are sensitive. Tor thus increments path length by one
|
||||
for each sensitive endpoint in the circuit.
|
||||
Enclaves also help to protect against end-to-end attacks, since it's
|
||||
possible that traffic coming from the node has simply been relayed from
|
||||
@ -1208,49 +1206,47 @@ further study.
|
||||
\subsection{Trust and discovery}
|
||||
\label{subsec:trust-and-discovery}
|
||||
|
||||
The published Tor design adopted a deliberately simplistic design for
|
||||
The published Tor design uses a deliberately simplistic design for
|
||||
authorizing new nodes and informing clients about Tor nodes and their status.
|
||||
In preliminary Tor designs, all nodes periodically uploaded a
|
||||
signed description
|
||||
All nodes periodically upload a signed description
|
||||
of their locations, keys, and capabilities to each of several well-known {\it
|
||||
directory servers}. These directory servers constructed a signed summary
|
||||
directory servers}. These directory servers construct a signed summary
|
||||
of all known Tor nodes (a ``directory''), and a signed statement of which
|
||||
nodes they
|
||||
believed to be operational at any given time (a ``network status''). Clients
|
||||
periodically downloaded a directory to learn the latest nodes and
|
||||
keys, and more frequently downloaded a network status to learn which nodes were
|
||||
believe to be operational then (a ``network status''). Clients
|
||||
periodically download a directory to learn the latest nodes and
|
||||
keys, and more frequently download a network status to learn which nodes are
|
||||
likely to be running. Tor nodes also operate as directory caches, to
|
||||
lighten the bandwidth on the authoritative directory servers.
|
||||
lighten the bandwidth on the directory servers.
|
||||
|
||||
In order to prevent Sybil attacks (wherein an adversary signs up many
|
||||
purportedly independent nodes to increase her chances of observing
|
||||
a stream as it enters and leaves the network), the early Tor directory design
|
||||
required the operators of the authoritative directory servers to manually
|
||||
approve new nodes. Unapproved nodes were included in the directory,
|
||||
To prevent Sybil attacks (wherein an adversary signs up many
|
||||
purportedly independent nodes to increase her network view),
|
||||
this design
|
||||
requires the directory server operators to manually
|
||||
approve new nodes. Unapproved nodes are included in the directory,
|
||||
but clients
|
||||
did not use them at the start or end of their circuits. In practice,
|
||||
directory administrators performed little actual verification, and tended to
|
||||
approve any Tor node whose operator could compose a coherent email.
|
||||
do not use them at the start or end of their circuits. In practice,
|
||||
directory administrators perform little actual verification, and tend to
|
||||
approve any Tor node whose operator can compose a coherent email.
|
||||
This procedure
|
||||
may have prevented trivial automated Sybil attacks, but would do little
|
||||
may prevent trivial automated Sybil attacks, but will do little
|
||||
against a clever and determined attacker.
|
||||
|
||||
There are a number of flaws in this system that need to be addressed as we
|
||||
move forward. They include:
|
||||
\begin{tightlist}
|
||||
\item Each directory server represents an independent point of failure; if
|
||||
any one were compromised, it could immediately compromise all of its users
|
||||
by recommending only compromised nodes.
|
||||
\item The more nodes join the network, the more unreasonable it
|
||||
becomes to expect clients to know about them all. Directories
|
||||
become infeasibly large, and downloading the list of nodes becomes
|
||||
burdensome.
|
||||
\item The validation scheme may do as much harm as it does good. It is not
|
||||
only incapable of preventing clever attackers from mounting Sybil attacks,
|
||||
but may deter node operators from joining the network. (For instance, if
|
||||
they expect the validation process to be difficult, or if they do not share
|
||||
any languages in common with the directory server operators.)
|
||||
\end{tightlist}
|
||||
move forward. First,
|
||||
each directory server represents an independent point of failure: any
|
||||
compromised directory server could start recommending only compromised
|
||||
nodes.
|
||||
Second, as more nodes join the network, %the more unreasonable it
|
||||
%becomes to expect clients to know about them all.
|
||||
directories
|
||||
become infeasibly large, and downloading the list of nodes becomes
|
||||
burdensome.
|
||||
Third, the validation scheme may do as much harm as it does good. It not
|
||||
only can't prevent clever attackers from mounting Sybil attacks,
|
||||
but it may deter node operators from joining the network, if
|
||||
they expect the validation process to be difficult, or they do not share
|
||||
any languages in common with the directory server operators.
|
||||
|
||||
We could try to move the system in several directions, depending on our
|
||||
choice of threat model and requirements. If we did not need to increase
|
||||
@ -1261,18 +1257,17 @@ But, we can only do that if can simultaneously make node capacity
|
||||
scale much more than we anticipate to be feasible soon, and if we can find
|
||||
entities willing to run such nodes, an equally daunting prospect.
|
||||
|
||||
|
||||
In order to address the first two issues, it seems wise to move to a system
|
||||
including a number of semi-trusted directory servers, no one of which can
|
||||
compromise a user on its own. Ultimately, of course, we cannot escape the
|
||||
problem of a first introducer: since most users will run Tor in whatever
|
||||
configuration the software ships with, the Tor distribution itself will
|
||||
remain a potential single point of failure so long as it includes the seed
|
||||
remain a single point of failure so long as it includes the seed
|
||||
keys for directory servers, a list of directory servers, or any other means
|
||||
to learn which nodes are on the network. But omitting this information
|
||||
from the Tor distribution would only delegate the trust problem to the
|
||||
individual users, most of whom are presumably less informed about how to make
|
||||
trust decisions than the Tor developers.
|
||||
from the Tor distribution would only delegate the trust problem to each
|
||||
individual user. %, most of whom are presumably less informed about how to make
|
||||
%trust decisions than the Tor developers.
|
||||
|
||||
%Network discovery, sybil, node admission, scaling. It seems that the code
|
||||
%will ship with something and that's our trust root. We could try to get
|
||||
@ -1310,20 +1305,19 @@ for views of a node's latency and/or bandwidth to vary wildly between
|
||||
observers. Further, it is unclear whether total bandwidth is really
|
||||
the right measure; perhaps clients should instead be considering nodes
|
||||
based on unused bandwidth or observed throughput.
|
||||
% XXXX say more here?
|
||||
|
||||
%How to measure performance without letting people selectively deny service
|
||||
%by distinguishing pings. Heck, just how to measure performance at all. In
|
||||
%practice people have funny firewalls that don't match up to their exit
|
||||
%policies and Tor doesn't deal.
|
||||
|
||||
%
|
||||
%Network investigation: Is all this bandwidth publishing thing a good idea?
|
||||
%How can we collect stats better? Note weasel's smokeping, at
|
||||
%http://seppia.noreply.org/cgi-bin/smokeping.cgi?target=Tor
|
||||
%which probably gives george and steven enough info to break tor?
|
||||
|
||||
Even if we can collect and use this network information effectively, we need
|
||||
to make sure that it is not more useful to attackers than to us. While it
|
||||
%
|
||||
And even if we can collect and use this network information effectively,
|
||||
we must ensure
|
||||
that it is not more useful to attackers than to us. While it
|
||||
seems plausible that bandwidth data alone is not enough to reveal
|
||||
sender-recipient connections under most circumstances, it could certainly
|
||||
reveal the path taken by large traffic flows under low-usage circumstances.
|
||||
@ -1331,24 +1325,27 @@ reveal the path taken by large traffic flows under low-usage circumstances.
|
||||
\subsection{Non-clique topologies}
|
||||
|
||||
Tor's comparatively weak threat model may allow easier scaling than
|
||||
other mix-net
|
||||
other
|
||||
designs. High-latency mix networks need to avoid partitioning attacks, where
|
||||
network splits let an attacker distinguish users in different partitions.
|
||||
Since Tor assumes the adversary cannot cheaply observe nodes at will,
|
||||
a network split may not decrease protection much.
|
||||
Thus, one option when the scale of a Tor network
|
||||
exceeds some size is simply to split it. Nodes could be allocated into
|
||||
partitions while hampering collobrating hostile nodes from taking over
|
||||
partitions while hampering collaborating hostile nodes from taking over
|
||||
a single partition~\cite{casc-rep}.
|
||||
Clients could switch between
|
||||
networks, even on a per-circuit basis. Future analysis may uncover
|
||||
other dangers beyond those affecting mix-nets.
|
||||
networks, even on a per-circuit basis.
|
||||
%Future analysis may uncover
|
||||
%other dangers beyond those affecting mix-nets.
|
||||
|
||||
More conservatively, we can try to scale a single Tor network. Potential
|
||||
More conservatively, we can try to scale a single Tor network. Likely
|
||||
problems with adding more servers to a single Tor network include an
|
||||
explosion in the number of sockets needed on each server as more servers
|
||||
join, and an increase in coordination overhead as keeping everyone's view of
|
||||
the network consistent becomes increasingly difficult.
|
||||
join, and increased coordination overhead to keep each users' view of
|
||||
the network consistent. As we grow, we will also have more instances of
|
||||
servers that can't reach each other simply due to Internet topology or
|
||||
routing problems.
|
||||
|
||||
%include restricting the number of sockets and the amount of bandwidth
|
||||
%used by each node. The number of sockets is determined by the network's
|
||||
@ -1369,9 +1366,7 @@ extend to Tor, which has a weaker threat model but higher performance
|
||||
requirements: instead of analyzing the
|
||||
probability of an attacker's viewing whole paths, we will need to examine the
|
||||
attacker's likelihood of compromising the endpoints.
|
||||
|
||||
% Nick edits these next 2 grafs.
|
||||
|
||||
%
|
||||
Tor may not need an expander graph per se: it
|
||||
may be enough to have a single subnet that is highly connected, like
|
||||
an internet backbone. % As an
|
||||
@ -1382,22 +1377,22 @@ an internet backbone. % As an
|
||||
%center and anyone out of the center that they want to. Then the
|
||||
%network easily scales to c. 2500 nodes with commensurate increase in
|
||||
%bandwidth.
|
||||
There are many open questions: how to distribute directory information
|
||||
(presumably information about the center nodes could
|
||||
be given to any new nodes with their codebase), whether center nodes
|
||||
will need to function as a `backbone', and so one. As above,
|
||||
There are many open questions: how to distribute connectivity information
|
||||
(presumably nodes will learn about the center nodes
|
||||
when they download Tor), whether center nodes
|
||||
will need to function as a `backbone', and so on. As above,
|
||||
this could create problems for the expected anonymity for a mix-net,
|
||||
but for a low-latency network where anonymity derives largely from
|
||||
the edges, it may be feasible.
|
||||
|
||||
In a sense, Tor already has a non-clique topology.
|
||||
Individuals can set up and run Tor nodes without informing the
|
||||
directory servers. This allows groups to run a
|
||||
local Tor network of private nodes that connects to the public Tor
|
||||
network. This network is hidden behind the Tor network, and its
|
||||
only visible connection to Tor is at those points where it connects.
|
||||
As far as the public network, or anyone observing it, is concerned,
|
||||
they are running clients.
|
||||
%In a sense, Tor already has a non-clique topology.
|
||||
%Individuals can set up and run Tor nodes without informing the
|
||||
%directory servers. This allows groups to run a
|
||||
%local Tor network of private nodes that connects to the public Tor
|
||||
%network. This network is hidden behind the Tor network, and its
|
||||
%only visible connection to Tor is at those points where it connects.
|
||||
%As far as the public network, or anyone observing it, is concerned,
|
||||
%they are running clients.
|
||||
|
||||
\section{The Future}
|
||||
\label{sec:conclusion}
|
||||
|
Loading…
Reference in New Issue
Block a user