[tor-dev] Proposal 188: Bridge Guards and other anti-enumeration defenses

Robert Ransom rransom.8774 at gmail.com
Thu Oct 20 18:00:20 UTC 2011


On 2011-10-20, Nick Mathewson <nickm at torproject.org> wrote:

> 4.3. Separate bridge-guards and client-guards
>
>    In the design above, I specify that bridges should use the same
>    guard nodes for extending client circuits as they use for their own
>    circuits.  It's not immediately clear whether this is a good idea
>    or not.  Having separate sets would seem to make the two kinds of
>    circuits more easily distinguishable (even though we already assume
>    they are distinguishable).  Having different sets of guards would
>    also seem like a way to keep the nodes who guard our own traffic
>    from learning that we're a bridge... but another set of nodes will
>    learn that anyway, so it's not clear what we'd gain.

Any attacker who can extend circuits through a bridge can enumerate
the set of guard nodes which it routes its clients' circuits through.
A malicious middle relay can easily determine the set of entry guards
used by a hidden service, and over time, can determine the set of
entry guards used by a user with a long-term pseudonym.  If a bridge
uses the same set of entry guards for its clients' circuits as it does
for its own, users who operate bridges can be deanonymized quite
trivially.


Robert Ransom

