Anonymity through decentralization (was Re: Ultimate solution)
Roger Dingledine
arma at mit.edu
Mon Mar 26 19:46:14 UTC 2007
On Sun, Mar 25, 2007 at 09:57:20AM -0600, Arrakis wrote:
> 2) Torpark is not commercial, it is totally free and open source. We
> simply offer an upgrade to get higher speeds than the tor network can
> provide.
>
> 3) The fact that trust isn't distributed is a positive, not a
> negative, because you don't have to trust everyone with your outgoing
> plaintext traffic. We have independent security auditors make sure our
> admins are not tracking anyone or doing anything malicious.
I'm leaving the licensing discussion alone for now, but I wanted to
respond to this technical point. Tor's security [1] comes from two
components. The first is its large and diverse user base -- as the user
base expands, the mere use of Tor doesn't narrow you down to a specific
user community or specific few people who are known to have fetched the
program [2]. The second is the diversity of the relays -- as the Tor
network expands, fewer adversaries are able to be in enough places on
the network to succeed at linking senders to recipients.
Now, it's still an open research question what metrics we should use
for these components (that is, how exactly we measure the security we
get from them), but my intuition is that after a certain point the first
component doesn't contribute much more to security -- meaning in Tor's
current state, its security grows primarily as the network grows.
And remember that by "being in enough places", I mean being in a position
to watch (or otherwise measure [3]) the traffic; the best attacks we know
right now only look at characteristics of the traffic flow [4], because
any sort of coordinated compromise of many relays is probably harder.
I'm not saying Tor's design is perfect. We are still grappling with
Sybil attack questions, and as you say we need to encourage our users to
employ end-to-end encryption and authentication when appropriate. And
we're still not happy that a widely dispersed attacker can probably do
very well against Tor.
But a central organization that administers all the relays, even if it
puts them in different places geographically, and even if it promises to
do perfect audits and employ only perfect people, aims for a fundamentally
different sort of security than Tor aims to provide. The traffic analysis
attacks above are still just as much of a concern, but insider attacks and
other attacks on/by the organization are now a significant question too.
You can launch a new single-hop proxy service, commercial or not,
proprietary or not. You can also launch a multi-hop service where you
control every hop. And the license of the Tor software lets you use it
if you find it useful for your purposes. But please don't deceive your
users by changing the security context and then encouraging them to think
that just because the Tor software is present somewhere in the picture,
they are benefitting from the type of security that Tor aims to provide.
--Roger
[1] By "security", I'm talking primarily about unlinkability here;
but that's a different thread.
[2] http://freehaven.net/anonbib/#usability:weis2006
[3] http://freehaven.net/anonbib/#torta05
[4] http://freehaven.net/anonbib/#danezis:pet2004
More information about the tor-talk
mailing list