The Case for Banning Reduced Hop Count Implementations
Gregory Maxwell
gmaxwell at gmail.com
Mon Nov 23 16:25:55 UTC 2009
On Mon, Nov 23, 2009 at 10:05 AM, Paul Syverson
<syverson at itd.nrl.navy.mil> wrote:
[snip]
> So, reducing the number of hops means that exit nodes have
> significantly more information about connection origins. Reducing hops
> to one means that they know everything about the origin of a
> connection (up to the IP address from which the connection entered the
> Tor network, which is all that Tor is designed to hide.) That makes
> their deniability of what they know about traffic exiting through them
> no longer plausible (because, well now it will be false). That any of
[snip]
Reduction to one is obviously quite terrible. The reason I trimmed off
Lucky's message was that I thought it was just making an argument against
one-hop as endangering operators which I previously agreed with and had
argued here myself.
Thank you for taking the time to elaborate on the two-hop case.
I hadn't previously considered the entry node as valuable data worth hiding
from the exit node, but now that you point it out I find it to be a
convincing argument.
I'm not confident how real the capacity consumption concerns are, or that
they couldn't be addressed by some other means (if you have some blinded
method of determining the minimum path length, then you could use it to
prioritize longer path traffic by an amount sufficient to prevent it from
being outcompeted too greatly).
I find it quite disappointing that two-hop isn't a reasonable measure to
improve performance for some users. As I've argued elsewhere I think it's
important that TOR carry a significant amount of perfectly ordinary traffic
both to provide cover traffic, and to ensure that there is sufficient public
support, as it's a lot easier to turn a blind eye on a service you haven't
used personally…
To make the point more forcefully:
On Mon, Nov 23, 2009 at 12:29 AM, Lucky Green <shamrock at cypherpunks.to> wrote:
[snip]
> Many of those that would be satisfied with fewer hops engage in
> comparatively low risk behavior (which is why they are satisfied with
> lower anonymity), such as downloading large files of questionable
> origin.
[snip]
> Users with lower anonymity needs should be guided towards
> the many other systems available today that provide lower anonymity than
> Tor.
I'll assume here that 'questionable origin' is primarily talking about the
people illicitly downloading movies and the like.
I find it interesting to see the file transfer case as "comparatively low
risk behavior". The reason people have used Tor for this in significant
numbers is that their activity is very likely to result in legal threats and
disconnection from their ISP, as those consequences have become common. This
isn't a speculative risk these people face, it's a real one, certainly more
real than any that I've personally had for using Tor.
(You don't have to even support the illegal propagation of copyrighted works
to support people engaging in downloading— for example, someone might
download an album to recover material on a damaged CD, or they might be
recovering a track they purchased but has been made available to them after
the closure of a DRM key provider, and these use cases are no less likely to
bring a lawsuit than the people who are downloading copyrighted works for
which they have not been licensed.)
Of course there are people with greater anonymity needs than the file
downloaders, but if you are prepared to classify someone merely at risk of a
costly lawsuit and disconnection from their ISP as someone who is
insufficiently worthy and guide them and all the others with even lower
needs to another service, then would TOR even come close to the level of
cover traffic required to provide anonymity to those more strongly in need?
[The file downloading on Tor isn't a good thing: it's not good because Tor
isn't the best design for bulk transfers where latency isn't relevant...
some other design could handle them better (and probably provide greater
anonymity at the same time). The copyright-violating download case also has
the problem that it doesn't eliminate risks, it merely shifts them to the
exit operators. (Because the copyright holders are perfectly happy to take
the same actions against the exit operators, and many ISPs are perfectly
happy to harass them)... but these are separate matters that have little to
do with circuit length or the reality of the users' desire for
anonymization]