Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)

Andrew Lewman andrew at torproject.org
Thu May 20 14:44:44 UTC 2010


On Thursday May 20 2010 09:39:00 Flamsmark wrote:
> On 20 May 2010 07:44, <andrew at torproject.org> wrote:
> > If Mallory lists Alice
> > and Bob, but neither Alice nor Bob list Mallory, it's not a valid
> > Family.  Otherwise, Mallory could list every node in the network and
> > screw everyone.
> 
> Why would this screw everyone?

If only one side could declare a valid family that clients honored, you can 
control the paths clients choose. Eventually, some large percent of the 
network will find your declaration and be unable to build paths because they 
are all in the one-sided MyFamily declaration.  Or, worse off, you run three 
nodes, let's call them TheMan0, TheMan1, and TheMan2.  All three nodes list 
every other node in the network, except your three TheMan# nodes.  Now as 
clients find your MyFamily declaration, they can only build paths through 
TheMan0, TheMan1, and TheMan2.  Now you've won.

This is one reason why the MyFamily declaration has to be the same on both 
sides in order for clients to honor it.  Tor clients do not trust the Tor 
network by design.  There are flaws in the MyFamily scheme, as we're seeing 
with perfect-privacy.  It's a pain in the ass if you run a lot of nodes, so 
you just don't bother.  It also assumes an honest relay operator will list all 
of the nodes that should be in a MyFamily declaration.

Right now, Tor won't use any relays in a circuit in the same /16 network to 
try to address "network closeness" of relays.  We saw it was plausible that 
someone can start up a bunch of relays in the same datacenter in the same 
netblock and start to see a lot of circuits within that netblock.  You can 
disable this behavior by setting EnforceDistinctSubnets to 0.

It is an open and active area of research as to the degree of anonymity 
(increase or decrease) one receives as you develop trusted paths through the 
network (pick your own path), or Autonomous System aware paths, or country 
level aware paths, etc.  

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
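
An added example, not part of the original message and not Tor's own code: a simplified Python model of the path constraints described above, comparing the mutual MyFamily rule with a hypothetical one-sided rule in the TheMan0 to TheMan2 scenario. The relay addresses, the other relay names and all function names are assumptions made for illustration; `distinct_subnets` stands in for EnforceDistinctSubnets.

```python
import ipaddress
from itertools import combinations, permutations

# Constructed relays: name -> (IPv4 address, names listed in its MyFamily line).
# The TheMan# names are from the message; every address and other name is made up.
HONEST = {"Alice", "Bob", "Carol", "Dave"}
RELAYS = {
    "Alice": ("192.0.2.10", set()),
    "Bob": ("198.51.100.20", {"Carol"}),   # Bob and Carol list each other
    "Carol": ("203.0.113.30", {"Bob"}),
    "Dave": ("198.51.100.77", set()),      # same /16 as Bob
    "TheMan0": ("10.1.0.1", set(HONEST)),  # one-sided: lists everyone but TheMan#
    "TheMan1": ("10.2.0.1", set(HONEST)),
    "TheMan2": ("10.3.0.1", set(HONEST)),
}


def same_family(a, b, mutual=True):
    if mutual:
        # Rule described in the message: both sides must list each other.
        return b in RELAYS[a][1] and a in RELAYS[b][1]
    # Hypothetical one-sided rule: any declared set (plus its owner) is a family.
    return any({a, b} <= listed | {owner} for owner, (_, listed) in RELAYS.items())


def same_slash16(a, b):
    def net(name):
        return ipaddress.ip_network(RELAYS[name][0] + "/16", strict=False)
    return net(a) == net(b)


def allowed_paths(mutual=True, distinct_subnets=True, hops=3):
    """Ordered relay paths in which no two hops share a family or a /16."""
    paths = []
    for path in permutations(sorted(RELAYS), hops):
        pairs = list(combinations(path, 2))
        if any(same_family(x, y, mutual) for x, y in pairs):
            continue
        if distinct_subnets and any(same_slash16(x, y) for x, y in pairs):
            continue
        paths.append(path)
    return paths


if __name__ == "__main__":
    for mutual in (False, True):
        paths = allowed_paths(mutual=mutual)
        used = sorted({relay for path in paths for relay in path})
        print("mutual" if mutual else "one-sided", len(paths), "paths via", used)
```

Under the one-sided rule the only surviving paths run through the three TheMan# relays; under the mutual rule their declarations are ignored, and only the Bob/Carol family and the shared /16 of Bob and Dave restrict path selection.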