Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
Andrew Lewman
andrew at torproject.org
Thu May 20 14:44:44 UTC 2010
On Thursday May 20 2010 09:39:00 Flamsmark wrote:
> On 20 May 2010 07:44, <andrew at torproject.org> wrote:
> > If Mallory lists Alice
> > and Bob, but neither Alice nor Bob list Mallory, it's not a valid
> > Family. Otherwise, Mallory could list every node in the network and
> > screw everyone.
>
> Why would this screw everyone?
If only one side could declare a valid family that clients honored, you can
control the paths clients choose. Eventually, some large percent of the
network will find your declaration and be unable to build paths because they
are all in the one-sided MyFamily declaration. Or, worse off, you run three
nodes, let's call them TheMan0, TheMan1, and TheMan2. All three nodes list
every other node in the network, except your three TheMan# nodes. Now as
clients find your MyFamily declaration, they can only build paths through
TheMan0, TheMan1, and TheMan2. Now you've won.
This is one reason why the MyFamily declaration has to be the same on both
sides in order for clients to honor it. Tor clients do not trust the Tor
network by design. There are flaws in the MyFamily scheme, as we're seeing
with perfect-privacy. It's a pain in the ass if you run a lot of nodes, so
you just don't bother. It also assumes an honest relay operator will list all
of all the nodes that should be in a MyFamily declaration.
Right now, Tor won't use any relays in a circuit in the same /16 network to
try to address "network closeness" of relays. We saw it was plausible that
someone can start up a bunch of relays in the same datacenter in the same
netblock and start to see a lot of circuits within that netblock. You can
disable this behavior by setting EnforceDistinctSubnets to 0.
It is an open and active area of research as to the degree of anonymity
(increase or decrease) one receives as you develop trusted paths through the
network (pick your own path), or Autonomous System aware paths, or country
level aware paths, etc.
--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
More information about the tor-talk
mailing list