[tor-talk] Default clients to be non-exit relay LibTech x
Roger Dingledine
arma at mit.edu
Wed Aug 28 20:01:01 UTC 2013
On Wed, Aug 28, 2013 at 12:41:58PM -0700, Percy Alpha wrote:
> > Every client has to download the full list of relays ("consensus")
> > periodically. In areas with little connectivity, this already puts a
> > high burden on clients.
> Griffin pointed out Tor could download only a portion of relays.
Done naively, this is a poor idea: if you fetch only a subset of
relays, and the adversary can learn or guess which subset you have,
then partitioning attacks can significantly degrade your anonymity. For
example, a middle relay sees the first and third relays, and then asks
itself which users have those three relays in their subset.
See http://freehaven.net/anonbib/#danezis-pet2008 plus the papers it
cites for details.
There are two plausible approaches to fetching a subset of the network
when it gets too big for every client to fetch all of it:
A) Use a DHT-like design to anonymize which relays you're learning about.
For background there, see
and this line of papers sort of ran out of steam without producing a
crisp simple non-flawed design.
B) Fetch your subset anonymously through PIR:
I'm inclined to prefer 'B', because it seems simpler, but maybe that's
only because nobody has fleshed out the actual engineering part of how
we'd deploy it.
> Now when I manually choose serve as a relay, Tor automatically determines
> my bandwidth option(>1.5M). Tor can default to relay for large bandwidth
> users only.
You might like proposal 175:
Now all we need is somebody to do it.
Also, be sure to read
In particular point 3 (more relays equals more sockets used on each relay)
and point 4 (there are anonymity attacks that get much easier when the
list of users is known). Especially point 4.
More information about the tor-talk
mailing list