[tor-talk] Illegal Activity As A Metric of Tor Security and Anonymity

Paul Syverson paul.syverson at nrl.navy.mil
Wed Jul 2 10:34:06 UTC 2014


On Tue, Jul 01, 2014 at 10:06:38PM +0100, Mark McCarron wrote:
> Paul,
> 
> Paul,
> 
> What you are seeking a full design for a distributed Web Hosting
> platform within Tor.  Let's see...

Well even a sketch (which you begin to provide below) would be more
helpful to be able to comment on whether you actually have practical
security improvements in mind than was simply claiming that others could
obviously do better and just chose not to do so.

I also wasn't specifically talking about hosting web pages. This
thread has meandered a bit, but I was responding to the repeated
claims that it was obvious how we could have designed our systems to
be more secure by asking how, because it was not at all obvious to me.

> 
> We can use the existing mechanisms for hidden services, but rather than directing packets to/from a externally hosted site, we direct the packets internally within onion land.  On an initial page request, packets are directed to a random node on Tor network to find the first portion of the page.  That node then selects another random node to deliver the next portion.  This process repeats until all content is delivered to the client.
> 
> There are are a number of important elements in this design:  
> 
> 1.  "Page/Content/Media portions" can be migrated anywhere in the network randomly.  This is an automated system.  
> 2.  The network forgets content/media not access for a long time.
> 3.  Migrations should look no different than regular connections
> 4.  There is no way to query the location of "Page/Content/Media portions" (that is internal to the network)
> 5.  No optimisation should be made for geographic delivery
> 6.  Uploads are shredded and delivered to different nodes (network migrates them)
> 7.  All data is encrypted before upload. (route through decryption nodes when properly accessed as a .onion address)
> 8.  Encryption keys are regularly changed
> 9.  Multiple copies of each site improving availability.
> 10.  Using hashes, remove duplicates of pages/content/media (instead share the same resource as a link/reference)
> 
> That would be the basics of it.  It needs fully fleshed out but to
> the end user it would be a CPanel like interface and a standard
> website with DB support.

It sounds like you are describing a censorship resistant publishing
scheme for (relatively) static content like Freehaven or the Eternity
Service (minus the forgetting in 2. which is more like Vanish or the
Infernity Service---which I think I only ever wrote up partially in
some mailing list comment somewhere 15 years or so ago). 

It's hard to comment without more details about intended goals,
adversary model etc. But what you are describing is a very limited subset
of the way many hidden services are used now.  People use HS for private
chatrooms, for maintenance access to their firewalled systems, to
manage the damage caused to an operation when insiders are compromised
because they only over get access to the hidden service part, not
to mention things like Strongbox and similar systems. 

My point is simply that this could not serve as a drop-in replacement
for hidden services as they are currently used to protect people and
their activities (assuming I get the gist from this initial
description).  That might be OK. You might be starting to describe
something useful.  But useful how, and in what context, and with what
security would need spelling out in much more detail.

> 
> I'll see about expanding on this.

Looking forward to it. Please keep in mind that much of the time when
we get good ideas, someone has already not only had similar ones but
written them up, possibly implemented them, possibly deployed them,
possibly published them in peer-reviewed venues, etc. So please as
much as possible explain how what you offer is an improvement over
existing designs described e.g. in papers in the anonbib.

aloha,
Paul

> 
> Regards,
> 
> Mark McCarron
> 
> > Date: Tue, 1 Jul 2014 16:00:59 -0400
> > From: paul.syverson at nrl.navy.mil
> > To: tor-talk at lists.torproject.org
> > Subject: Re: [tor-talk] Illegal Activity As A Metric of Tor Security and Anonymity
> > 
> > On Tue, Jul 01, 2014 at 08:31:00PM +0100, Mark McCarron wrote:
> > > Paul,
> > > 
> > [snip]
> > > Eliminating this correlation attack is trivial.  
> > 
> > So you keep saying. Everybody who has worked on this who has responded
> > has said that they don't know how and that they find this a hard
> > problem. But your response is simply to keep repeating that it is
> > trivial to eliminate without telling us how.
> > 
> > > The attack is dependent on having visibility at both ends.  One at
> > > the users end (perhaps ISP) and one near the hidden service (perhaps
> > > exchange).  It doesn't take much to match these two together (like
> > > multiple nations sharing intelligence data).  One simple attack is
> > > just to flood the hidden service with connections and note where
> > > traffic spikes.
> > > 
> > > So, the simple solution is to distribute hidden services within Tor,
> > > so that class of attack will fail.  There are no servers in a data
> > > center to expose because it is everywhere and no one can tell, just
> > > by examining the flow of encrypted packets, who was looking at what.
> > 
> > Lots of smart people have thought about hidden service design. E.g.,
> > Karsten did his dissertation on it and earlier guard nodes were
> > introduced to Tor based on Lasse and my illustration of how easy
> > attacks were on hidden services without guards. Our original design of
> > hidden services in Tor harks back to notions of rendezvous services in
> > earlier NRL onion routing work and earlier work by Ian Goldberg, I
> > think in _his_ dissertation if memory serves.  That HS design
> > languished at times while other aspects of Tor were more urgently
> > worked on and that they could use more attention has been
> > acknowledged, and it is getting some. It could use still more and will
> > hopefully be getting it soon.
> > 
> > You may be way smarter than all of these people, but so smart that we
> > can't infer how your simple solution works from these two sentence
> > descriptions. As a kneejerk thought based on just even this brief
> > description: a malicious active client is a trivial adversary to
> > create. It can induce whatever signature it wants on its flow to the
> > HS and can actively affect flows from the HS. What keeps the Tor relay
> > adjacent to the HS or the ISP at the HS or between it and the adjacent
> > relay from recognizing timing signals from malicious clients?
> > For that matter, I don't understand why the system you mention would
> > not be vulnerable to the attack you mention to motivate it.
> > 
> >  
> > > 
> > > Now, I know there are a wide range of additional methods to expose
> > > users and the majority are beyond your direct control, but this type
> > > of attack is something within your control.
> > 
> > Please illustrate how. Please give a design sketch with at least
> > enough details and at a simple enough level of description that even
> > the world's top hidden service design and analysis researchers can
> > understand it since they keep telling you they don't understand these
> > trivial fixes you keep mentioning.
> > 
> > [snip]
> > 
> > aloha,
> > Paul
> > -- 
> > tor-talk mailing list - tor-talk at lists.torproject.org
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>  		 	   		  
> -- 
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


More information about the tor-talk mailing list