[tor-talk] Question for those who say "Tor is pwned"
Paul Syverson
paul.syverson at nrl.navy.mil
Tue Jun 21 16:48:38 UTC 2016
On Tue, Jun 21, 2016 at 01:28:12PM +0200, Aymeric Vitte wrote:
>
>
> Le 21/06/2016 à 06:19, Paul Syverson a écrit :
> > We published a design in 2010 that essentially turns a
> > solution against a passive adversary into a solution against an active
> > adversary. It had some nice theoretical properties, but I don't think
> > it was practical. These haven't been ruled out. There is ongoing
> > research, but so far none of it has looked adequately useful in practice.
>
> Probably you are referring to the paper mentioned in
> https://lists.torproject.org/pipermail/tor-talk/2016-June/041192.html
> which indeed as I commented does not look realistic to implement, then I
> suppose that the answer to my question is no
Yes that paper. Not sure what the question is.
>
> > I think there are some things we maybe could do with mixing and
> > synchronization to raise the bar at least a little against a _passive_
> > adversary. I have told many researchers my thoughts about this, but so
> > far nobody has taken it up that I know of. I would like to look into
> > it myself, but I already have a many-years backlog of more important
> > (more likely to make a real difference IMO) research questions to
> > answer.
>
> Would be interested to know what are those thoughts (on or off the list)
> and/or get possible links to them
Well there's things like alpha-mixing (better tau-mixing) as that
could be used to blend and improve security for traffic of different
sensitivity levels _if_ it can adequately avoid leaking how
paranoid/sensitive different traffic is. Various proposals following on
those lines have been floated, but this needs a lot more analysis to
see how/if it would make sense.
Another thought I've raised to a bunch of people for at least 2-3
years is the idea of semi-synchronous building of Tor circuits. Since
most circuits are built pre-emptively it should be relatively easy to
implement and shouldn't cost much in overhead if all relays, e.g.,
batched and fulfilled all extension requests they received in the last
say 2 seconds, effectively timed mixing of circuit building
cells. This might make it hard for a widescale passive network
observer to trivially identify circuits simply from the building (as
Bauer et al. first explored at WPES 2007). They would then have to go
into the relayed traffic.
Questions include, how much extra work does this really create for the
adversary? (It doesn't appear to have much overhead, but if it has
even less useful effect, it's not worth it.) What to do when circuits
are not available (Do you just say screw the delay for those, or bite
that bullet which implies driving a nontrivial fraction of users to
less secure options)? How often _are_ circuits not available
pre-meptively? Does this somehow disproportionally affect a
particularly sensitive class of traffic? I'm assuming you don't want
to actually synchronize relays here as I could imagine all kinds of
weird congestion effects. Even if you don't one should do lots of
Shadow experiments or some such (after the prior questions make it
seem worth doing them) to make sure these effects aren't induced
anyway...
aloha,
Paul
More information about the tor-talk
mailing list