not all tor use is abusive

svn:r3596
This commit is contained in:
Roger Dingledine 2005-02-09 07:31:06 +00:00
parent 90e1f58bc6
commit 10b6f18f30

View File

@ -265,28 +265,15 @@ responder destinations (say, websites with consistent data volumes) may not
need to need to
observe both ends of a stream to learn source-destination links for those observe both ends of a stream to learn source-destination links for those
responders. responders.
%However, it is still essentially confirming
%suspected communicants where the responder suspects are ``stored'' rather
%than observed at the same time as the client.
Similarly, latencies of going through various routes can be Similarly, latencies of going through various routes can be
cataloged~\cite{back01} to connect endpoints. cataloged~\cite{back01} to connect endpoints.
% XXX hintz-pet02 just looked at data volumes of the sites. this % Also, \cite{kesdogan:pet2002} takes the
% doesn't require much variability or storage. I think it works
% quite well actually. Also, \cite{kesdogan:pet2002} takes the
% attack another level further, to narrow down where you could be % attack another level further, to narrow down where you could be
% based on an intersection attack on subpages in a website. -RD % based on an intersection attack on subpages in a website. -RD
%
% I was trying to be terse and simultaneously referring to both the
% Hintz stuff and the Back et al. stuff from Info Hiding 01. I've
% separated the two and added the references. -PFS
It has not yet been shown whether these attacks will succeed or fail It has not yet been shown whether these attacks will succeed or fail
in the presence of the variability and volume quantization introduced by the in the presence of the variability and volume quantization introduced by the
Tor network, but it seems likely that these factors will at best delay Tor network, but it seems likely that these factors will at best delay
rather than halt the attacks in the cases where they succeed. rather than halt the attacks in the cases where they succeed.
%likely to entail high variability and massive storage since
%routes through the network to each site will be random even if they
%have relatively unique latency characteristics. So this does not seem
%an immediate practical threat.
Along similar lines, the same paper suggests a ``clogging Along similar lines, the same paper suggests a ``clogging
attack.'' Murdoch and Danezis~\cite{attack-tor-oak05} show a practical attack.'' Murdoch and Danezis~\cite{attack-tor-oak05} show a practical
clogging attack against portions of clogging attack against portions of
@ -310,9 +297,6 @@ help counter these attacks.
% not? -nm % not? -nm
% Sure. In fact, better off, since they seem to scale more easily. -rd % Sure. In fact, better off, since they seem to scale more easily. -rd
% XXXX the below paragraph should probably move later, and merge with
% other discussions of attack-tor-oak5.
%Murdoch and Danezis describe an attack %Murdoch and Danezis describe an attack
%\cite{attack-tor-oak05} that lets an attacker determine the nodes used %\cite{attack-tor-oak05} that lets an attacker determine the nodes used
%in a circuit; yet s/he cannot identify the initiator or responder, %in a circuit; yet s/he cannot identify the initiator or responder,
@ -433,7 +417,6 @@ Many of the issues the Tor project needs to address extend beyond
system design and technology development. In particular, the system design and technology development. In particular, the
Tor project's \emph{image} with respect to its users and the rest of Tor project's \emph{image} with respect to its users and the rest of
the Internet impacts the security it can provide. the Internet impacts the security it can provide.
% No image, no sustainability -NM
With this image issue in mind, this section discusses the Tor user base and With this image issue in mind, this section discusses the Tor user base and
Tor's interaction with other services on the Internet. Tor's interaction with other services on the Internet.
@ -476,9 +459,7 @@ But for low-latency systems like Tor, end-to-end \emph{traffic
correlation} attacks~\cite{danezis-pet2004,defensive-dropping,SS03} correlation} attacks~\cite{danezis-pet2004,defensive-dropping,SS03}
allow an attacker who can observe both ends of a communication allow an attacker who can observe both ends of a communication
to correlate packet timing and volume, quickly linking to correlate packet timing and volume, quickly linking
the initiator to her destination. % This is why Tor's threat model is the initiator to her destination.
%based on preventing the adversary from observing both the initiator and
%the responder.
Like Tor, the current JAP implementation does not pad connections Like Tor, the current JAP implementation does not pad connections
apart from using small fixed-size cells for transport. In fact, apart from using small fixed-size cells for transport. In fact,
@ -700,7 +681,7 @@ file-sharing protocols that have separate control and data channels.
\label{subsec:tor-and-blacklists} \label{subsec:tor-and-blacklists}
It was long expected that, alongside legitimate users, Tor would also It was long expected that, alongside legitimate users, Tor would also
attract troublemakers who exploited Tor in order to abuse services on the attract troublemakers who exploit Tor to abuse services on the
Internet with vandalism, rude mail, and so on. Internet with vandalism, rude mail, and so on.
Our initial answer to this situation was to use ``exit policies'' Our initial answer to this situation was to use ``exit policies''
to allow individual Tor nodes to block access to specific IP/port ranges. to allow individual Tor nodes to block access to specific IP/port ranges.
@ -709,12 +690,12 @@ them to prevent their nodes from being used for abusing particular
services. For example, all Tor nodes currently block SMTP (port 25), services. For example, all Tor nodes currently block SMTP (port 25),
to avoid being used for spam. to avoid being used for spam.
Exit policies are useful, but are insufficient for two reasons. First, since Exit policies are useful, but they are insufficient: if not all nodes
it is not possible to force all nodes to block access to any given service, block a given service, that service may try to block Tor instead.
many of those services try to block Tor instead. More broadly, while being While being blockable is important to being good netizens, we would like
blockable is important to being good netizens, we would like to encourage to encourage services to allow anonymous access. Services should not
services to allow anonymous access. Services should not need to decide need to decide between blocking legitimate anonymous use and allowing
between blocking legitimate anonymous use and allowing unlimited abuse. unlimited abuse.
This is potentially a bigger problem than it may appear. This is potentially a bigger problem than it may appear.
On the one hand, services should be allowed to refuse connections from On the one hand, services should be allowed to refuse connections from
@ -738,7 +719,7 @@ every class C network that contains a Tor node, and recommends banning SMTP
from these networks even though Tor does not allow SMTP at all. This from these networks even though Tor does not allow SMTP at all. This
strategic decision aims to discourage the strategic decision aims to discourage the
operation of anything resembling an open proxy by encouraging its neighbors operation of anything resembling an open proxy by encouraging its neighbors
to shut it down in order to get unblocked themselves. This pressure even to shut it down to get unblocked themselves. This pressure even
affects Tor nodes running in middleman mode (disallowing all exits) when affects Tor nodes running in middleman mode (disallowing all exits) when
those nodes are blacklisted too. those nodes are blacklisted too.
@ -754,10 +735,10 @@ tolerably well for them in practice.
But of course, we would prefer that legitimate anonymous users be able to But of course, we would prefer that legitimate anonymous users be able to
access abuse-prone services. One conceivable approach would be to require access abuse-prone services. One conceivable approach would be to require
would-be IRC users, for instance, to register accounts if they wanted to would-be IRC users, for instance, to register accounts if they want to
access the IRC network from Tor. In practice this would not access the IRC network from Tor. In practice this would not
significantly impede abuse if creating new accounts were easily automatable; significantly impede abuse if creating new accounts were easily automatable;
this is why services use IP blocking. In order to deter abuse, pseudonymous this is why services use IP blocking. To deter abuse, pseudonymous
identities need to require a significant switching cost in resources or human identities need to require a significant switching cost in resources or human
time. Some popular webmail applications time. Some popular webmail applications
impose cost with Reverse Turing Tests, but these may not be costly enough to impose cost with Reverse Turing Tests, but these may not be costly enough to
@ -765,25 +746,13 @@ deter abusers. Freedom used blind signatures to limit
the number of pseudonyms for each paying account, but Tor has neither the the number of pseudonyms for each paying account, but Tor has neither the
ability nor the desire to collect payment. ability nor the desire to collect payment.
%One approach, similar to that taken by Freedom, would be to bootstrap some We stress that as far as we can tell, most Tor uses so far are not
%non-anonymous costly identification mechanism to allow access to a abusive. Most services have not complained, and others are actively
%blind-signature pseudonym protocol. This would effectively create costly working to find ways besides banning to cope with the abuse. For example,
%pseudonyms, which services could require in order to allow anonymous access. the Freenode IRC network had a problem with a coordinated group of
%This approach has difficulties in practice, however: abusers joining channels and subtly taking over the conversation; but
%\begin{tightlist} when they labelled all users coming from Tor IPs as ``anonymous users,''
%\item Unlike Freedom, Tor is not a commercial service. Therefore, it would removing the ability of the abusers to blend in, the abuse stopped.
% be a shame to require payment in order to make Tor useful, or to make
% non-paying users second-class citizens.
%\item It is hard to think of an underlying resource that would actually work.
% We could use IP addresses, but that's the problem, isn't it?
%\item Managing single sign-on services is not considered a well-solved
% problem in practice. If Microsoft can't get universal acceptance for
% Passport, why do we think that a Tor-specific solution would do any good?
%\item Even if we came up with a perfect authentication system for our needs,
% there's no guarantee that any service would actually start using it. It
% would require a nonzero effort for them to support it, and it might just
% be less hassle for them to block tor anyway.
%\end{tightlist}
%The use of squishy IP-based ``authentication'' and ``authorization'' %The use of squishy IP-based ``authentication'' and ``authorization''
%has not broken down even to the level that SSNs used for these %has not broken down even to the level that SSNs used for these
@ -873,7 +842,7 @@ themselves before handing an IP address to Tor, which advertises
where the user is about to connect. where the user is about to connect.
We are still working on more usable solutions. We are still working on more usable solutions.
%So in order to actually provide good anonymity, we need to make sure that %So to actually provide good anonymity, we need to make sure that
%users have a practical way to use Tor anonymously. Possibilities include %users have a practical way to use Tor anonymously. Possibilities include
%writing wrappers for applications to anonymize them automatically; improving %writing wrappers for applications to anonymize them automatically; improving
%the applications' support for SOCKS; writing libraries to help application %the applications' support for SOCKS; writing libraries to help application
@ -1163,7 +1132,7 @@ help address censorship; we wish them success.
Tor is running today with hundreds of nodes and tens of thousands of Tor is running today with hundreds of nodes and tens of thousands of
users, but it will certainly not scale to millions. users, but it will certainly not scale to millions.
Scaling Tor involves four main challenges. First, in order to get a Scaling Tor involves four main challenges. First, to get a
large set of nodes in the first place, we must address incentives for large set of nodes in the first place, we must address incentives for
users to carry traffic for others. Next is safe node discovery, both users to carry traffic for others. Next is safe node discovery, both
while bootstrapping (how does a Tor client robustly find an initial while bootstrapping (how does a Tor client robustly find an initial
@ -1237,8 +1206,9 @@ service it receives from adjacent nodes, and provide service relative
to the received service, but (2) when a node is making decisions that to the received service, but (2) when a node is making decisions that
affect its own security (such as building a circuit for its own affect its own security (such as building a circuit for its own
application connections), it should choose evenly from a sufficiently application connections), it should choose evenly from a sufficiently
large set of nodes that meet some minimum service threshold large set of nodes that meet some minimum service
\cite{casc-rep}. This approach allows us to discourage bad service threshold~\cite{casc-rep}. This approach allows us to discourage
bad service
without opening Alice up as much to attacks. All of this requires without opening Alice up as much to attacks. All of this requires
further study. further study.
@ -1254,13 +1224,13 @@ of their locations, keys, and capabilities to each of several well-known {\it
of all known Tor nodes (a ``directory''), and a signed statement of which of all known Tor nodes (a ``directory''), and a signed statement of which
nodes they nodes they
believed to be operational at any given time (a ``network status''). Clients believed to be operational at any given time (a ``network status''). Clients
periodically downloaded a directory in order to learn the latest nodes and periodically downloaded a directory to learn the latest nodes and
keys, and more frequently downloaded a network status to learn which nodes were keys, and more frequently downloaded a network status to learn which nodes were
likely to be running. Tor nodes also operate as directory caches, in order to likely to be running. Tor nodes also operate as directory caches, to
lighten the bandwidth on the authoritative directory servers. lighten the bandwidth on the authoritative directory servers.
In order to prevent Sybil attacks (wherein an adversary signs up many In order to prevent Sybil attacks (wherein an adversary signs up many
purportedly independent nodes in order to increase her chances of observing purportedly independent nodes to increase her chances of observing
a stream as it enters and leaves the network), the early Tor directory design a stream as it enters and leaves the network), the early Tor directory design
required the operators of the authoritative directory servers to manually required the operators of the authoritative directory servers to manually
approve new nodes. Unapproved nodes were included in the directory, approve new nodes. Unapproved nodes were included in the directory,
@ -1291,7 +1261,7 @@ move forward. They include:
We could try to move the system in several directions, depending on our We could try to move the system in several directions, depending on our
choice of threat model and requirements. If we did not need to increase choice of threat model and requirements. If we did not need to increase
network capacity in order to support more users, we could simply network capacity to support more users, we could simply
adopt even stricter validation requirements, and reduce the number of adopt even stricter validation requirements, and reduce the number of
nodes in the network to a trusted minimum. nodes in the network to a trusted minimum.
But, we can only do that if can simultaneously make node capacity But, we can only do that if can simultaneously make node capacity
@ -1367,24 +1337,21 @@ reveal the path taken by large traffic flows under low-usage circumstances.
\subsection{Non-clique topologies} \subsection{Non-clique topologies}
Tor's comparatively weak threat model may actually make scaling easier than Tor's comparatively weak threat model may allow easier scaling than
in other mix net other mix-net
designs. High-latency mix networks need to avoid partitioning attacks, where designs. High-latency mix networks need to avoid partitioning attacks, where
network splits allow an attacker to distinguish users based on which network splits let an attacker distinguish users in different partitions.
partitions they use. Since Tor assumes the adversary cannot cheaply observe nodes at will,
In Tor, however, we assume that the adversary cannot a network split may not decrease protection much.
cheaply observe nodes at will, so even if the network splits, the Thus, one option when the scale of a Tor network
users do not necessarily receive much less protection. exceeds some size is simply to split it. Nodes could be allocated into
Thus, a simple possibility when the scale of a Tor network partitions while hampering collobrating hostile nodes from taking over
exceeds some size is to simply split it. Care could be taken in a single partition~\cite{casc-rep}.
allocating which nodes go to which network along the lines of Clients could switch between
\cite{casc-rep} to insure that collaborating hostile nodes do not networks, even on a per-circuit basis. Future analysis may uncover
gain any advantage that they do not other dangers beyond those affecting mix-nets.
already have in the original network. Clients could switch between
networks, and switch between them on a per-circuit basis. More analysis is
needed to tell if there are other dangers beyond those effecting mix nets.
More conservatively, we can try to scale a single Tor network. One potential More conservatively, we can try to scale a single Tor network. Potential
problems with adding more servers to a single Tor network include an problems with adding more servers to a single Tor network include an
explosion in the number of sockets needed on each server as more servers explosion in the number of sockets needed on each server as more servers
join, and an increase in coordination overhead as keeping everyone's view of join, and an increase in coordination overhead as keeping everyone's view of
@ -1426,7 +1393,7 @@ There are many open questions: how to distribute directory information
(presumably information about the center nodes could (presumably information about the center nodes could
be given to any new nodes with their codebase), whether center nodes be given to any new nodes with their codebase), whether center nodes
will need to function as a `backbone', and so one. As above, will need to function as a `backbone', and so one. As above,
this could create problems for the expected anonymity for a mixnet, this could create problems for the expected anonymity for a mix-net,
but for a low-latency network where anonymity derives largely from but for a low-latency network where anonymity derives largely from
the edges, it may be feasible. the edges, it may be feasible.