nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-13 06:33:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

clean up section 2, add back reputability subsec.

Browse Source 
svn:r3482
This commit is contained in:
Roger Dingledine 2005-01-31 08:34:38 +00:00
parent d232831135
commit 2fa4b77735
1 changed files with 52 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
doc/design-paper/challenges.tex
View File

@ -107,14 +107,13 @@ and~\ref{sec:crossroads-technical} go on to describe the practical challenges,
both policy and technical respectively, that stand in the way of moving both policy and technical respectively, that stand in the way of moving
from a practical useful network to a practical useful anonymous network. from a practical useful network to a practical useful anonymous network.
\section{What Is Tor} %\section{What Is Tor}
\section{Distributed trust: safety in numbers}
\label{sec:what-is-tor} \label{sec:what-is-tor}
Here we give a basic overview of the Tor design and its properties. For Here we give a basic overview of the Tor design and its properties. For
details on the design, assumptions, and security arguments, we refer details on the design, assumptions, and security arguments, we refer
the reader to~\cite{tor-design}. the reader to the Tor design paper~\cite{tor-design}.
\subsection{Distributed trust: safety in numbers}
Tor provides \emph{forward privacy}, so that users can connect to Tor provides \emph{forward privacy}, so that users can connect to
Internet sites without revealing their logical or physical locations Internet sites without revealing their logical or physical locations
@ -150,10 +149,6 @@ offering various kinds of services, such as web publishing or an instant
messaging server. Using Tor ``rendezvous points'', other Tor users can messaging server. Using Tor ``rendezvous points'', other Tor users can
connect to these hidden services, each without knowing the other's network connect to these hidden services, each without knowing the other's network
identity. identity.
%This hidden service functionality could allow Tor users to
%set up a website where people publish material without worrying about
%censorship. Nobody would be able to determine who was offering the site,
%and nobody who offered the site would know who was posting to it.
Tor attempts to anonymize the transport layer, not the application layer, so Tor attempts to anonymize the transport layer, not the application layer, so
application protocols that include personally identifying information need application protocols that include personally identifying information need
@ -185,7 +180,7 @@ Instead, to protect our networks from traffic analysis, we must
collaboratively blend the traffic from many organizations and private collaboratively blend the traffic from many organizations and private
citizens, so that an eavesdropper can't tell which users are which, citizens, so that an eavesdropper can't tell which users are which,
and who is looking for what information. By bringing more users onto and who is looking for what information. By bringing more users onto
the network, all users become more secure \cite{econymics}. the network, all users become more secure~\cite{econymics}.
Naturally, organizations will not want to depend on others for their Naturally, organizations will not want to depend on others for their
security. If most participating providers are reliable, Tor tolerates security. If most participating providers are reliable, Tor tolerates
@ -196,12 +191,16 @@ hasn't been read or modified. This even works for Internet services that
don't have built-in encryption and authentication, such as unencrypted don't have built-in encryption and authentication, such as unencrypted
HTTP or chat, and it requires no modification of those services to do so. HTTP or chat, and it requires no modification of those services to do so.
weasel's graph of \# nodes and of bandwidth, ideally from week 0. As of January 2005, the Tor network has grown to around a hundred servers
on four continents, with a total capacity exceeding 1Gbit/s. Appendix A
shows a graph of the number of working servers over time, as well as a
graph of the number of bytes being handled by the network over time. At
this point the network is sufficiently diverse for further development
and testing; but of course we always encourage and welcome new servers
to join the network.
Tor doesn't try to provide steg (but see Sec \ref{china}), or %Tor doesn't try to provide steg (but see Section~\ref{subsec:china}), or
the other non-goals listed in tor-design. %the other non-goals listed in tor-design.
[arma will do this part]
Tor is not the only anonymity system that aims to be practical and useful. Tor is not the only anonymity system that aims to be practical and useful.
Commercial single-hop proxies~\cite{anonymizer}, as well as unsecured Commercial single-hop proxies~\cite{anonymizer}, as well as unsecured
@ -277,6 +276,7 @@ complicating factors:
%Isn't it more accurate to say ``If the adversary _always_ controls the final %Isn't it more accurate to say ``If the adversary _always_ controls the final
% dest, we would be just as well off with such as system.'' ? If not, why % dest, we would be just as well off with such as system.'' ? If not, why
% not? -nm % not? -nm
% Sure. In fact, better off, since they seem to scale more easily. -rd
in practice tor's threat model is based entirely on the goal of dispersal in practice tor's threat model is based entirely on the goal of dispersal
and diversity. george and steven describe an attack \cite{draft} that and diversity. george and steven describe an attack \cite{draft} that
@ -312,22 +312,22 @@ we also decided that it would probably be poor precedent to encourage
such use---even legal use that improves national security---and managed such use---even legal use that improves national security---and managed
to dissuade them. to dissuade them.
With this image issue in mind, here we discuss the Tor user base and With this image issue in mind, this section discusses the Tor user base and
Tor's interaction with other services on the Internet. Tor's interaction with other services on the Internet.
\subsection{Image and reputability}
\subsection{Image and security}
Image: substantial non-infringing uses. Image is a security parameter, Image: substantial non-infringing uses. Image is a security parameter,
since it impacts user base and perceived sustainability. since it impacts user base and perceived sustainability.
grab reputability paragraphs from usability.tex [arma will do this]
A Tor gui, how jap's gui is nice but does not reflect the security
they provide.
Public perception, and thus advertising, is a security parameter.
good uses are kept private, bad uses are publicized. not good. good uses are kept private, bad uses are publicized. not good.
Public perception, and thus advertising, is a security parameter.
users do not correlate to anonymity. arma will do this. users do not correlate to anonymity. arma will do this.
Communicating security levels to the user
A Tor gui, how jap's gui is nice but does not reflect the security
they provide.
\subsection{Usability and bandwidth and sustainability and incentives} \subsection{Usability and bandwidth and sustainability and incentives}
@ -346,6 +346,35 @@ less useful it seems it is.
[nick will write this section] [nick will write this section]
\subsection{Reputability}
Yet another factor in the safety of a given network is its reputability:
the perception of its social value based on its current users. If I'm
the only user of a system, it might be socially accepted, but I'm not
getting any anonymity. Add a thousand Communists, and I'm anonymous,
but everyone thinks I'm a Commie. Add a thousand random citizens (cancer
survivors, privacy enthusiasts, and so on) and now I'm hard to profile.
The more cancer survivors on Tor, the better for the human rights
activists. The more script kiddies, the worse for the normal users. Thus,
reputability is an anonymity issue for two reasons. First, it impacts
the sustainability of the network: a network that's always about to be
shut down has difficulty attracting and keeping users, so its anonymity
set suffers. Second, a disreputable network attracts the attention of
powerful attackers who may not mind revealing the identities of all the
users to uncover a few bad ones.
While people therefore have an incentive for the network to be used for
``more reputable'' activities than their own, there are still tradeoffs
involved when it comes to anonymity. To follow the above example, a
network used entirely by cancer survivors might welcome some Communists
onto the network, though of course they'd prefer a wider variety of users.
The impact of public perception on security is especially important
during the bootstrapping phase of the network, where the first few
widely publicized uses of the network can dictate the types of users it
attracts next.
\subsection{Tor and file-sharing} \subsection{Tor and file-sharing}
[nick will write this section] [nick will write this section]
@ -951,6 +980,7 @@ network. We need to be more aware of the anonymity properties of various
approaches we can make better design decisions in the future. approaches we can make better design decisions in the future.
\subsection{The China problem} \subsection{The China problem}
\label{subsec:china}
Citizens in a variety of countries, such as most recently China and Citizens in a variety of countries, such as most recently China and
Iran, are periodically blocked from accessing various sites outside Iran, are periodically blocked from accessing various sites outside