two easy discovery approaches, plus a discussion of publicity,
and general cleanups.


svn:r8842
Roger Dingledine 2006-10-28 06:14:18 +00:00
parent e473ca2427
commit 3eb8c9e50f


@ -305,7 +305,7 @@ Existing commercial anonymity solutions (like Anonymizer.com) are based
on a set of single-hop proxies. In these systems, each user connects to on a set of single-hop proxies. In these systems, each user connects to
a single proxy, which then relays the user's traffic. These public proxy a single proxy, which then relays the user's traffic. These public proxy
systems are typically characterized by two features: they control and systems are typically characterized by two features: they control and
operator the proxies centrally, and many different users get assigned operate the proxies centrally, and many different users get assigned
to each proxy. to each proxy.
In terms of the relay component, single proxies provide weak security In terms of the relay component, single proxies provide weak security
@ -343,7 +343,8 @@ Access control systems on the proxy let them provide service only to
users with certain characteristics, such as paying customers or people users with certain characteristics, such as paying customers or people
from certain IP address ranges. from certain IP address ranges.
Discovery despite a government-level firewall is a complex and unsolved Discovery in the face of a government-level firewall is a complex and
unsolved
topic, and we're stuck in this same arms race ourselves; we explore it topic, and we're stuck in this same arms race ourselves; we explore it
in more detail in Section~\ref{sec:discovery}. But first we examine the in more detail in Section~\ref{sec:discovery}. But first we examine the
other end of the spectrum --- getting volunteers to run the proxies, other end of the spectrum --- getting volunteers to run the proxies,
@ -413,7 +414,8 @@ first introduction into the Tor network.
\subsection{JAP} \subsection{JAP}
Stefan's WPES paper is probably the closest related work, and is Stefan's WPES paper~\cite{koepsell:wpes2004} is probably the closest
related work, and is
the starting point for the design in this paper. the starting point for the design in this paper.
\subsection{steganography} \subsection{steganography}
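Review bot: the new citation key `koepsell:wpes2004` needs a matching entry in the bibliography file this document loads (`\bibliography{tor-design}`), otherwise BibTeX emits a warning and the reference renders as [?]. While here, "Stefan's WPES paper" reads as a personal note; now that the cite is in place, the author's surname plus the citation would be the normal form.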
@ -446,7 +448,7 @@ perceived to be for experts only, and thus not worth attention yet. The
more subtle variant on this theory is that we've positioned Tor in the more subtle variant on this theory is that we've positioned Tor in the
public eye as a tool for retaining civil liberties in more free countries, public eye as a tool for retaining civil liberties in more free countries,
so perhaps blocking authorities don't view it as a threat. (We revisit so perhaps blocking authorities don't view it as a threat. (We revisit
this idea when we consider whether and how to publicize a a Tor variant this idea when we consider whether and how to publicize a Tor variant
that improves blocking-resistance --- see Section~\ref{subsec:publicity} that improves blocking-resistance --- see Section~\ref{subsec:publicity}
for more discussion.) for more discussion.)
@ -501,7 +503,7 @@ Tor client; but we leave this discussion for Section~\ref{sec:security}.
%to an alternate directory authority, and for controller commands %to an alternate directory authority, and for controller commands
%that will do this cleanly. %that will do this cleanly.
\subsection{The bridge directory authority (BDA)} \subsection{The bridge directory authority}
How do the bridge relays advertise their existence to the world? We How do the bridge relays advertise their existence to the world? We
introduce a second new component of the design: a specialized directory introduce a second new component of the design: a specialized directory
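Review bot: dropping "(BDA)" from the heading removes the only definition of that abbreviation visible in this change; if "BDA" is still used later in the document it is now undefined on first use, so check the source for remaining occurrences and either expand them or keep the parenthetical.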
@ -559,6 +561,7 @@ track them that way.
%individually. %individually.
\subsection{Putting them together} \subsection{Putting them together}
\label{subsec:relay-together}
If a blocked user knows the identity keys of a set of bridge relays, and If a blocked user knows the identity keys of a set of bridge relays, and
he has correct address information for at least one of them, he can use he has correct address information for at least one of them, he can use
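Review bot: the new `\label{subsec:relay-together}` is not referenced by anything in this change. That is harmless for compilation, but if it was added for a specific `\ref` (for example from the new discovery subsections), that reference should land in the same commit so the label does not go stale.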
@ -613,7 +616,7 @@ relay command to establish an internal connection to its directory cache.
Therefore a better way to summarize a bridge's address is by its IP Therefore a better way to summarize a bridge's address is by its IP
address and ORPort, so all communications between the client and the address and ORPort, so all communications between the client and the
bridge will the ordinary TLS. But there are other details that need bridge will use ordinary TLS. But there are other details that need
more investigation. more investigation.
What port should bridges pick for their ORPort? We currently recommend What port should bridges pick for their ORPort? We currently recommend
@ -621,13 +624,14 @@ that they listen on port 443 (the default HTTPS port) if they want to
be most useful, because clients behind standard firewalls will have be most useful, because clients behind standard firewalls will have
the best chance to reach them. Is this the best choice in all cases, the best chance to reach them. Is this the best choice in all cases,
or should we encourage some fraction of them pick random ports, or other or should we encourage some fraction of them pick random ports, or other
ports commonly permitted on firewalls like 53 (DNS) or 110 (POP)? We need ports commonly permitted through firewalls like 53 (DNS) or 110
(POP)? We need
more research on our potential users, and their current and anticipated more research on our potential users, and their current and anticipated
firewall restrictions. firewall restrictions.
Furthermore, we need to look at the specifics of Tor's TLS handshake. Furthermore, we need to look at the specifics of Tor's TLS handshake.
Right now Tor uses some predictable strings in its TLS handshakes. For Right now Tor uses some predictable strings in its TLS handshakes. For
example, it sets the X.509 organizationName field to "Tor", and it puts example, it sets the X.509 organizationName field to ``Tor'', and it puts
the Tor server's nickname in the certificate's commonName field. We the Tor server's nickname in the certificate's commonName field. We
should tweak the handshake protocol so it doesn't rely on any details should tweak the handshake protocol so it doesn't rely on any details
in the certificate headers, yet it remains secure. Should we replace in the certificate headers, yet it remains secure. Should we replace
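Review bot: the ``Tor'' quoting fix is correct LaTeX, since straight double quotes set as two closing quotes. On the unchanged context, "ports commonly permitted through firewalls like 53 (DNS)" could be qualified: many firewalls permit 53 only toward their own resolver, and often only over UDP, so a bridge listening on TCP/53 may be less reachable than the sentence implies.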
@ -678,8 +682,9 @@ him a bad connection each time, there's nothing we can do.)
What about anonymity-breaking attacks from observing traffic, if the What about anonymity-breaking attacks from observing traffic, if the
blocked user doesn't start out knowing the identity key of his intended blocked user doesn't start out knowing the identity key of his intended
bridge? The vulnerabilities aren't so bad in this case either --- bridge? The vulnerabilities aren't so bad in this case either ---
the adversary could do the same attacks just by monitoring the network the adversary could do similar attacks just by monitoring the network
traffic. traffic.
% cue paper by steven and george
Once the Tor client has fetched the bridge's server descriptor, it should Once the Tor client has fetched the bridge's server descriptor, it should
remember the identity key fingerprint for that bridge relay. Thus if remember the identity key fingerprint for that bridge relay. Thus if
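Review bot: the `% cue paper by steven and george` comment is a placeholder citation with nothing a later editor can search for; prefer a `% TODO:` marker carrying the intended BibTeX key or at least the paper title, since a commented line never produces the compile-time reminder that a missing `\cite` key would.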
@ -703,13 +708,59 @@ unfortunate fact is that we have no magic bullet for discovery. We're
in the same arms race as all the other designs we described in in the same arms race as all the other designs we described in
Section~\ref{sec:related}. Section~\ref{sec:related}.
3 options: In this section we describe four approaches to adding discovery
components for our design, in order of increasing complexity. Note that
we can deploy all four schemes at once --- bridges and blocked users can
use the discovery approach that is most appropriate for their situation.
\subsection{Independent bridges, no central discovery}
The first design is simply to have no centralized discovery component at
all. Volunteers run bridges, and we assume they have some blocked users
in mind and communicate their address information to them out-of-band
(for example, through gmail). This design allows for small personal
bridges that have only one or a handful of users in mind, but it can
also support an entire community of users. For example, Citizen Lab's
upcoming Psiphon single-hop proxy tool~\cite{psiphon} plans to use this
\emph{social network} approach as its discovery component.
There are some variations on this design. In the above example, the
operator of the bridge seeks out and informs each new user about his
bridge's address information and/or keys. Another approach involves
blocked users introducing new blocked users to the bridges they know.
That is, somebody in the blocked area can pass along a bridge's address to
somebody else they trust. This scheme brings in appealing but complex game
theory properties: the blocked user making the decision has an incentive
only to delegate to trustworthy people, since an adversary who learns
the bridge's address and filters it makes it unavailable for both of them.
\subsection{Families of bridges}
Because the blocked users are running our software too, we have many
opportunities to improve usability or robustness. Our second design builds
on the first by encouraging volunteers to run several bridges at once
(or coordinate with other bridge volunteers), such that some fraction
of the bridges are likely to be available at any given time.
The blocked user's Tor client could periodically fetch an updated set of
recommended bridges from any of the working bridges. Now the client can
learn new additions to the bridge pool, and can expire abandoned bridges
or bridges that the adversary has blocked, without the user ever needing
to care. To simplify maintenance of the community's bridge pool, rather
than mirroring all of the information at each bridge, each community
could instead run its own bridge directory authority (accessed via the
available bridges),
\subsection{Social networks with directory-side support}
In the above designs,
- social network scheme, with accounts and stuff.
- independent proxies. just tell your friends.
- public proxies. given out like circumventors. or all sorts of other rate limiting ways. - public proxies. given out like circumventors. or all sorts of other rate limiting ways.
- social network scheme, with accounts and stuff.
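Review bot: the new intro promises "four approaches" but this hunk writes out only two subsections plus a heading; "Families of bridges" ends mid-sentence at "accessed via the available bridges)," and "Social networks with directory-side support" opens with the fragment "In the above designs," followed by the old outline bullets, so either mark the unfinished parts with `% TODO` or finish them before this goes out. Two smaller points: `\cite{psiphon}` needs a bibliography entry, and "through gmail" should be capitalized as "Gmail".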
@ -797,12 +848,12 @@ Users can establish reputations, perhaps based on social network
connectivity, perhaps based on not getting their bridge relays blocked, connectivity, perhaps based on not getting their bridge relays blocked,
Probably the most critical lesson learned in past work on reputation Probably the most critical lesson learned in past work on reputation
systems in privacy-oriented environments~\cite{p2p-econ} is the need for systems in privacy-oriented environments~\cite{rep-anon} is the need for
verifiable transactions. That is, the entity computing and advertising verifiable transactions. That is, the entity computing and advertising
reputations for participants needs to actually learn in a convincing reputations for participants needs to actually learn in a convincing
way that a given transaction was successful or unsuccessful. way that a given transaction was successful or unsuccessful.
(Lesson from designing reputation systems~\cite{p2p-econ}: easy to (Lesson from designing reputation systems~\cite{rep-anon}: easy to
reward good behavior, hard to punish bad behavior. reward good behavior, hard to punish bad behavior.
\subsection{How to allocate bridge addresses to users} \subsection{How to allocate bridge addresses to users}
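Review bot: the citation key swap from `p2p-econ` to `rep-anon` needs `rep-anon` to exist in the bibliography, and it is worth checking that `p2p-econ` is still cited elsewhere, or it becomes an unused entry. In the unchanged context, the parenthetical beginning "(Lesson from designing reputation systems" never closes.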
@ -915,9 +966,9 @@ solution though.
Should bridge users sometimes send bursts of long-range drop cells? Should bridge users sometimes send bursts of long-range drop cells?
\subsection{Anonymity effects from becoming a bridge relay} \subsection{Anonymity effects from acting as a bridge relay}
Against some attacks, becoming a bridge relay can improve anonymity. The Against some attacks, relaying traffic for others can improve anonymity. The
simplest example is an attacker who owns a small number of Tor servers. He simplest example is an attacker who owns a small number of Tor servers. He
will see a connection from the bridge, but he won't be able to know will see a connection from the bridge, but he won't be able to know
whether the connection originated there or was relayed from somebody else. whether the connection originated there or was relayed from somebody else.
@ -943,7 +994,7 @@ willing to relay will allow this sort of attacker to determine if it's
being used as a bridge but not whether it is adding traffic of its own. being used as a bridge but not whether it is adding traffic of its own.
It is an open research question whether the benefits outweigh the risks. A It is an open research question whether the benefits outweigh the risks. A
lot of the decision rests on which the attacks users are most worried lot of the decision rests on which attacks the users are most worried
about. For most users, we don't think running a bridge relay will be about. For most users, we don't think running a bridge relay will be
that damaging. that damaging.
@ -955,7 +1006,8 @@ always reasonable.
For Internet cafe Windows computers that let you attach your own USB key, For Internet cafe Windows computers that let you attach your own USB key,
a USB-based Tor image would be smart. There's Torpark, and hopefully a USB-based Tor image would be smart. There's Torpark, and hopefully
there will be more options down the road. Worries about hardware or there will be more thoroughly analyzed options down the road. Worries
about hardware or
software keyloggers and other spyware --- and physical surveillance. software keyloggers and other spyware --- and physical surveillance.
If the system lets you boot from a CD or from a USB key, you can gain If the system lets you boot from a CD or from a USB key, you can gain
@ -1088,7 +1140,7 @@ Bridge users without Tor clients
Bridge relays could always open their socks proxy. This is bad though, Bridge relays could always open their socks proxy. This is bad though,
firstly firstly
because they learn the bridge users' destinations, and secondly because because bridges learn the bridge users' destinations, and secondly because
we've learned that open socks proxies tend to attract abusive users who we've learned that open socks proxies tend to attract abusive users who
have no idea they're using Tor. have no idea they're using Tor.
@ -1098,12 +1150,25 @@ that require authentication and then pass the requests into Tor. This
approach is probably a good way to help bootstrap the Psiphon network, approach is probably a good way to help bootstrap the Psiphon network,
if one of its barriers to deployment is a lack of volunteers willing if one of its barriers to deployment is a lack of volunteers willing
to exit directly to websites. But it clearly drops some of the nice to exit directly to websites. But it clearly drops some of the nice
anonymity features Tor provides. anonymity and security features Tor provides.
\subsection{Publicity attracts attention} \subsection{Publicity attracts attention}
\label{subsec:publicity} \label{subsec:publicity}
both good and bad. Many people working on this field want to publicize the existence
and extent of censorship concurrently with the deployment of their
circumvention software. The easy reason for this two-pronged push is
to attract volunteers for running proxies in their systems; but in many
cases their main goal is not to build the software, but rather to educate
the world about the censorship. The media also tries to do its part by
broadcasting the existence of each new circumvention system.
But at the same time, this publicity attracts the attention of the
censors. We can slow down the arms race by not attracting as much
attention, and just spreading by word of mouth. If our goal is to
establish a solid social network of bridges and bridge users before
the adversary gets involved, does this attention tradeoff work to our
advantage?
\subsection{The Tor website: how to get the software} \subsection{The Tor website: how to get the software}
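Review bot: "Many people working on this field" should be "working in this field". The closing question of the new paragraph is the only place the tradeoff is stated; since an earlier hunk points readers here ("We revisit this idea when we consider whether and how to publicize a Tor variant ... see Section~\ref{subsec:publicity}"), they will expect at least a tentative answer or a `% TODO` marker rather than an open question.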
@ -1126,6 +1191,8 @@ the outside world, etc.
Hidden services as bridges. Hidden services as bridge directory authorities. Hidden services as bridges. Hidden services as bridge directory authorities.
\section{Conclusion}
\bibliographystyle{plain} \bibliography{tor-design} \bibliographystyle{plain} \bibliography{tor-design}
\appendix \appendix
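Review bot: `\section{Conclusion}` is inserted with no body directly before `\bibliographystyle`, so it renders as an empty heading followed by the references; add at least a `% TODO` or a one-paragraph summary, or leave the heading out until the text exists.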
@ -1164,7 +1231,7 @@ be a thing that human interacts with.
rate limiting mechanisms: rate limiting mechanisms:
energy spent. captchas. relaying traffic for others? energy spent. captchas. relaying traffic for others?
send us $10, we'll give you an account send us \$10, we'll give you an account
so how do we reward people for being good? so how do we reward people for being good?
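Review bot: escaping the dollar sign as `\$10` is the right fix; an unescaped `$` opens math mode and, with no partner on the line, yields a "Missing $ inserted" error or mis-set text.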