mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
throw down the gauntlet.
svn:r3491
This commit is contained in:
parent
44f6300c8c
commit
5675ae0407
@ -235,6 +235,7 @@ seems overkill (and/or insecure) based on the threat model we've picked.
|
|||||||
% this para should probably move to the scalability / directory system. -RD
|
% this para should probably move to the scalability / directory system. -RD
|
||||||
|
|
||||||
\section{Threat model}
|
\section{Threat model}
|
||||||
|
\label{sec:threat-model}
|
||||||
|
|
||||||
Tor does not attempt to defend against a global observer. Any adversary who
|
Tor does not attempt to defend against a global observer. Any adversary who
|
||||||
can see a user's connection to the Tor network, and who can see the
|
can see a user's connection to the Tor network, and who can see the
|
||||||
@ -243,8 +244,8 @@ correlation between the two connections to confirm the user's chosen
|
|||||||
communication partners. Defeating this attack would seem to require
|
communication partners. Defeating this attack would seem to require
|
||||||
introducing a prohibitive degree of traffic padding between the user and the
|
introducing a prohibitive degree of traffic padding between the user and the
|
||||||
network, or introducing an unacceptable degree of latency (but see
|
network, or introducing an unacceptable degree of latency (but see
|
||||||
\ref{subsec:mid-latency} below). Thus, Tor only
|
Section \ref{subsec:mid-latency}). Thus, Tor only
|
||||||
attempts to defend against external observers who can observe both sides of a
|
attempts to defend against external observers who cannot observe both sides of a
|
||||||
user's connection.
|
user's connection.
|
||||||
|
|
||||||
Against internal attackers, who sign up Tor servers, the situation is more
|
Against internal attackers, who sign up Tor servers, the situation is more
|
||||||
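Review bot: the sign flip from "who can observe both sides" to "who cannot observe both sides" is the substantive fix in this hunk and is correct: the paragraph opens by saying Tor does not defend against a global observer, so the old wording contradicted it. One style point on the same hunk: `Section \ref{subsec:mid-latency}` should use a non-breaking space, `Section~\ref{subsec:mid-latency}`, so LaTeX cannot break the line between "Section" and its number (the footnote added later in this commit has the same `Section \ref{subsec:mid-latency}` form).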
@ -279,7 +280,7 @@ complicating factors:
|
|||||||
% Sure. In fact, better off, since they seem to scale more easily. -rd
|
% Sure. In fact, better off, since they seem to scale more easily. -rd
|
||||||
|
|
||||||
in practice tor's threat model is based entirely on the goal of dispersal
|
in practice tor's threat model is based entirely on the goal of dispersal
|
||||||
and diversity. george and steven describe an attack \cite{draft} that
|
and diversity. george and steven describe an attack \cite{attack-tor-oak05} that
|
||||||
lets them determine the nodes used in a circuit; yet they can't identify
|
lets them determine the nodes used in a circuit; yet they can't identify
|
||||||
alice or bob through this attack. so it's really just the endpoints that
|
alice or bob through this attack. so it's really just the endpoints that
|
||||||
remain secure. and the enclave model seems particularly threatened by
|
remain secure. and the enclave model seems particularly threatened by
|
||||||
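Review bot: the new key `\cite{attack-tor-oak05}` is not among the BibTeX entries added in this commit (only `e2e-traffic` and `usability-network-effect` are), so please confirm it already exists in the bibliography; otherwise the replaced `\cite{draft}` placeholder simply becomes a `[?]` in the rendered PDF. The surrounding lowercase "george and steven" draft note is left as-is, which is fine if it remains inside a comment block.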
@ -317,43 +318,75 @@ Tor's interaction with other services on the Internet.
|
|||||||
|
|
||||||
\subsection{Image and security}
|
\subsection{Image and security}
|
||||||
|
|
||||||
Image: substantial non-infringing uses. Image is a security parameter,
|
A growing field of papers argue that usability for anonymity systems
|
||||||
since it impacts user base and perceived sustainability.
|
contributes directly to their security, because how usable the system
|
||||||
|
is impacts the possible anonymity set~\cite{back01,econymics}. Or
|
||||||
|
conversely, an unusable system attracts few users and thus can't provide
|
||||||
|
much anonymity.
|
||||||
|
|
||||||
good uses are kept private, bad uses are publicized. not good.
|
This phenomenon has a second-order effect: knowing this, users should
|
||||||
|
choose which anonymity system to use based in part on how usable
|
||||||
|
\emph{others} will find it, in order to get the protection of a larger
|
||||||
|
anonymity set. Thus we might replace the adage ``usability is a security
|
||||||
|
parameter''~\cite{back01} with a new one: ``perceived usability is a
|
||||||
|
security parameter.'' From here we can better understand the effects
|
||||||
|
of publicity and advertising on security: the more convincing your
|
||||||
|
advertising, the more likely people will believe you have users, and thus
|
||||||
|
the more users you will attract. Perversely, over-hyped systems (if they
|
||||||
|
are not too broken) may be a better choice than modestly promoted ones,
|
||||||
|
if the hype attracts more users~\cite{usability-network-effect}.
|
||||||
|
|
||||||
Public perception, and thus advertising, is a security parameter.
|
So it follows that we should come up with ways to accurately communicate
|
||||||
|
the available security levels to the user, so she can make informed
|
||||||
|
decisions. Dresden's JAP project aims to do this, by including a
|
||||||
|
comforting `anonymity meter' dial in the software's graphical interface,
|
||||||
|
giving the user an impression of the level of protection for her current
|
||||||
|
traffic.
|
||||||
|
|
||||||
users do not correlate to anonymity. arma will do this.
|
However, there's a catch. For users to share the same anonymity set,
|
||||||
Communicating security levels to the user
|
they need to act like each other. An attacker who can distinguish
|
||||||
A Tor gui, how jap's gui is nice but does not reflect the security
|
a given user's traffic from the rest of the traffic will not be
|
||||||
they provide.
|
distracted by other users on the network. For high-latency systems like
|
||||||
|
Mixminion, where the threat model is based on mixing messages with each
|
||||||
|
other, there's an arms race between end-to-end statistical attacks and
|
||||||
|
counter-strategies~\cite{statistical-disclosure,minion-design,e2e-traffic,trickle02}.
|
||||||
|
But for low-latency systems like Tor, end-to-end \emph{traffic
|
||||||
|
confirmation} attacks~\cite{danezis-pet2004,SS03,defensive-dropping}
|
||||||
|
allow an attacker who watches or controls both ends of a communication
|
||||||
|
to use statistics to correlate packet timing and volume, quickly linking
|
||||||
|
the initiator to her destination. This is why Tor's threat model is
|
||||||
|
based on preventing the adversary from observing both the initiator and
|
||||||
|
the responder.
|
||||||
|
|
||||||
\subsection{Usability and bandwidth and sustainability and incentives}
|
Like Tor, the current JAP implementation does not pad connections
|
||||||
|
(apart from using small fixed-size cells for transport). In fact,
|
||||||
|
its cascade-based network toplogy may be even more vulnerable to these
|
||||||
|
attacks, because the network has fewer endpoints. JAP was born out of
|
||||||
|
the ISDN mix design~\cite{isdn-mixes}, where padding made sense because
|
||||||
|
every user had a fixed bandwidth allocation, but in its current context
|
||||||
|
as a general Internet web anonymizer, adding sufficient padding to JAP
|
||||||
|
would be prohibitively expensive.\footnote{Even if they could find and
|
||||||
|
maintain extra funding to run higher-capacity nodes, our experience with
|
||||||
|
users suggests that many users would not accept the increased per-user
|
||||||
|
bandwidth requirements, leading to an overall much smaller user base. But
|
||||||
|
see Section \ref{subsec:mid-latency}.} Therefore, since under this threat
|
||||||
|
model the number of concurrent users does not seem to have much impact
|
||||||
|
on the anonymity provided, we suggest that JAP's anonymity meter is not
|
||||||
|
correctly communicating security levels to its users.
|
||||||
|
|
||||||
low-pain-threshold users go away until all users are willing to use it
|
On the other hand, while the number of active concurrent users may not
|
||||||
|
matter as much as we'd like, it still helps to have some other users
|
||||||
Sustainability. Previous attempts have been commercial which we think
|
who use the network. We investigate this issue in the next section.
|
||||||
adds a lot of unnecessary complexity and accountability. Freedom didn't
|
|
||||||
collect enough money to pay its servers; JAP bandwidth is supported by
|
|
||||||
continued money, and they periodically ask what they will do when it
|
|
||||||
dries up.
|
|
||||||
|
|
||||||
"outside of academia, jap has just lost, permanently"
|
|
||||||
|
|
||||||
Usability: fc03 paper was great, except the lower latency you are the
|
|
||||||
less useful it seems it is.
|
|
||||||
|
|
||||||
[nick will write this section]
|
|
||||||
|
|
||||||
\subsection{Reputability}
|
\subsection{Reputability}
|
||||||
|
|
||||||
Yet another factor in the safety of a given network is its reputability:
|
Another factor impacting the network's security is its reputability:
|
||||||
the perception of its social value based on its current users. If I'm
|
the perception of its social value based on its current user base. If I'm
|
||||||
the only user of a system, it might be socially accepted, but I'm not
|
the only user who has ever downloaded the software, it might be socially
|
||||||
getting any anonymity. Add a thousand Communists, and I'm anonymous,
|
accepted, but I'm not getting much anonymity. Add a thousand Communists,
|
||||||
but everyone thinks I'm a Commie. Add a thousand random citizens (cancer
|
and I'm anonymous, but everyone thinks I'm a Commie. Add a thousand
|
||||||
survivors, privacy enthusiasts, and so on) and now I'm hard to profile.
|
random citizens (cancer survivors, privacy enthusiasts, and so on)
|
||||||
|
and now I'm harder to profile.
|
||||||
|
|
||||||
The more cancer survivors on Tor, the better for the human rights
|
The more cancer survivors on Tor, the better for the human rights
|
||||||
activists. The more script kiddies, the worse for the normal users. Thus,
|
activists. The more script kiddies, the worse for the normal users. Thus,
|
||||||
@ -370,11 +403,30 @@ involved when it comes to anonymity. To follow the above example, a
|
|||||||
network used entirely by cancer survivors might welcome some Communists
|
network used entirely by cancer survivors might welcome some Communists
|
||||||
onto the network, though of course they'd prefer a wider variety of users.
|
onto the network, though of course they'd prefer a wider variety of users.
|
||||||
|
|
||||||
|
Reputability becomes even more tricky in the case of privacy networks,
|
||||||
|
since the good uses of the network (such as publishing by journalists in
|
||||||
|
dangerous countries) are typically kept private, whereas network abuses
|
||||||
|
or other problems tend to be more widely publicized.
|
||||||
|
|
||||||
The impact of public perception on security is especially important
|
The impact of public perception on security is especially important
|
||||||
during the bootstrapping phase of the network, where the first few
|
during the bootstrapping phase of the network, where the first few
|
||||||
widely publicized uses of the network can dictate the types of users it
|
widely publicized uses of the network can dictate the types of users it
|
||||||
attracts next.
|
attracts next.
|
||||||
|
|
||||||
|
\subsection{Usability and bandwidth and sustainability and incentives}
|
||||||
|
|
||||||
|
low-pain-threshold users go away until all users are willing to use it
|
||||||
|
|
||||||
|
Sustainability. Previous attempts have been commercial which we think
|
||||||
|
adds a lot of unnecessary complexity and accountability. Freedom didn't
|
||||||
|
collect enough money to pay its servers; JAP bandwidth is supported by
|
||||||
|
continued money, and they periodically ask what they will do when it
|
||||||
|
dries up.
|
||||||
|
|
||||||
|
"outside of academia, jap has just lost, permanently"
|
||||||
|
|
||||||
|
[nick will write this section]
|
||||||
|
|
||||||
\subsection{Tor and file-sharing}
|
\subsection{Tor and file-sharing}
|
||||||
|
|
||||||
[nick will write this section]
|
[nick will write this section]
|
||||||
|
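Review bot: typo in the JAP paragraph: "its cascade-based network toplogy" should read "topology". Two further points on this hunk: the new text cites `back01`, `econymics`, `statistical-disclosure`, `minion-design`, `trickle02`, `danezis-pet2004`, `SS03`, `defensive-dropping` and `isdn-mixes` in addition to the two entries this commit adds, so check each key resolves; and the "Usability and bandwidth and sustainability and incentives" subsection is moved below "Reputability" still carrying its draft notes ("[nick will write this section]", the quoted "outside of academia" line), so either mark them as `%` comments or make sure they are removed before the next build of the paper.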
@ -1151,12 +1151,24 @@
|
|||||||
title = {Synchronous Batching: From Cascades to Free Routes},
|
title = {Synchronous Batching: From Cascades to Free Routes},
|
||||||
author = {Roger Dingledine and Vitaly Shmatikov and Paul Syverson},
|
author = {Roger Dingledine and Vitaly Shmatikov and Paul Syverson},
|
||||||
booktitle = {Proceedings of Privacy Enhancing Technologies workshop (PET 2004)},
|
booktitle = {Proceedings of Privacy Enhancing Technologies workshop (PET 2004)},
|
||||||
|
editor = {David Martin and Andrei Serjantov},
|
||||||
year = {2004},
|
year = {2004},
|
||||||
month = {May},
|
month = {May},
|
||||||
series = {LNCS},
|
series = {LNCS},
|
||||||
note = {\url{http://freehaven.net/doc/sync-batching/sync-batching.pdf}},
|
note = {\url{http://freehaven.net/doc/sync-batching/sync-batching.pdf}},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@InProceedings{e2e-traffic,
|
||||||
|
author = "Nick Mathewson and Roger Dingledine",
|
||||||
|
title = "Practical Traffic Analysis: Extending and Resisting Statistical Disclosure",
|
||||||
|
booktitle= {Privacy Enhancing Technologies (PET 2004)},
|
||||||
|
editor = {David Martin and Andrei Serjantov},
|
||||||
|
month = {May},
|
||||||
|
year = {2004},
|
||||||
|
series = {LNCS},
|
||||||
|
note = {\url{http://freehaven.net/doc/e2e-traffic/e2e-traffic.pdf}},
|
||||||
|
}
|
||||||
|
|
||||||
@Misc{dtls,
|
@Misc{dtls,
|
||||||
author = {E. Rescorla and N. Modadugu},
|
author = {E. Rescorla and N. Modadugu},
|
||||||
title = {{Datagram Transport Layer Security}},
|
title = {{Datagram Transport Layer Security}},
|
||||||
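Review bot: the new `e2e-traffic` entry mixes quote-delimited and brace-delimited fields (`author = "Nick Mathewson and Roger Dingledine"` next to `booktitle= {Privacy Enhancing Technologies (PET 2004)}`) and its `booktitle` differs from the adjacent `sync-batching` entry, which uses `{Proceedings of Privacy Enhancing Technologies workshop (PET 2004)}` for the same venue. Suggest using braces throughout, a space before `=` in `booktitle =`, and the same `booktitle` string as the `sync-batching` entry so both papers sort and render identically.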
@ -1166,6 +1178,14 @@
|
|||||||
note = {\url{http://www.ietf.org/internet-drafts/draft-rescorla-dtls-02.txt}},
|
note = {\url{http://www.ietf.org/internet-drafts/draft-rescorla-dtls-02.txt}},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@InProceedings{usability-network-effect,
|
||||||
|
author={Roger Dingledine and Nick Mathewson},
|
||||||
|
title={Anonymity Loves Company: Usability and the Network Effect},
|
||||||
|
booktitle = {Designing Security Systems That People Can Use},
|
||||||
|
year = {2005},
|
||||||
|
publisher = {O'Reilly Media},
|
||||||
|
}
|
||||||
|
|
||||||
%%% Local Variables:
|
%%% Local Variables:
|
||||||
%%% mode: latex
|
%%% mode: latex
|
||||||
%%% TeX-master: "tor-design"
|
%%% TeX-master: "tor-design"
|
||||||
|
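Review bot: the `usability-network-effect` entry is typed `@InProceedings` but its fields (`booktitle = {Designing Security Systems That People Can Use}`, `publisher = {O'Reilly Media}`, no conference or series) describe a chapter in an edited book, so `@InCollection` is the better-fitting type and BibTeX styles will then expect an `editor` field; add one if the book lists editors.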