mirror of
https://gitlab.torproject.org/tpo/core/tor.git
Write remaining active attacks
svn:r711
parent a91c6d27bf
commit b0c6a5ea2e
2
doc/TODO
@ -63,6 +63,8 @@ Short-term:
|
|||||||
- make sure exiting from the not-last hop works
|
- make sure exiting from the not-last hop works
|
||||||
- logic to find last *open* hop, not last hop, in cpath
|
- logic to find last *open* hop, not last hop, in cpath
|
||||||
- choose exit nodes by exit policies
|
- choose exit nodes by exit policies
|
||||||
|
- Remember address and port when resolving.
|
||||||
|
- Extend by nickname/hostname/something, not by IP.
|
||||||
|
|
||||||
On-going
|
On-going
|
||||||
. Better comments for functions!
|
. Better comments for functions!
|
||||||
|
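Review bot: the new TODO item "Extend by nickname/hostname/something, not by IP" leaves the identifier undecided; name the one intended (nickname or hostname), or at least state the motivation, because the design-document note removed later in this same commit ("we rely on DNS being globally consistent ... asking to extend a circuit to a certain IP can give away your origin") is that motivation and otherwise disappears from both files. "Remember address and port when resolving" should likewise say where the address and port are kept and for how long, so the item is actionable rather than a reminder only its author can decode.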
@ -945,7 +945,7 @@ their bandwidth usage. To accomodate them, Tor servers use a token
|
|||||||
bucket approach to limit the number of bytes they
|
bucket approach to limit the number of bytes they
|
||||||
receive. Tokens are added to the bucket each second (when the bucket is
|
receive. Tokens are added to the bucket each second (when the bucket is
|
||||||
full, new tokens are discarded.) Each token represents permission to
|
full, new tokens are discarded.) Each token represents permission to
|
||||||
receive one byte from the network --- to receive a byte, the connection
|
receive one byte from the network---to receive a byte, the connection
|
||||||
must remove a token from the bucket. Thus if the bucket is empty, that
|
must remove a token from the bucket. Thus if the bucket is empty, that
|
||||||
connection must wait until more tokens arrive. The number of tokens we
|
connection must wait until more tokens arrive. The number of tokens we
|
||||||
add enforces a long-term average rate of incoming bytes, while still
|
add enforces a long-term average rate of incoming bytes, while still
|
||||||
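Review bot: "accomodate" in this hunk's header context line should be "accommodate"; since the hunk only touches em-dash spacing in the same paragraph, fold the spelling fix in. The parenthetical "(when the bucket is full, new tokens are discarded.)" also puts the full stop inside the parentheses although the parenthetical belongs to the surrounding sentence; "(when the bucket is full, new tokens are discarded)." reads correctly.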
@ -1202,6 +1202,9 @@ Similarly, one could run automatic spam filtering software (such as
|
|||||||
SpamAssassin) on email exiting the OR network. A generic
|
SpamAssassin) on email exiting the OR network. A generic
|
||||||
intrusion detection system (IDS) could be adapted to these purposes.
|
intrusion detection system (IDS) could be adapted to these purposes.
|
||||||
|
|
||||||
|
[XXX Mention possibility of filtering spam-like habits--e.g., many
|
||||||
|
recipients. -NM]
|
||||||
|
|
||||||
ORs may also choose to rewrite exiting traffic in order to append
|
ORs may also choose to rewrite exiting traffic in order to append
|
||||||
headers or other information to indicate that the traffic has passed
|
headers or other information to indicate that the traffic has passed
|
||||||
through an anonymity service. This approach is commonly used, to some
|
through an anonymity service. This approach is commonly used, to some
|
||||||
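Review bot: the bracketed "[XXX Mention possibility of filtering spam-like habits--e.g., many recipients. -NM]" is an editorial note placed in the document body, where it will be typeset; either make it a % comment or resolve it now, for example by extending the preceding SpamAssassin sentence with the recipient-count heuristic (the draft text removed later in this commit, "We won't send to more than 8 people at a time", is the concrete rule it refers to). The "--e.g." double hyphen also contradicts the em-dash rule this commit adds at the end of the file.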
@ -1298,7 +1301,7 @@ and are discussed more in section~\ref{sec:maintaining-anonymity}.
|
|||||||
|
|
||||||
Of course, a variety of attacks remain. An adversary who controls a
|
Of course, a variety of attacks remain. An adversary who controls a
|
||||||
directory server can track certain clients by providing different
|
directory server can track certain clients by providing different
|
||||||
information --- perhaps by listing only nodes under its control
|
information---perhaps by listing only nodes under its control
|
||||||
as working, or by informing only certain clients about a given
|
as working, or by informing only certain clients about a given
|
||||||
node. Moreover, an adversary without control of a directory server can
|
node. Moreover, an adversary without control of a directory server can
|
||||||
still exploit differences among client knowledge. If Eve knows that
|
still exploit differences among client knowledge. If Eve knows that
|
||||||
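Review bot: the only change here is the em-dash spacing, consistent with the typography comment added at the end of this commit; no issue with it, but a single search for " --- " across the file would catch any other instances instead of fixing them paragraph by paragraph.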
@ -1705,7 +1708,11 @@ them.
|
|||||||
will have discarded the necessary information before the attack can
|
will have discarded the necessary information before the attack can
|
||||||
be completed. (Thanks to the perfect forward secrecy of session
|
be completed. (Thanks to the perfect forward secrecy of session
|
||||||
keys, the attacker cannot cannot force nodes to decrypt recorded
|
keys, the attacker cannot cannot force nodes to decrypt recorded
|
||||||
traffic once the circuits have been closed.)
|
traffic once the circuits have been closed.) Additionally, building
|
||||||
|
circuits that cross jurisdictions can make legal coercion
|
||||||
|
harder---this phenomenon is commonly called ``jurisdictional
|
||||||
|
arbitrage.''
|
||||||
|
|
||||||
|
|
||||||
\item \emph{Run a recipient.} By running a Web server, an adversary
|
\item \emph{Run a recipient.} By running a Web server, an adversary
|
||||||
trivially learns the timing patterns of those connecting to it, and
|
trivially learns the timing patterns of those connecting to it, and
|
||||||
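Review bot: "the attacker cannot cannot force nodes" in the context lines doubles "cannot"; since the hunk already edits the sentence that follows, fix it here. The added "jurisdictional arbitrage" sentence also stands as a bare assertion: the sentence just before it explains that recorded traffic cannot be decrypted after circuits close, so saying that cross-jurisdiction circuits address the remaining window, coercion of a node operator while circuits are still open, would make the two sentences fit together instead of reading as unrelated claims.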
@ -1748,8 +1755,10 @@ them.
|
|||||||
some user will choose one of those ORs for the start and another of
|
some user will choose one of those ORs for the start and another of
|
||||||
those ORs as the end of a circuit. When this happens, the user's
|
those ORs as the end of a circuit. When this happens, the user's
|
||||||
anonymity is compromised for those circuits. If an adversary can
|
anonymity is compromised for those circuits. If an adversary can
|
||||||
control $m$ out of $N$ nodes, he will be able to correlate at most
|
control $m$ out of $N$ nodes, he should be able to correlate at most
|
||||||
$\frac{m}{N}$ of the traffic in this way.
|
$\frac{m}{N}$ of the traffic in this way---although an adersary
|
||||||
|
could possibly attract a disproportionately large amount of traffic
|
||||||
|
by running an exit node with an unusually permisssive exit policy.
|
||||||
|
|
||||||
\item \emph{Compromise entire path.} Anyone compromising both
|
\item \emph{Compromise entire path.} Anyone compromising both
|
||||||
endpoints of a circuit can confirm this with high probability. If
|
endpoints of a circuit can confirm this with high probability. If
|
||||||
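Review bot: "adersary" and "permisssive" in the added lines should be "adversary" and "permissive". The "at most $\frac{m}{N}$" bound is loose: with the start and end of a circuit chosen independently, as the surrounding text describes, the fraction of circuits with both endpoints controlled is about $(\frac{m}{N})^2$ under uniform selection, so either state that figure or say why the looser $\frac{m}{N}$ bound is used. The new caveat about permissive exit policies is the right one to add, since non-uniform selection is exactly what pushes the real fraction above the uniform estimate.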
@ -1781,37 +1790,23 @@ them.
|
|||||||
the association. However, integrity checks on cells prevent
|
the association. However, integrity checks on cells prevent
|
||||||
this attack from succeeding.
|
this attack from succeeding.
|
||||||
|
|
||||||
[XXXX Damn it's 5:10. So, I'm stopping here. Good luck with what's left
|
\item \emph{Replace contents of unauthenticated protocols.} When a
|
||||||
tonight. Hopefully less than it looks. -PS]
|
relaying an unauthenticated protocol like HTTP, a hostile exit node
|
||||||
|
can impersonate the target server. Thus, whenever possible, clients
|
||||||
|
should prefer protocols with end-to-end authentication.
|
||||||
|
|
||||||
|
\item \emph{Replay attacks.} Some anonymity protocols are vulnerable
|
||||||
|
to replay attacks. Tor is not; replaying one side of a handshake
|
||||||
|
will result in a different negotiated session key, and so the rest
|
||||||
|
of the recorded session can't be used.
|
||||||
|
% ``NonSSL Anonymizer''?
|
||||||
|
|
||||||
\item sub of the above on exit policy\\
|
\item \emph{Smear attacks.} An attacker could use the Tor network to
|
||||||
Partitioning based on exit policy.
|
engage in socially dissapproved acts, so as to try to bring the
|
||||||
|
entire network into disrepute and get its operators to shut it down.
|
||||||
Run a rare exit server/something other people won't allow.
|
Exit policies can help reduce the possibilities for abuse, but
|
||||||
|
ultimately, the network will require volunteers who can tolerate
|
||||||
DOS three of the 4 who would allow a certain exit.
|
some political heat.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Subcase of running a hostile node:
|
|
||||||
the exit node can change the content you're getting to try to
|
|
||||||
trick you. similarly, when it rejects you due to exit policy,
|
|
||||||
it could give you a bad IP that sends you somewhere else.
|
|
||||||
\item \emph{replaying traffic} Can't in Tor. NonSSL anonymizer.
|
|
||||||
|
|
||||||
\item Do bad things with the Tor network, so we are hated and
|
|
||||||
get shut down. Now the user you want to watch has to use anonymizer.
|
|
||||||
|
|
||||||
Exit policy's are a start.
|
|
||||||
|
|
||||||
\item Send spam through the network. Exit policy (no open relay) and
|
|
||||||
rate limiting. We won't send to more than 8 people at a time. See
|
|
||||||
section 5.1.
|
|
||||||
|
|
||||||
we rely on DNS being globally consistent. if people in africa resolve
|
|
||||||
IPs differently, then asking to extend a circuit to a certain IP can
|
|
||||||
give away your origin.
|
|
||||||
\end{tightlist}
|
\end{tightlist}
|
||||||
|
|
||||||
\subsubsection*{Directory attacks}
|
\subsubsection*{Directory attacks}
|
||||||
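Review bot: "When a relaying an unauthenticated protocol" has a stray "a", and "dissapproved" should be "disapproved". Two of the removed draft notes have no counterpart in the new items: the exit node that "when it rejects you due to exit policy ... could give you a bad IP that sends you somewhere else" is not the same case as impersonating the target server, and the DNS-consistency note ("asking to extend a circuit to a certain IP can give away your origin") is dropped from the attacks list entirely, surviving only as the doc/TODO entry in this commit; both deserve an \item or at least a % comment. The removed "See section 5.1" pointer for rate limiting is also lost; the smear-attack item should cross-reference the exit-policy and rate-limiting discussion with a \ref rather than describe the mitigation only as tolerating "political heat". Finally, the dangling "% ``NonSSL Anonymizer''?" comment after the replay item is residue of the deleted "\item \emph{replaying traffic} Can't in Tor. NonSSL anonymizer." line and should be resolved or removed.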
@ -1830,17 +1825,6 @@ keys)
|
|||||||
\end{tightlist}
|
\end{tightlist}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Basic
|
|
||||||
|
|
||||||
How well do we resist chosen adversary?
|
|
||||||
|
|
||||||
How well do we meet stated goals?
|
|
||||||
|
|
||||||
Mention jurisdictional arbitrage.
|
|
||||||
|
|
||||||
Pull attacks and defenses into analysis as a subsection
|
|
||||||
|
|
||||||
\Section{Open Questions in Low-latency Anonymity}
|
\Section{Open Questions in Low-latency Anonymity}
|
||||||
\label{sec:maintaining-anonymity}
|
\label{sec:maintaining-anonymity}
|
||||||
|
|
||||||
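Review bot: of the removed outline notes, "Mention jurisdictional arbitrage." is satisfied by the earlier hunk in this commit and "Pull attacks and defenses into analysis as a subsection" by the rewritten attacks list, but "How well do we resist chosen adversary?" and "How well do we meet stated goals?" are dropped without any corresponding text; keep them as % comments or move them to doc/TODO so the analysis section does not silently lose them.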
@ -2099,6 +2083,10 @@ issues remaining to be ironed out. In particular:
|
|||||||
% 'Authorizating' sounds great, but it isn't a word.
|
% 'Authorizating' sounds great, but it isn't a word.
|
||||||
% 'First, second, third', not 'Firstly, secondly, thirdly'.
|
% 'First, second, third', not 'Firstly, secondly, thirdly'.
|
||||||
% 'circuit', not 'channel'
|
% 'circuit', not 'channel'
|
||||||
|
% Typography: no space on either side of an em dash---ever.
|
||||||
|
% Hyphens are for multi-part words; en dashs imply movement or
|
||||||
|
% opposition (The Alice--Bob connection); and em dashes are
|
||||||
|
% for punctuation---like that.
|
||||||
%
|
%
|
||||||
% 'Substitute ``Damn'' every time you're inclined to write ``very;'' your
|
% 'Substitute ``Damn'' every time you're inclined to write ``very;'' your
|
||||||
% editor will delete it and the writing will be just as it should be.'
|
% editor will delete it and the writing will be just as it should be.'
|
||||||
|
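Review bot: "en dashs" in the added comment should be "en dashes". The em-dash rule stated here ("no space on either side of an em dash---ever") is the one applied in the earlier hunks of this commit, but the "[XXX ... spam-like habits--e.g., ...]" note added in the same commit uses a double hyphen; fix it so the file follows its own style comment.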