Write remaining active attacks

svn:r711
2024-11-10 13:13:44 +01:00 · 2003-11-02 04:53:15 +00:00 · 2003-11-02 04:53:15 +00:00 · b0c6a5ea2e
commit b0c6a5ea2e
parent a91c6d27bf
2 changed files with 35 additions and 45 deletions
--- a/doc/TODO
+++ b/doc/TODO
@ -63,6 +63,8 @@ Short-term:
                        - make sure exiting from the not-last hop works
                        - logic to find last *open* hop, not last hop, in cpath
                        - choose exit nodes by exit policies
+        - Remember address and port when resolving. 
+        - Extend by nickname/hostname/something, not by IP.

 On-going
        . Better comments for functions!
--- a/doc/tor-design.tex
+++ b/doc/tor-design.tex
@ -1202,6 +1202,9 @@ Similarly, one could run automatic spam filtering software (such as
 SpamAssassin) on email exiting the OR network.  A generic
 intrusion detection system (IDS) could be adapted to these purposes.

+[XXX Mention possibility of filtering spam-like habits--e.g., many
+  recipients. -NM]
+
 ORs may also choose to rewrite exiting traffic in order to append
 headers or other information to indicate that the traffic has passed
 through an anonymity service.  This approach is commonly used, to some
@ -1705,7 +1708,11 @@ them.
  will have discarded the necessary information before the attack can
  be completed.  (Thanks to the perfect forward secrecy of session
  keys, the attacker cannot cannot force nodes to decrypt recorded
-  traffic once the circuits have been closed.)
+  traffic once the circuits have been closed.)  Additionally, building
+  circuits that cross jurisdictions can make legal coercion
+  harder---this phenomenon is commonly called ``jurisdictional
+  arbitrage.''
+
  
 \item \emph{Run a recipient.} By running a Web server, an adversary
  trivially learns the timing patterns of those connecting to it, and
@ -1748,8 +1755,10 @@ them.
  some user will choose one of those ORs for the start and another of
  those ORs as the end of a circuit.  When this happens, the user's
  anonymity is compromised for those circuits.  If an adversary can
-  control $m$ out of $N$ nodes, he will be able to correlate at most 
-  $\frac{m}{N}$ of the traffic in this way.
+  control $m$ out of $N$ nodes, he should be able to correlate at most 
+  $\frac{m}{N}$ of the traffic in this way---although an adersary
+  could possibly attract a disproportionately large amount of traffic
+  by running an exit node with an unusually permisssive exit policy.

 \item \emph{Compromise entire path.} Anyone compromising both
  endpoints of a circuit can confirm this with high probability. If
@ -1781,37 +1790,23 @@ them.
  the association. However, integrity checks on cells prevent
  this attack from succeeding.

-[XXXX Damn it's 5:10. So, I'm stopping here. Good luck with what's left
-tonight. Hopefully less than it looks. -PS]
+\item \emph{Replace contents of unauthenticated protocols.}  When a
+  relaying an unauthenticated protocol like HTTP, a hostile exit node 
+  can impersonate the target server.  Thus, whenever possible, clients
+  should prefer protocols with end-to-end authentication.

+\item \emph{Replay attacks.} Some anonymity protocols are vulnerable
+  to replay attacks.  Tor is not; replaying one side of a handshake
+  will result in a different negotiated session key, and so the rest
+  of the recorded session can't be used.  
+  % ``NonSSL Anonymizer''?

-\item sub of the above on exit policy\\
-Partitioning based on exit policy.
-
-Run a rare exit server/something other people won't allow.
-
-DOS three of the 4 who would allow a certain exit.
-
-
-
-Subcase of running a hostile node: 
-the exit node can change the content you're getting to try to
-trick you. similarly, when it rejects you due to exit policy,
-it could give you a bad IP that sends you somewhere else.
-\item \emph{replaying traffic} Can't in Tor. NonSSL anonymizer.
-
-\item Do bad things with the Tor network, so we are hated and
-get shut down. Now the user you want to watch has to use anonymizer.
-
-Exit policy's are a start.
-
-\item Send spam through the network. Exit policy (no open relay) and
-  rate limiting. We won't send to more than 8 people at a time.  See
-  section 5.1.
-
-we rely on DNS being globally consistent. if people in africa resolve
-IPs differently, then asking to extend a circuit to a certain IP can
-give away your origin.
+\item \emph{Smear attacks.} An attacker could use the Tor network to
+  engage in socially dissapproved acts, so as to try to bring the
+  entire network into disrepute and get its operators to shut it down.
+  Exit policies can help reduce the possibilities for abuse, but
+  ultimately, the network will require volunteers who can tolerate
+  some political heat.
 \end{tightlist}

 \subsubsection*{Directory attacks}
@ -1830,17 +1825,6 @@ keys)
 \end{tightlist}


-
-Basic 
-
-How well do we resist chosen adversary?
-
-How well do we meet stated goals?
-
-Mention jurisdictional arbitrage.
-
-Pull attacks and defenses into analysis as a subsection
-
 \Section{Open Questions in Low-latency Anonymity}
 \label{sec:maintaining-anonymity}
 
@ -2099,6 +2083,10 @@ issues remaining to be ironed out. In particular:
 %     'Authorizating' sounds great, but it isn't a word.
 %     'First, second, third', not 'Firstly, secondly, thirdly'.
 %     'circuit', not 'channel'
+%     Typography: no space on either side of an em dash---ever.
+%     Hyphens are for multi-part words; en dashs imply movement or
+%        opposition (The Alice--Bob connection); and em dashes are
+%        for punctuation---like that.
 %
 %     'Substitute ``Damn'' every time you're inclined to write ``very;'' your
 %     editor will delete it and the writing will be just as it should be.'