Folks, I have followed various discussions lately about the creation of reduced hop Tor clients that implement fewer than the three hops considered by Tor's design. Such clients represent an attack on Tor as a whole. Indeed, defenses against reduced hop clients leveraging the Tor network should be built into Tor's design to defend against this attack. Today and for the foreseeable future, Tor's network latency relates to the maximum latency that Tor users are willing to accept. As Tor gets faster, it attracts more users and more traffic, which in turn increases latency. As the Tor network increases in latency, it loses users for whom the latency becomes unacceptably high. Latency in turn relates to the number of hops. The more hops, the higher the latency. Which not coincidentally is why some with lower anonymity requirements may prefer fewer hops. Here is the catch: as traffic from those with lower anonymity and hop requirements increases, it drives the latency of three hop connections above the latency acceptable for those seeking higher anonymity. The end state, if lower than three hop implementations are permitted to use the Tor network, is that Tor's network performance will acceptable only to users of lower hop clients. This fact alone drives a need to block reduced hop clients from the network. But it gets worse. Many of those that would be satisfied with fewer hops engage in comparatively low risk behavior (which is why they are satisfied with lower anonymity), such as downloading large files of questionable origin. The protocols commonly used for such downloads can accept higher latency than the interactive protocols needed by the part of the user population seeking higher anonymity levels. Pushing the latency of three hop clients farther out of the usability envelope. Though the above is more than sufficient cause to block reduced hop clients from corrupting the Tor network, it deserves mention that single hop clients in particular remove the protection that Tor's design until now afforded to exit node operators. If only three hop clients can use the Tor network, the Tor exit node operator can be confident that capture of an exit hop's connection log will fail to provide the attacker with useful tracking information. This discourages both legal and illegal attacks on Tor exit hops and thus increases the overall number and capacity of Tor exits. Removing this protection will lead to an increase in attacks on exit hops, which in turn will lead to decreased exit capacity. Further negatively impacting Tor network latency. In summary, reduced hop clients are deleterious to Tor a whole and users with the level of anonymity that Tor was design to provide in particular. Users with lower anonymity needs should be guided towards the many other systems available today that provide lower anonymity than Tor. Most importantly, Tor should implement a (potentially blinded) hop verification that ensures that lower hop count clients cannot abuse the Tor network. --Lucky Green *********************************************************************** To unsubscribe, send an e-mail to majordomo@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/ ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE