----- Forwarded message from Paul Syverson ----- Date: Thu, 17 Oct 2013 06:56:41 -0400 From: Paul Syverson To: tor-talk@lists.torproject.org Subject: Re: [tor-talk] New paper : Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries Message-ID: <20131017105641.GE83425@buridan.fw5540.net> User-Agent: Mutt/1.5.17 (2007-11-01) Reply-To: tor-talk@lists.torproject.org On Thu, Oct 17, 2013 at 10:46:57AM +0200, Andreas Krey wrote:

On Wed, 16 Oct 2013 19:42:41 +0000, Joe Btfsplk wrote: ...

...

One thing jumps out, Tor doesn't know for sure who's running Guard or exit nodes - & can't unless they start doing (regular, repeated) extensive personal interviews, background checks, giving polygraph tests, injecting sodium pentathol to those wanting to run nodes.

I think you slightly disregard who is actually interested in a trustworthy tor network. What you describe makes the tor operators a cabal, and the problem is that the ones who actually want to trust tor (the users) are outside that.

Besides, many attacks don't require to *run* the nodes, just to monitor its traffic. And a TLA can do that without the honest operator even suspecting.

Actually the work we did on this paper was as part of a larger program that has been our primary focus for the last several years: how can you secure communication over Tor against an adversary that can, e.g., own 30% of the nodes (or big chunk of guard and exit bandwidth) or large parts of the AS or other underlying network infrastructure. Our candidate is to leverage trust diversity in different parts of the network (e.g. trust based on who is running nodes on what hardware and what OS from what physical and network location, etc.) But this is tricky. One can't just use the most trusted parts of the network because this will probably indicate that this is statistically more likely to be communication from/to people that trust this part of the network. You need to get away from the idea of a single set of trust values for all users for the whole network. Different kinds of people will have different adversaries, which is just one factor to the diversity of trust. We've already got a few publications on this "More Anonymous Onion Routing Through Trust" by myself and Aaron Johnson and "Trust-based Anonymous Communication: Adversary Models and Routing Algorithms" by the two of us, plus Roger Dingledine and Nick Mathewson. You can find both on my homepage (syverson.org) The current paper under discussion came from the realization that we needed to have a much better handle on network models, tools and appropriate adversary models for the existing Tor network and usage in order to properly incorporate trust into routing for improved future design. HTH, Paul -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5