On Wed, Oct 14, 2020, 11:03 PM Karl <[1]gmkarl@gmail.com> wrote: On Wed, Oct 14, 2020, 10:48 PM Peter Fairbrother <[2]peter@tsto.co.uk> wrote: On 14/10/2020 23:59, Karl wrote: > > > On Wed, Oct 14, 2020, 6:34 PM Peter Fairbrother wrote: > To put some BOTE numbers on that, suppose you want to provide for 1 > million concurrent users. You have about 150 TB per month user traffic > to play with (500 x 1TB, ~3 hops), 150 MB per month per user, or 450 > Baud. > > > Could you explain your math here? How did 500TB/3 (am I wrong?) become > 150MB? There are 500 raspberry pi's, each on the end of a 1TB/month link. That's 500 TB/month total traffic, but dividing by 3 we get approximately 150 TB/month user traffic. How about more routers if there are more users? With a million users at any time that's 150TB user traffic per month: divided by 1 million users that's 150MB per user per month. As they are concurrent users (the total number of users is higher, but at any time 1 million users are using the service) that is 150 million bytes per month per user divided by 2,592,000 seconds per month, which is 58 bytes per second per user or 463.32 baud. Looked at another way, if people always used an anonymity service the hops would multiply their traffic by say 5 times (3 times as in TOR is not enough). Covertraffic and file size I'm curious why you believe it to be not enough (two seems good enough to my quick guesses if traffic is constant, but I can't think worth beans); I'm happy to look at a reference. I thought about this a bit, realised some strong danger of only two hops, and realised that more hops are needed if an adversary is running many nodes. Brings ideas of blockchains, trust metrics, friend-to-friend networks. Bandwidth is /5. padding traffic would at least double that, so we would need at least 10 times the normal traffic the users created. I propose constant rate: cover traffic reduces as legitimate traffic increases. Would this work, do you think? And you ned a lot of traffic through your anonymisation network to get decent anonymity, you need a large anonymity set. Web traffic is expensive - making it at least ten times more expensive is not on, especially if nine tenths of it has to be paid for by someone else. That's not counting the servers etc - getting a pi to handle 386 kB/s [1] of anonymity traffic is not trivial, I don't even think it is possible. Mmm might need good bare metal algorithms. Easier to use the client device which has more CPU. [...] > Enforcing TLS is much more reasonable nowadays. (You could add a plugin > to use http tricks to hide file sizes.). Not what I would focus on once > it gets nonsimple. A good proportion of TOR traffic will be protected by TLS anyway, especially those sites which you might not want other people to know you are accessing. Visible file sizes are the main anonymity weakness in TOR. If you suspect someone you compare the file sizes of the traffic through their system with traffic through the exit nodes. Wouldn't using chaff to make your transfer rate relatively constant close almost all of this anonymity attack surface? In the UK at least it is legally fairly easy for the cops to demand that info (and most ISPs are legally required to obtain and store that data anyway) - getting everyone's traffic info where the cops have no suspect is a little harder, but not impossible. Of course the ordinary cops don't use that power, and the people who do use it don't want it known that they can do it, so you will find that they make up stories about reused passwords and the like being the source of their information. Peter Fairbrother [1] 1TB/month divided by 2,592,000s/month References 1. mailto:gmkarl@gmail.com 2. mailto:peter@tsto.co.uk