[Cryptography] NSA and Tor was Updates on Durov charges in France

Christian Huitema huitema at huitema.net
Sat Sep 7 10:51:41 EDT 2024


On 9/6/2024 5:37 PM, Peter Fairbrother wrote:
> I am no expert on the minutiae of Tor, but I hear that setting up your
> own node to hide your own traffic is generally a bad idea.


All the anonymity schemes are based on "hiding a needle in a haystack". 
Not just Tor, but also VPNs, TLS Encrypted Client Hello (ECH), oblivious 
DNS, oblivious HTTP, etc. The idea is mixing a specific traffic flow 
(the needle) in a large amount of unrelated traffic (the haystack) so 
that the traffic cannot be identified out of the mixer. There are many 
modes of failures, but the big one is if the mixer is working for the 
enemy,  if the haystack is too small or if the needle is too shiny. 
There are problems with mitigating each of these threads.

To make sure that your mixer is not working for the enemy requires 
authentication. Authenticating the server of course, verify that you are 
connecting to a mixer that you trust, but also probably authenticating 
the client. If the mixer is open to all comers, it risks being dossed. 
That increases the cost of running a mixer, and in turn increases the 
probability that many mixers in the network are just honey traps. There 
may be technical solution to that one, e.g., the "Privacy Pass" work 
(RFC 9576, 9577, 9578), but we do not have lots of operational experience.

The small haystack problem is very much the reason why "setting up your 
own node to hide your own traffic is generally a bad idea". But small 
mixers have a variation of the same problem. If they are not constantly 
busy with lots of traffic, matching incoming and outgoing flows become 
very simple. The bigger mixers suffer less from this problem -- 
Cloudflare probably has sufficient traffic to make ECH efficient, Apple 
for making oblivious DNS work, maybe Mozilla for oblivious HTTP. But 
relying on mega-scalers has its own problems: it contributes to more 
concentration on the Internet, and even if we believe that these big 
mixers are not somehow doing surveillance capitalism, they become an 
attractive point for legal attacks. So maybe as a general practice we 
ought to rely on a large number of medium size relays, instead of just a 
few big ones.

If the traffic can be easily finger printed, "the needle is too shiny". 
That's the property used for correlating traffic in and out of a mixer, 
or correlating traffic at entry and exit points of Tor. There may be 
counter measures such as injecting or removing chaff at intermediate 
relays, or messing with the timing of packets, but these defenses are 
currently quite weak. Machine learning techniques are very efficient for 
efficient fingerprinting, even in the presence of noise. We certainly 
need a lot more research there -- beating fingerprinting may well be the 
next frontier of encryption!

-- Christian Huitema




More information about the cryptography mailing list