[Cryptography] NSA and Tor was Updates on Durov charges in France
Christian Huitema
huitema at huitema.net
Sat Sep 7 10:51:41 EDT 2024
On 9/6/2024 5:37 PM, Peter Fairbrother wrote:
> I am no expert on the minutiae of Tor, but I hear that setting up your
> own node to hide your own traffic is generally a bad idea.
All the anonymity schemes are based on "hiding a needle in a haystack".
Not just Tor, but also VPNs, TLS Encrypted Client Hello (ECH), oblivious
DNS, oblivious HTTP, etc. The idea is mixing a specific traffic flow
(the needle) in a large amount of unrelated traffic (the haystack) so
that the traffic cannot be identified out of the mixer. There are many
modes of failures, but the big one is if the mixer is working for the
enemy, if the haystack is too small or if the needle is too shiny.
There are problems with mitigating each of these threads.
To make sure that your mixer is not working for the enemy requires
authentication. Authenticating the server of course, verify that you are
connecting to a mixer that you trust, but also probably authenticating
the client. If the mixer is open to all comers, it risks being dossed.
That increases the cost of running a mixer, and in turn increases the
probability that many mixers in the network are just honey traps. There
may be technical solution to that one, e.g., the "Privacy Pass" work
(RFC 9576, 9577, 9578), but we do not have lots of operational experience.
The small haystack problem is very much the reason why "setting up your
own node to hide your own traffic is generally a bad idea". But small
mixers have a variation of the same problem. If they are not constantly
busy with lots of traffic, matching incoming and outgoing flows become
very simple. The bigger mixers suffer less from this problem --
Cloudflare probably has sufficient traffic to make ECH efficient, Apple
for making oblivious DNS work, maybe Mozilla for oblivious HTTP. But
relying on mega-scalers has its own problems: it contributes to more
concentration on the Internet, and even if we believe that these big
mixers are not somehow doing surveillance capitalism, they become an
attractive point for legal attacks. So maybe as a general practice we
ought to rely on a large number of medium size relays, instead of just a
few big ones.
If the traffic can be easily finger printed, "the needle is too shiny".
That's the property used for correlating traffic in and out of a mixer,
or correlating traffic at entry and exit points of Tor. There may be
counter measures such as injecting or removing chaff at intermediate
relays, or messing with the timing of packets, but these defenses are
currently quite weak. Machine learning techniques are very efficient for
efficient fingerprinting, even in the presence of noise. We certainly
need a lot more research there -- beating fingerprinting may well be the
next frontier of encryption!
-- Christian Huitema
More information about the cryptography
mailing list