diff options
author | Roger Dingledine <arma@torproject.org> | 2006-11-08 07:34:42 +0000 |
---|---|---|
committer | Roger Dingledine <arma@torproject.org> | 2006-11-08 07:34:42 +0000 |
commit | 70d9e958ae5919f17860640ab01a735ce175960e (patch) | |
tree | b9a4068627dec1e7a9fe292b362ef3b81db9fca4 | |
parent | b7b97088a1bd60aa1599c52d70ce7ccbc9a5609f (diff) | |
download | tor-70d9e958ae5919f17860640ab01a735ce175960e.tar.gz tor-70d9e958ae5919f17860640ab01a735ce175960e.zip |
touchups. hope i didn't clobber too much of nick's plans.
svn:r8920
-rw-r--r-- | doc/design-paper/blocking.tex | 63 |
1 files changed, 45 insertions, 18 deletions
diff --git a/doc/design-paper/blocking.tex b/doc/design-paper/blocking.tex index 7c167b58c9..6b8b7f6de1 100644 --- a/doc/design-paper/blocking.tex +++ b/doc/design-paper/blocking.tex @@ -60,8 +60,8 @@ Historically, research on anonymizing systems has focused on a passive attacker who monitors the user (call her Alice) and tries to discover her activities, yet lets her reach any piece of the network. In more modern threat models such as Tor's, the adversary is allowed to perform active -attacks such as modifying communications in hopes of tricking Alice -into revealing her destination, or intercepting some of her connections +attacks such as modifying communications to trick Alice +into revealing her destination, or intercepting some connections to run a man-in-the-middle attack. But these systems still assume that Alice can eventually reach the anonymizing network. @@ -108,8 +108,7 @@ whistleblowers in firewalled corporate network; and for people in unanticipated oppressive situations. In fact, by designing with a variety of adversaries in mind, we can take advantage of the fact that adversaries will be in different stages of the arms race at each location, -and thereby retain partial utility in servers even when they are blocked -by some of the adversaries. +so a server blocked in one locale can still be useful in others. We assume there are three main network attacks in use by censors currently~\cite{clayton:pet2006}: @@ -124,8 +123,8 @@ destination hostnames. \end{tightlist} We assume the network firewall has limited CPU and memory per -connection~\cite{clayton:pet2006}. Against an adversary who spends -hours looking through the contents of each packet, we would need +connection~\cite{clayton:pet2006}. Against an adversary who carefully +examines the contents of every packet, we would need some stronger mechanism such as steganography, which introduces its own problems~\cite{active-wardens,tcpstego,bar}. @@ -303,7 +302,7 @@ Relay-based blocking-resistance schemes generally have two main components: a relay component and a discovery component. The relay part encompasses the process of establishing a connection, sending traffic back and forth, and so on---everything that's done once the user knows -where he's going to connect. Discovery is the step before that: the +where she's going to connect. Discovery is the step before that: the process of finding one or more usable relays. For example, we can divide the pieces of Tor in the previous section @@ -316,7 +315,8 @@ in mind, we now examine several categories of relay-based schemes. Existing commercial anonymity solutions (like Anonymizer.com) are based on a set of single-hop proxies. In these systems, each user connects to -a single proxy, which then relays the user's traffic. These public proxy +a single proxy, which then relays traffic between the user and her +destination. These public proxy systems are typically characterized by two features: they control and operate the proxies centrally, and many different users get assigned to each proxy. @@ -393,8 +393,9 @@ some cases he may know and trust some people on the outside, but in many cases he's just out of luck. Just as hard, how does a new volunteer in Ohio find a person in China who needs it? -%discovery is also hard because the hosts keep vanishing if they're -%on dynamic ip. But not so bad, since they can use dyndns addresses. +% another key feature of a proxy run by your uncle is that you +% self-censor, so you're unlikely to bring abuse complaints onto +% your uncle. self-censoring clearly has a downside too, though. This challenge leads to a hybrid design---centrally-distributed personal proxies---which we will investigate in more detail in @@ -467,7 +468,7 @@ this idea when we consider whether and how to publicize a Tor variant that improves blocking-resistance---see Section~\ref{subsec:publicity} for more discussion.) -The broader explanation is that the maintainance of most government-level +The broader explanation is that the maintainance of most government-level filters is aimed at stopping widespread information flow and appearing to be in control, not by the impossible goal of blocking all possible ways to bypass censorship. Censors realize that there will always @@ -690,6 +691,9 @@ cat-and-mouse game is made more complex by the fact that Tor transports a variety of protocols, and we'll want to automatically handle web browsing differently from, say, instant messaging. +% Tor cells are 512 bytes each. So TLS records will be roughly +% multiples of this size? How bad is this? + \subsection{Identity keys as part of addressing information} We have described a way for the blocked user to bootstrap into the @@ -751,7 +755,7 @@ upcoming Psiphon single-hop proxy tool~\cite{psiphon} plans to use this There are some variations on bootstrapping in this design. In the simple case, the operator of the bridge informs each chosen user about his -bridge's address information and/or keys. Another approach involves +bridge's address information and/or keys. A different approach involves blocked users introducing new blocked users to the bridges they know. That is, somebody in the blocked area can pass along a bridge's address to somebody else they trust. This scheme brings in appealing but complex game @@ -777,14 +781,13 @@ on the first by encouraging volunteers to run several bridges at once (or coordinate with other bridge volunteers), such that some fraction of the bridges are likely to be available at any given time. -The blocked user's Tor client could periodically fetch an updated set of +The blocked user's Tor client would periodically fetch an updated set of recommended bridges from any of the working bridges. Now the client can learn new additions to the bridge pool, and can expire abandoned bridges or bridges that the adversary has blocked, without the user ever needing -to care. To simplify maintenance of the community's bridge pool, rather -than mirroring all of the information at each bridge, each community -could instead run its own bridge directory authority (accessed via the -available bridges), +to care. To simplify maintenance of the community's bridge pool, each +community could run its own bridge directory authority---accessed via +the available bridges, or mirrored at each bridge. \subsection{Social networks with directory-side support} @@ -1002,6 +1005,11 @@ progress reports. The above geoip-based approach to detecting blocked bridges gives us a solution though. +\subsection{Advantages of deploying all solutions at once} + +For once we're not in the position of the defender: we don't have to +defend against every possible filtering scheme, we just have to defend +against at least one. \section{Security considerations} \label{sec:security} @@ -1059,6 +1067,11 @@ lot of the decision rests on which attacks the users are most worried about. For most users, we don't think running a bridge relay will be that damaging. +Need to examine how entry guards fit in. If the blocked user doesn't use +the bridge's entry guards, then the bridge doesn't gain as much cover +benefit. If he does, first how does that actually work, and second is +it turtles all the way down (need to use the guard's guards, ...)? + \subsection{Trusting local hardware: Internet cafes and LiveCDs} \label{subsec:cafes-and-livecds} @@ -1201,7 +1214,10 @@ servers.) \subsection{What if the clients can't install software?} -Bridge users without Tor clients +[this section should probably move to the related work section, +or just disappear entirely.] + +Bridge users without Tor software Bridge relays could always open their socks proxy. This is bad though, first @@ -1217,6 +1233,10 @@ if one of its barriers to deployment is a lack of volunteers willing to exit directly to websites. But it clearly drops some of the nice anonymity and security features Tor provides. +A hybrid approach where the user gets his anonymity from Tor but his +software-less use from a web proxy running on a trusted machine on the +free side. + \subsection{Publicity attracts attention} \label{subsec:publicity} @@ -1258,6 +1278,13 @@ Hidden services as bridges. Hidden services as bridge directory authorities. \section{Conclusion} +a technical solution won't solve the whole problem. after all, china's +firewall is *socially* very successful, even if technologies exist to +get around it. + +but having a strong technical solution is still useful as a piece of the +puzzle. + \bibliographystyle{plain} \bibliography{tor-design} \appendix |