summaryrefslogtreecommitdiff
path: root/doc/design-paper
diff options
context:
space:
mode:
authorRoger Dingledine <arma@torproject.org>2005-02-08 01:57:19 +0000
committerRoger Dingledine <arma@torproject.org>2005-02-08 01:57:19 +0000
commit51784c419195a544a93cf5cafa24e1df26d3b517 (patch)
tree5cc12d3aa18e3cc7f0c3578a88800b73b0973d19 /doc/design-paper
parentaed5aae534ebb9571774e285a268d390219a869a (diff)
downloadtor-51784c419195a544a93cf5cafa24e1df26d3b517.tar.gz
tor-51784c419195a544a93cf5cafa24e1df26d3b517.zip
give us page numbers, cut some more
svn:r3578
Diffstat (limited to 'doc/design-paper')
-rw-r--r--doc/design-paper/challenges.tex64
1 files changed, 5 insertions, 59 deletions
diff --git a/doc/design-paper/challenges.tex b/doc/design-paper/challenges.tex
index 339a79cc00..8c158a6916 100644
--- a/doc/design-paper/challenges.tex
+++ b/doc/design-paper/challenges.tex
@@ -30,7 +30,7 @@ Naval Research Lab \email{<syverson@itd.nrl.navy.mil>}}
\maketitle
-\pagestyle{empty}
+%\pagestyle{empty}
\begin{abstract}
There are many unexpected or unexpectedly difficult obstacles to
@@ -891,16 +891,14 @@ mix-networks resist these attacks by introducing variability into message
arrival times: as timing variance increases, timing correlation attacks
require increasingly more data~\cite{e2e-traffic}. Can we improve Tor's
resistance to these attacks without losing too much usability?
-%by introducing batching
-%and delaying strategies to the Tor messages?
First, we need to learn whether we can trade a small increase in latency
for a large anonymity increase, or if we'll end up trading a lot of
latency for a small security gain. It would be worthwhile even if we
can only protect certain use cases, such as infrequent short-duration
-transactions. In order to answer this question, we might
-try to adapt the techniques of~\cite{e2e-traffic} to a lower-latency mix
-network, where instead of sending messages, users send batches
+transactions. To answer this question, we might
+adapt the techniques of~\cite{e2e-traffic} to a lower-latency mix
+network, where the messages are batches
of cells in temporally clustered connections.
Once the anonymity questions are answered, we need to consider usability. If
@@ -944,7 +942,6 @@ mid-latency option; however, we should continue the caution with which
we have always approached padding lest the overhead cost us too much
performance or too many volunteers.
-
\subsection{Measuring performance and capacity}
\label{subsec:performance}
@@ -1114,7 +1111,6 @@ produce traffic. They seem the ideal use case for our above discussion
of helper nodes. This insecurity means that they may not be suitable as
a building block for Free Haven~\cite{freehaven-berk} or other anonymous
publishing systems that aim to provide long-term security.
-%Also, they're brittle in terms of intersection and observation attacks.
\emph{Hot-swap} hidden services, where more than one location can
provide the service and loss of any one location does not imply a
@@ -1145,8 +1141,6 @@ encryption and end-to-end authentication to their website.
\subsection{Trust and discovery}
\label{subsec:trust-and-discovery}
-[arma will edit this and expand/retract it]
-
The published Tor design adopted a deliberately simplistic design for
authorizing new nodes and informing clients about Tor nodes and their status.
In the early Tor designs, all nodes periodically uploaded a signed description
@@ -1548,60 +1542,12 @@ minute burst in each 4 hour period.}
\end{figure}
-\section{Things to cut?}
-\subsection{Peer-to-peer / practical issues}
-
-[leave this section for now, and make sure things here are covered
-elsewhere. then remove it.]
-
-Making use of nodes with little bandwidth. How to handle hammering by
-certain applications.
-
-Handling nodes that are far away from the rest of the network, e.g. on
-the continents that aren't North America and Europe. High latency,
-often high packet loss.
+Making use of nodes with little bandwidth, or high latency/packet loss.
Running Tor nodes behind NATs, behind great-firewalls-of-China, etc.
Restricted routes. How to propagate to everybody the topology? BGP
style doesn't work because we don't want just *one* path. Point to
Geoff's stuff.
-\subsection{Caching stuff: If a topic's gotta go for space, I think this
-is the best candidate}
-
-The attacks in \cite{attack-tor-oak05} are also dependent on
-cooperation of the responding application or the ability to modify or
-monitor the responder stream, in order of decreasing attack
-effectiveness. So, another way to slow some of these attacks
-would be to cache responses at exit nodes where possible, as it is with
-DNS lookups and cacheable HTTP responses. Caching would, however,
-create threats of its own. First, a Tor network is expected to contain
-hostile nodes. If one of these is the repository of a cache, the
-attack is still possible. Though more work to set up a Tor node and
-cache repository, the payoff of such an attack is potentially
-higher.
-%To be
-%useful, such caches would need to be distributed to any likely exit
-%nodes of recurred requests for the same data.
-% Even local caches could be useful, I think. -NM
-%
-%Added some clarification -PFS
-Besides allowing any other insider attacks, caching nodes would hold a
-record of destinations and data visited by Tor users reducing forward
-anonymity. Worse, for the cache to be widely useful much beyond the
-client that caused it there would have to either be a new mechanism to
-distribute cache information around the network and a way for clients
-to make use of it or the caches themselves would need to be
-distributed widely. Either way the record of visited sites and
-downloaded information is made automatically available to an attacker
-without having to actively gather it himself. Besides its inherent
-value, this could serve as useful data to an attacker deciding which
-locations to target for confirmation. A way to counter this
-distribution threat might be to only cache at certain semitrusted
-helper nodes. This might help specific clients, but it would limit
-the general value of caching.
-
-
-
\end{document}