author | Roger Dingledine <arma@torproject.org> | 2003-11-05 04:59:47 +0000 |
---|---|---|
committer | Roger Dingledine <arma@torproject.org> | 2003-11-05 04:59:47 +0000 |
commit | d0ccf76035b630dadf5645e98511587d533deb9c (patch) | |
tree | a0c62c34645eab2f964300376d0e4f48584444c2 | |
parent | 1520e93c148f6271dfebc608b3991c88012317ce (diff) | |
download | tor-d0ccf76035b630dadf5645e98511587d533deb9c.tar tor-d0ccf76035b630dadf5645e98511587d533deb9c.tar.gz |
edits on active attacks
svn:r773
-rw-r--r-- | doc/tor-design.tex | 65 |
1 files changed, 24 insertions, 41 deletions
diff --git a/doc/tor-design.tex b/doc/tor-design.tex index c0bf9e884..ba621d353 100644 --- a/doc/tor-design.tex +++ b/doc/tor-design.tex @@ -1482,16 +1482,16 @@ need for this approach, when the German government successfully ordered them to add a backdoor to all of their nodes \cite{jap-backdoor}. -\emph{Run a recipient.} By running a webserver, an adversary +\emph{Run a recipient.} An adversary running a webserver trivially learns the timing patterns of users connecting to it, and -can introduce arbitrary patterns in its responses. This can greatly -facilitate end-to-end attacks: If the adversary can induce +can introduce arbitrary patterns in its responses. +End-to-end attacks become easier: if the adversary can induce users to connect to his webserver (perhaps by advertising -content targeted at those users), she now holds one end of their -connection. Additionally, there is a danger that the application -protocols and associated programs can be induced to reveal -information about the initiator. Tor does not aim to solve this latter problem; -we depend on Privoxy and similar protocol cleaners. +content targeted to those users), she now holds one end of their +connection. There is also a danger that application +protocols and associated programs can be induced to reveal information +about the initiator. Tor depends on Privoxy and similar protocol cleaners +to solve this latter problem. \emph{Run an onion proxy.} It is expected that end users will nearly always run their own local onion proxy. However, in some 
@@ -1507,44 +1507,27 @@ by attacking non-observed nodes to shut them down, reduce their reliability, or persuade users that they are not trustworthy. The best defense here is robustness. -\emph{Run a hostile node.} In addition to being a -local observer, an isolated hostile node can create circuits through -itself, or alter traffic patterns to affect traffic at -other nodes. (Its ability to directly DoS a neighbor is now limited -by bandwidth throttling.) Nonetheless, in order to compromise the -anonymity of a circuit by its observations, a -hostile node must be immediately adjacent to both endpoints. -If an adversary can +\emph{Run a hostile OR.} In addition to being a local observer, +an isolated hostile node can create circuits through itself, or alter +traffic patterns to affect traffic at other nodes. Nonetheless, a hostile +node must be immediately adjacent to both endpoints to compromise the +anonymity of a circuit. If an adversary can run multiple ORs, and can persuade the directory servers that those ORs are trustworthy and independent, then occasionally some user will choose one of those ORs for the start and another -as the end of a circuit. When this happens, the user's -anonymity is compromised for those circuits. If an adversary +as the end of a circuit. If an adversary controls $m>1$ out of $N$ nodes, he should be able to correlate at most $\left(\frac{m}{N}\right)^2$ of the traffic in this way---although an adversary could possibly attract a disproportionately large amount of traffic -by running an OR with an unusually permissive exit policy. - -%% Duplicate. -% -%\emph{Run a hostile directory server.} Directory servers control -%admission to the network. However, because the network directory -%must be signed by a majority of servers, the threat of a single -%hostile server is minimized. 
- -\emph{Selectively DoS a Tor node.} As noted, neighbors are -bandwidth limited; however, it is possible to open enough -circuits converging at a single onion router to -overwhelm its network connection, CPU, or both. -% We aim to address something like this attack with our congestion -% control algorithm. +by running an OR with an unusually permissive exit policy, or by +degrading the reliability of other routers. \emph{Introduce timing into messages.} This is simply a stronger version of passive timing attacks already discussed earlier. \emph{Tagging attacks.} A hostile node could ``tag'' a -cell by altering it. This would render it unreadable, but if the +cell by altering it. If the stream were, for example, an unencrypted request to a Web site, the garbled content coming out at the appropriate time would confirm the association. However, integrity checks on cells prevent @@ -1552,7 +1535,7 @@ this attack. \emph{Replace contents of unauthenticated protocols.} When relaying an unauthenticated protocol like HTTP, a hostile exit node -can impersonate the target server. Thus clients +can impersonate the target server. Clients should prefer protocols with end-to-end authentication. \emph{Replay attacks.} Some anonymity protocols are vulnerable 
@@ -1560,11 +1543,11 @@ to replay attacks. Tor is not; replaying one side of a handshake will result in a different negotiated session key, and so the rest of the recorded session can't be used. -\emph{Smear attacks.} An attacker could use the Tor network to -engage in socially disapproved acts, so as to try to bring the -entire network into disrepute and get its operators to shut it down. -Exit policies can help reduce the possibilities for abuse, but -ultimately, the network will require volunteers who can tolerate +\emph{Smear attacks.} An attacker could use the Tor network for +socially disapproved acts, to bring the +network into disrepute and get its operators to shut it down. +Exit policies reduce the possibilities for abuse, but +ultimately the network will require volunteers who can tolerate some political heat. \emph{Distribute hostile code.} An attacker could trick users @@ -1573,7 +1556,7 @@ their connections---or worse, could trick ORs into running weakened software that provided users with less anonymity. We address this problem (but do not solve it completely) by signing all Tor releases with an official public key, and including an entry in the directory -listing which versions are currently believed to be secure. To +that lists which versions are currently believed to be secure. To prevent an attacker from subverting the official release itself (through threats, bribery, or insider attacks), we provide all releases in source code form, encourage source audits, and |
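Review bot: In the @@ -1482 hunk the rewritten last sentence loses its scope statement. The old text, "Tor does not aim to solve this latter problem; we depend on Privoxy and similar protocol cleaners," says explicitly that application-layer leakage is out of scope; the new "Tor depends on Privoxy and similar protocol cleaners to solve this latter problem" reads as though the design addresses it by delegation. Suggest keeping the disclaimer, e.g. "Tor does not aim to solve this problem; it depends on Privoxy and similar protocol cleaners." Two smaller points in the same hunk: the pronoun mismatch "induce users to connect to his webserver ... she now holds one end of their connection" survives the rewrite unchanged, so pick one; and "content targeted to those users" is less idiomatic than the original "targeted at".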
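Review bot: In the @@ -1507 hunk the sentence "Nonetheless, a hostile node must be immediately adjacent to both endpoints to compromise the anonymity of a circuit" drops the qualifier "by its observations" that the old wording carried, turning a statement about traffic correlation into an unconditional claim that the same section then contradicts: the "Tagging attacks" and "Replace contents of unauthenticated protocols" paragraphs below describe what a single hostile OR can do without sitting at both ends. Suggest "to compromise the anonymity of a circuit by observation alone" or similar. Second, deleting "When this happens, the user's anonymity is compromised for those circuits" removes the consequence that motivates the $\left(\frac{m}{N}\right)^2$ bound; the text now jumps from "choose one of those ORs for the start and another as the end of a circuit" straight to the fraction of traffic correlated, so one clause restoring the consequence is worth keeping. Third, the deleted "Selectively DoS a Tor node" paragraph, together with the deleted parenthetical on bandwidth throttling, carried the only concrete mechanism in this region (enough circuits converging at a single onion router to overwhelm its network connection, CPU, or both); the replacement clause "or by degrading the reliability of other routers" presents DoS solely as a way to attract traffic. Since the unchanged context just above already lists "attacking non-observed nodes to shut them down, reduce their reliability" as an observer tactic, folding the mechanism into that paragraph would preserve the content while still dropping the duplicate entry. Finally, removing "This would render it unreadable, but" from the tagging paragraph cuts the step that explains why "garbled content" appears at the exit; consider keeping a short clause for it. Dropping the commented-out "Run a hostile directory server" duplicate is fine.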
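Review bot: In the @@ -1560 hunk "Exit policies can help reduce the possibilities for abuse" becomes "Exit policies reduce the possibilities for abuse", which strengthens the claim beyond what the paragraph itself supports: the very next clause concedes that "ultimately the network will require volunteers who can tolerate some political heat", i.e. abuse is limited, not prevented, and the hostile-OR paragraph above notes that a permissive exit policy can attract traffic. Suggest keeping the hedge ("can help reduce" or "limit") so the two sentences agree.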