diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/design-paper/challenges.tex | 165 |
1 files changed, 84 insertions, 81 deletions
diff --git a/doc/design-paper/challenges.tex b/doc/design-paper/challenges.tex index d40829efe..a62727a99 100644 --- a/doc/design-paper/challenges.tex +++ b/doc/design-paper/challenges.tex @@ -277,7 +277,7 @@ adversaries and our dispersal goals. \subsubsection{Distributed trust} In practice Tor's threat model is based entirely on the goal of -dispersal and diversity. +dispersal and diversity. Tor's defense lies in having a diverse enough set of servers to prevent most real-world adversaries from being in the right places to attack users. @@ -369,24 +369,10 @@ Tor project's \emph{image} with respect to its users and the rest of the Internet impacts the security it can provide. % No image, no sustainability -NM -% Fold this into next subsec. -As an example to motivate this section, some U.S.~Department of Energy -penetration testing engineers are tasked with compromising DoE computers -from the outside. They only have a limited number of ISPs from which to -launch their attacks, and they found that the defenders were recognizing -attacks because they came from the same IP space. These engineers wanted -to use Tor to hide their tracks. First, from a technical standpoint, -Tor does not support the variety of IP packets one would like to use in -such attacks (see Section~\ref{subsec:tcp-vs-ip}). But aside from this, -we also decided that it would probably be poor precedent to encourage -such use---even legal use that improves national security---and managed -to dissuade them. - With this image issue in mind, this section discusses the Tor user base and Tor's interaction with other services on the Internet. -\subsection{Image and security} -% Communicating security? - NM +\subsection{Communicating security} A growing field of papers argue that usability for anonymity systems contributes directly to their security, because how usable the system @@ -452,9 +438,7 @@ On the other hand, while the number of active concurrent users may not matter as much as we'd like, it still helps to have some other users who use the network. We investigate this issue in the next section. -\subsection{Reputability} -% Maintaining image of social value? Social value? -NM - +\subsection{Reputability and perceived social value} Another factor impacting the network's security is its reputability: the perception of its social value based on its current user base. If Alice is the only user who has ever downloaded the software, it might be socially @@ -464,16 +448,19 @@ NRA member if you prefer a contrasting example). Add a thousand random citizens (cancer survivors, privacy enthusiasts, and so on) and now she's harder to profile. -The more cancer survivors on Tor, the better for the human rights -activists. The more script kiddies, the worse for the normal users. Thus, +Furthermore, the network's reputability effects its server base: more people +are willing to run a service if they believe it will be used by human rights +workers than if they believe it will be used exclusively for disreputable +ends. This effect becomes stronger if server operators themselves think they +will be associated with these disreputable ends. + +So the more cancer survivors on Tor, the better for the human rights +activists. The more malicious hackers, the worse for the normal users. Thus, reputability is an anonymity issue for two reasons. First, it impacts the sustainability of the network: a network that's always about to be -shut down has difficulty attracting and keeping users, so its anonymity -set suffers. -% XXX but we said the anonymity set doesn't matter! -Second, a disreputable network attracts the attention of -powerful attackers who may not mind revealing the identities of all the -users to uncover a few bad ones. +shut down has difficulty attracting and keeping servers, so its diversity +suffers. Second, a disreputable network is more vulnerable to legal and +political attacks, since it will attract fewer supporters. While people therefore have an incentive for the network to be used for ``more reputable'' activities than their own, there are still tradeoffs @@ -492,6 +479,18 @@ during the bootstrapping phase of the network, where the first few widely publicized uses of the network can dictate the types of users it attracts next. +As an example, some some U.S.~Department of Energy +penetration testing engineers are tasked with compromising DoE computers +from the outside. They only have a limited number of ISPs from which to +launch their attacks, and they found that the defenders were recognizing +attacks because they came from the same IP space. These engineers wanted +to use Tor to hide their tracks. First, from a technical standpoint, +Tor does not support the variety of IP packets one would like to use in +such attacks (see Section~\ref{subsec:tcp-vs-ip}). But aside from this, +we also decided that it would probably be poor precedent to encourage +such use---even legal use that improves national security---and managed +to dissuade them. + %% "outside of academia, jap has just lost, permanently". (That is, %% even though the crime detection issues are resolved and are unlikely %% to go down the same way again, public perception has not been kind.) @@ -527,19 +526,19 @@ Still, anonymity and privacy incentives do remain for server operators: of ``deniability'' for traffic that originates at that exit node. For example, it is likely in practice that HTTP requests from a Tor server's IP will be assumed to be from the Tor network. -XXXX clarify. -\item Maintain the sustainability of the network. XXX sentencize +\item People and organizations who use Tor for anonymity depend on the + continued existence of the Tor network to do so; running a server helps to + keep the network operational. %\item Local Tor entry and exit servers allow users on a network to run in an % `enclave' configuration. [XXXX need to resolve this. They would do this % for E2E encryption + auth?] \end{tightlist} -First, we try to make the costs of running a Tor server easily minimized. +We must try to make the costs of running a Tor server easily minimized. Since Tor is run by volunteers, the most crucial software usability issue is usability by operators: when an operator leaves, the network becomes less usable by everybody. To keep operators pleased, we must try to keep Tor's -resource and administrative demands as low as possible. [XXXX say more. E.g., -exit policies.] +resource and administrative demands as low as possible. Because of ISP billing structures, many Tor operators have underused capacity that they are willing to donate to the network, at no additional monetary @@ -549,15 +548,21 @@ wants to provide high bandwidth, but no more than a certain amount in a giving billing cycle, to become dormant once its bandwidth is exhausted, and to reawaken at a random offset into the next billing cycle. This feature has interesting policy implications, however; see -section~\ref{subsec:bandwidth-and-usability} below. +section~\ref{subsec:bandwidth-and-filesharing} below. + +Exit policies help to limit administrative costs by limiting the frequency of +abuse complaints. -[XXXX say more. Why else would you run a server? What else can we do/do we - already do to make running a server more attractive?] -[We can enforce incentives; see Section 6.1. We can rate-limit clients. - We can put "top bandwidth servers lists" up a la seti@home.] +%[XXXX say more. Why else would you run a server? What else can we do/do we +% already do to make running a server more attractive?] +%[We can enforce incentives; see Section 6.1. We can rate-limit clients. +% We can put "top bandwidth servers lists" up a la seti@home.] -\subsection{Bandwidth and usability} -\label{subsec:bandwidth-and-usability} + +\subsection{Bandwidth and filesharing} +\label{subsec:bandwidth-and-filesharing} +%One potentially problematical area with deploying Tor has been our response +%to file-sharing applications. Once users have configured their applications to work with Tor, the largest remaining usability issue is bandwidth. When websites ``feel slow,'' users begin to suffer. @@ -569,22 +574,14 @@ enough capacity to provide every user with as much bandwidth as she would receive if she weren't using Tor, unless far more servers join the network (see above). -Limited capacity does not destroy the network, however. Instead, usage tends -towards an equilibrium: when performance suffers, users who value performance -over anonymity tend to leave the system, thus freeing capacity until the -remaining users on the network are exactly those willing to use that capacity -there is. - -XXX But is it the right equilibirum? And if it's the wrong one, we lose -XXX users. And if we lose the wrong users, servers won't want to help. +%Limited capacity does not destroy the network, however. Instead, usage tends +%towards an equilibrium: when performance suffers, users who value performance +%over anonymity tend to leave the system, thus freeing capacity until the +%remaining users on the network are exactly those willing to use that capacity +%there is. -XXX what if the file-sharers are more persistent than the journalists? - -\subsection{Tor and file-sharing} -%One potentially problematical area with deploying Tor has been our response -%to file-sharing applications. -File-sharing applications make up an enormous -fraction of the traffic on the Internet today, and provide two challenges to +Much of Tor's recent bandwidth difficulties have come from file-sharing +applications. These applications provide two challenges to any anonymizing network: their intensive bandwidth requirement, and the degree to which they are associated (correctly or not) with copyright violation. @@ -615,33 +612,35 @@ only permits exit connections to a restricted range of ports which are not frequently associated with file sharing. There are increasingly few such ports. +Other possible approaches might include rate-limiting connections, especially +long-lived connections or connections to file-sharing ports, so that +high-bandwidth connections do not flood the network. We might also want to +give priority to cells on low-bandwidth connections to keep them interactive, +but this could have negative anonymity implications. + For the moment, it seems that Tor's bandwidth issues have rendered it unattractive for bulk file-sharing traffic; this may continue to be so in the future. Nevertheless, Tor will likely remain attractive for limited use in - filesharing protocols that have separate control and data channels. +filesharing protocols that have separate control and data channels. -[xxxx We should say more -- but what? That we'll see a similar - equilibriating effect as with bandwidth, where sensitive ops switch to - middleman, and we become less useful for filesharing, so the filesharing - people back off, so we get more ops since there's less filesharing, so the - filesharers come back, etc.] +%[We should say more -- but what? That we'll see a similar +% equilibriating effect as with bandwidth, where sensitive ops switch to +% middleman, and we become less useful for filesharing, so the filesharing +% people back off, so we get more ops since there's less filesharing, so the +% filesharers come back, etc.] -in practice, plausible deniability is hypothetical and doesn't seem very -convincing. if ISPs find the activity antisocial, they don't care *why* -your computer is doing that behavior. - -XXXX deliberately give priority to quiet circuits? -XXXX or non file-sharing ports?? -XXXX Point is not to beat them off the network, but to keep them from -XXXX hogging the network. +%XXXX +%in practice, plausible deniability is hypothetical and doesn't seem very +%convincing. if ISPs find the activity antisocial, they don't care *why* +%your computer is doing that behavior. \subsection{Tor and blacklists} It was long expected that, alongside Tor's legitimate users, it would also attract troublemakers who exploited Tor in order to abuse services on the -Internet. -[XXX we're not talking bandwidth abuse here, we're talking vandalism, -hate mails via hotmail, attacks, etc.] +Internet with vandalism, rude mail, and so on. +%[XXX we're not talking bandwidth abuse here, we're talking vandalism, +%hate mails via hotmail, attacks, etc.] Our initial answer to this situation was to use ``exit policies'' to allow individual Tor servers to block access to specific IP/port ranges. This approach was meant to make operators more willing to run Tor by allowing @@ -675,13 +674,16 @@ No current IP blacklist, for example, allow a service provider to blacklist only those Tor servers that allow access to a specific IP or port, even though this information is readily available. One IP blacklist even bans every class C network that contains a Tor server, and recommends banning SMTP -from these networks even though Tor does not allow SMTP at all.) -[****Since this is stupid and we oppose it, shouldn't we name names here -pfs] -[XXX also, they're making \emph{middleman nodes leave} because they're caught - up in the standoff!] -[XXX Mention: it's not dumb, it's strategic!] -[XXX Mention: for some servops, any blacklist is a blacklist too many, - because it is risky. (Guy lives in apt with one IP.)] +from these networks even though Tor does not allow SMTP at all. This +coarse-grained approach is typically a strategic decision to discourage the +operation of anything resembling an open proxy by encouraging its neighbors +to shut it down in order to get unblocked themselves.) +%[****Since this is stupid and we oppose it, shouldn't we name names here -pfs] +%[XXX also, they're making \emph{middleman nodes leave} because they're caught +% up in the standoff!] +%[XXX Mention: it's not dumb, it's strategic!] +%[XXX Mention: for some servops, any blacklist is a blacklist too many, +% because it is risky. (Guy lives in apt with one IP.)] Problems of abuse occur mainly with services such as IRC networks and Wikipedia, which rely on IP blocking to ban abusive users. While at first @@ -698,10 +700,10 @@ access abuse-prone services. One conceivable approach would be to require would-be IRC users, for instance, to register accounts if they wanted to access the IRC network from Tor. But in practise, this would not significantly impede abuse if creating new accounts were easily automatable; -[ XXX yahoo uses captchas in exactly this situation] this is why services use IP blocking. In order to deter abuse, pseudonymous identities need to require a significant switching cost in resources or human time. +% XXX Mention captchas? %One approach, similar to that taken by Freedom, would be to bootstrap some %non-anonymous costly identification mechanism to allow access to a @@ -737,12 +739,13 @@ workable alternative. %by implementing the Morphmix-specific node discovery and path selection %pieces. -[XXX Mention correct DNS-RBL implementation. -NM] +%[XXX Mention correct DNS-RBL implementation. -NM] \section{Crossroads: Design choices} \label{sec:crossroads-design} -[XXX sentence here.] +In addition to social issues, Tor also faces some design challenges that must +be addressed as the network develops. \subsection{Transporting the stream vs transporting the packets} \label{subsec:stream-vs-packet} |