
resolve some XXX's

svn:r767
Roger Dingledine 20 years ago
parent
commit
2ebad9853d
1 file changed, with 19 insertions and 30 deletions

+ 19 - 30
doc/tor-design.tex

@@ -454,16 +454,12 @@ as Privoxy to hide differences between clients, and expunge protocol
 features that leak identity. 
 Note that by this separation Tor can also provide services that
 are anonymous to the network yet authenticated to the responder, like
-SSH.
-Similarly, Tor does not currently integrate
+SSH. Similarly, Tor does not currently integrate
 tunneling for non-stream-based protocols like UDP; this too must be
 provided by an external service.
 
-\textbf{Does not provide untraceability:} Tor does not try to conceal
-%XXX untraceability, unobservability, unlinkability? -RD
-which users are
-sending or receiving communications; it only tries to conceal with whom
-they communicate.
+\textbf{Not steganographic:} Tor does not try to conceal who is connected
+to the network.
 
 \SubSection{Threat Model}
 \label{subsec:threat-model}
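
Review bot: the new \textbf{Not steganographic:} paragraph drops the second half of the old sentence ("it only tries to conceal with whom they communicate"), so this non-goal no longer states what Tor does protect. Consider keeping the contrast, for example "Tor does not try to conceal who is connected to the network; it only tries to conceal with whom they communicate." The term "steganographic" is also introduced here without a definition, while the removed %XXX comment shows the terminology (untraceability, unobservability, unlinkability) was still an open question; a short definition on first use would settle it.
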
@@ -1008,9 +1004,10 @@ require investigation.
 \SubSection{Exit policies and abuse}
 \label{subsec:exitpolicies}
 
-%XXX originally, we planned to put the "users only know the hostname,
-%    not the IP, but exit policies are by IP" problem here too. Worth
-%    while still? -RD
+% originally, we planned to put the "users only know the hostname,
+% not the IP, but exit policies are by IP" problem here too. Not
+% worth putting in the submission, but worth thinking about putting
+% in sometime somehow. -RD
 
 Exit abuse is a serious barrier to wide-scale Tor deployment. Anonymity
 presents would-be vandals and abusers with an opportunity to hide
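
Review bot: the rewritten comment above "Exit abuse is a serious barrier" removes the XXX marker but still records an unresolved design issue (users know only the hostname, exit policies are by IP), so it will no longer show up when searching the source for open items. Since the note itself says this is "worth thinking about putting in sometime somehow", keep a searchable marker on it, or move it to a list of deferred items, rather than leaving it as an untagged comment.
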
@@ -1044,14 +1041,8 @@ between the private exit and the final destination, and so is less sure of
 Alice's destination and activities. Most onion routers will function as
 \emph{restricted exits} that permit connections to the world at large,
 but prevent access to certain abuse-prone addresses and services. 
-In general, nodes could require the user to authenticate before
-being allowed to exit \cite{or-discex00}.
-% XXX This next sentence makes no sense to me in context; must
-% XXX revisit. -NM
-% Does this help? It's for the enclave OR model. -RD
-%In
-%general, nodes can require a variety of forms of traffic authentication
-%\cite{or-discex00}.
+Additionally, in some cases the OR can authenticate clients to
+prevent exit abuse without harming anonymity \cite{or-discex00}.
 
 %The abuse issues on closed (e.g. military) networks are different
 %from the abuse on open networks like the Internet. While these IP-based
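
Review bot: the added sentence "in some cases the OR can authenticate clients to prevent exit abuse without harming anonymity" does not say which cases. The deleted comment states that this is for the enclave OR model, and that is the detail that made the sentence hard to follow in context for the other author; naming that model in the text would resolve it. "Without harming anonymity" is also a stronger claim than the removed "nodes could require the user to authenticate before being allowed to exit", and it rests only on the \cite{or-discex00} reference, so a clause saying why anonymity is preserved would help.
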
@@ -1414,16 +1405,14 @@ itself may be hostile). Filtering content is not a primary goal of Onion
 Routing; nonetheless, Tor can directly use Privoxy and related
 filtering services to anonymize application data streams.
 
-\emph{Option distinguishability.} Options can be a
-source of distinguishable patterns. In general there is economic
-incentive to allow preferential services \cite{econymics}, and some
-degree of configuration choice can attract users, which
-provide anonymity.  So far, however, we have
-not found a compelling use case in Tor for any client-configurable
-options.  Thus, clients are currently distinguishable only by their
-behavior.
-%XXX Actually, circuitrebuildperiod is such an option. -RD
-  
+\emph{Option distinguishability.} We allow clients to choose local
+configuration options. For example, clients concerned about request
+linkability should rotate circuits more often than those concerned
+about traceability. There is economic incentive to attract users by
+allowing this choice; but at the same time, a set of clients who are
+in the minority may lose more anonymity by appearing distinct than they
+gain by optimizing their behavior \cite{econymics}.
+
 \emph{End-to-end timing correlation.}  Tor only minimally hides
 end-to-end timing correlations. An attacker watching patterns of
 traffic at the initiator and the responder will be
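
Review bot: the new \emph{Option distinguishability.} paragraph contrasts clients "concerned about request linkability" with those "concerned about traceability", but this same commit deletes the "Does not provide untraceability" paragraph and leaves neither term defined in the visible text. Define both where they are first used, or reword the example in terms of circuit rotation alone. The removed %XXX comment names circuitrebuildperiod as the option in question; mentioning it by name would make "rotate circuits more often" concrete. The closing sentence also leaves the old conclusion ("clients are currently distinguishable only by their behavior") without a replacement, so the paragraph no longer says whether configuration choices currently distinguish clients.
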
@@ -1816,8 +1805,8 @@ and possibly better anonymity \cite{econymics}. More nodes means increased
 scalability, and more users can mean more anonymity. We need to continue
 examining the incentive structures for participating in Tor.
 
-\emph{Cover traffic:} Currently Tor omits cover traffic because its costs
-in performance and bandwidth are clear, whereas its security benefits are
+\emph{Cover traffic:} Currently Tor omits cover traffic---its costs
+in performance and bandwidth are clear but its security benefits are
 not well understood. We must pursue more research on link-level cover
 traffic and long-range cover traffic to determine whether some simple padding
 method offers provable protection against our chosen adversary.
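
Review bot: in the \emph{Cover traffic:} sentence, replacing "because" with "---" makes the cost/benefit statement read as an aside rather than as the reason cover traffic is omitted. If the causal reading is intended, keep it explicit, for example "Currently Tor omits cover traffic: its costs in performance and bandwidth are clear, but its security benefits are not well understood." A comma before "but" is needed either way.
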