sptor.tex 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353
  1. \documentclass{llncs}
  2. \usepackage{url}
  3. \usepackage{amsmath}
  4. \usepackage{epsfig}
  5. \setlength{\textwidth}{5.9in}
  6. \setlength{\textheight}{8.4in}
  7. \setlength{\topmargin}{.5cm}
  8. \setlength{\oddsidemargin}{1cm}
  9. \setlength{\evensidemargin}{1cm}
  10. \newenvironment{tightlist}{\begin{list}{$\bullet$}{
  11. \setlength{\itemsep}{0mm}
  12. \setlength{\parsep}{0mm}
  13. % \setlength{\labelsep}{0mm}
  14. % \setlength{\labelwidth}{0mm}
  15. % \setlength{\topsep}{0mm}
  16. }}{\end{list}}
  17. \newcommand{\workingnote}[1]{} % The version that hides the note.
  18. %\newcommand{\workingnote}[1]{(**#1)} % The version that makes the note visible.
  19. \begin{document}
  20. \title{Design challenges and social factors in deploying low-latency anonymity}
  21. % Could still use a better title -PFS
  22. \author{Roger Dingledine\inst{1} \and
  23. Nick Mathewson\inst{1} \and
  24. Paul Syverson\inst{2}}
  25. \institute{The Tor Project \email{<\{arma,nickm\}@torproject.org>} \and
  26. Naval Research Laboratory \email{<syverson@itd.nrl.navy.mil>}}
  27. \maketitle
  28. \pagestyle{plain}
  29. \begin{abstract}
  30. There are many unexpected or unexpectedly difficult obstacles to
  31. deploying anonymous communications. We describe Tor (\emph{the}
  32. onion routing), how to use it, our design philosophy, and some of
  33. the challenges that we have faced and continue to face in building,
  34. deploying, and sustaining a scalable, distributed, low-latency
  35. anonymity network.
  36. \end{abstract}
  37. \section{Introduction}
  38. This article describes Tor, a widely-used low-latency general-purpose
  39. anonymous communication system, and discusses some unexpected
  40. challenges arising from our experiences deploying Tor. We will tell
  41. you how to use it, who uses it, how it works, why we designed it the
  42. way we did, and why this makes it usable and stable.
  43. Tor is an overlay network for anonymizing TCP streams over the
  44. Internet~\cite{tor-design}. Tor works on the real-world Internet,
  45. requires no special privileges or kernel modifications, requires
  46. little synchronization or coordination between nodes, and provides a
  47. reasonable trade-off between anonymity, usability, and efficiency.
  48. Since deployment in October 2003 the public Tor network has grown to
  49. about a thousand volunteer-operated nodes worldwide and over 110
  50. megabytes average traffic per second from hundreds of thousands of
  51. concurrent users.
  52. \section{Tor Design and Design Philosophy: Distributed Trust and Usability}
  53. Tor enables users to connect to Internet sites without revealing their
  54. logical or physical locations to those sites or to observers. It
  55. enables hosts to be publicly accessible yet have similar protection
  56. against location through its \emph{location-hidden services}.
  57. To connect to a remote server via Tor the client software first learns
  58. a %signed
  59. list of Tor nodes from several central \emph{directory servers} via a
  60. voting protocol (to avoid dependence on or complete trust in any one
  61. of these servers). It then incrementally creates a private pathway or
  62. \emph{circuit} across the network. This circuit consists of
  63. encrypted connections through authenticated Tor nodes
  64. whose public keys were obtained from the directory servers. The client
  65. software negotiates a separate set of encryption keys for each hop along the
  66. circuit. The nodes in the circuit are chosen at random by the client
  67. subject to a preference for higher performing nodes to allocate
  68. resources effectively and with a client-chosen preferred set of first
  69. nodes called \emph{entry guards} to complicate profiling attacks by
  70. internal adversaries~\cite{hs-attack}.
  71. The circuit is extended one node at a time, tunneling extensions
  72. through already established portions of the circuit, and each node
  73. along the way knows only the immediately previous and following nodes
  74. in the circuit, so no individual Tor node knows the complete path that
  75. each fixed-sized data packet (or \emph{cell}) will take. Thus,
  76. neither an eavesdropper nor a compromised node can see both the
  77. connection's source and destination. Later requests use a new
  78. circuit to complicate long-term linkability between different actions
  79. by a single user.
  80. Tor attempts to anonymize the transport layer, not the application
  81. layer. Thus, applications such as SSH can provide
  82. authenticated communication that is hidden by Tor from outside observers.
  83. When anonymity from communication partners is desired,
  84. application-level protocols that transmit identifying
  85. information need additional scrubbing proxies, such as
  86. Privoxy~\cite{privoxy} for HTTP\@. Furthermore, Tor does not relay
  87. arbitrary IP packets; it only anonymizes TCP streams and DNS requests.
  88. Tor, the third generation of deployed onion-routing
  89. designs~\cite{or-ih96,or-jsac98,tor-design}, was researched, developed,
  90. and deployed by the Naval Research Laboratory and the Free Haven
  91. Project under ONR and DARPA funding for secure government
  92. communications. In 2005, continuing work by Free Haven was funded by
  93. the Electronic Frontier Foundation for maintaining civil liberties of
  94. ordinary citizens online. In 2006, The Tor Project incorporated as a
  95. non-profit and has received continued funding from the Omidyar Network,
  96. the U.S. International Broadcasting Bureau, and other groups to combat
  97. blocking and censorship on the Internet. This diversity of funding fits
  98. Tor's overall philosophy: a wide variety of interests helps maintain
  99. both the stability and the security of the network.
  100. Usability is also a central goal. Downloading and installing Tor is
  101. easy. Simply go to\\
  102. http://torproject.org/ and download. Tor comes with install
  103. wizards and a GUI for major operating systems: GNU/Linux, OS X, and
  104. Windows. It also runs on various flavors of BSD and UNIX\@. Basic
  105. instructions, documentation, FAQs, etc.\ are available in many
  106. languages. The Tor GUI Vidalia makes server configuration easy, e.g.,
  107. choosing how much bandwidth to allocate to Tor, exit policy choices,
  108. etc. And, the GUI Torbutton allows Firefox users a one-click toggle of
  109. whether browsing goes through Tor or not. Tor is easily configured by
  110. a site administrator to run at either individual desktops or just at a
  111. site firewall or combinations of these.
  112. The ideal Tor network would be practical, useful and anonymous. When
  113. trade-offs arise between these properties, Tor's research strategy has
  114. been to remain useful enough to attract many users, and practical
  115. enough to support them. Only subject to these constraints do we try
  116. to maximize anonymity. Tor thus differs from other deployed systems
  117. for traffic analysis resistance in its security and flexibility. Mix
  118. networks such as
  119. % Mixmaster~\cite{mixmaster-spec} or its successor
  120. Mixminion~\cite{minion-design} gain the highest degrees of practical
  121. anonymity at the expense of introducing highly variable delays, making
  122. them unsuitable for applications such as web browsing. Commercial
  123. single-hop proxies~\cite{anonymizer} can provide good performance, but
  124. a single-point compromise can expose all users' traffic, and a
  125. single-point eavesdropper can perform traffic analysis on the entire
  126. network. Also, their proprietary implementations place any
  127. infrastructure that depends on these single-hop solutions at the mercy
  128. of their providers' financial health as well as network security.
  129. There are numerous other designs for distributed anonymous low-latency
  130. communication~\cite{crowds-tissec,web-mix,freedom21-security,i2p,tarzan:ccs02,morphmix:fc04}.
  131. Some have been deployed or even commercialized; some exist only on
  132. paper. Though each has something unique to offer, we feel Tor has
  133. advantages over each of them that make it a superior choice for most
  134. users and applications. For example, unlike purely P2P designs we
  135. neither limit ordinary users to content and services available only
  136. within our network nor require them to take on responsibility for
  137. connections outside the network, unless they separately choose to run
  138. server nodes. Nonetheless because we support low-latency interactive
  139. communications, end-to-end \emph{traffic correlation}
  140. attacks~\cite{danezis:pet2004,defensive-dropping,SS03,hs-attack,bauer:tr2007}
  141. allow an attacker who can observe both ends of a communication to
  142. correlate packet timing and volume, quickly linking the initiator to
  143. her destination.
  144. Our defense lies in having a diverse enough set of nodes to prevent
  145. most real-world adversaries from being in the right places to attack
  146. users, by distributing each transaction over several nodes in the
  147. network. This ``distributed trust'' approach means the Tor network
  148. can be safely operated and used by a wide variety of mutually
  149. distrustful users, providing sustainability and security.
  150. The Tor network has a broad range of users, making it difficult for
  151. eavesdroppers to track them or profile interests. These include
  152. ordinary citizens concerned about their privacy, corporations who
  153. don't want to reveal information to their competitors, and law
  154. enforcement and government intelligence agencies who need to do
  155. operations on the Internet without being noticed. Naturally,
  156. organizations will not want to depend on others for their security.
  157. If most participating providers are reliable, Tor tolerates some
  158. hostile infiltration of the network.
  159. This distribution of trust is central to the Tor philosophy and
  160. pervades Tor at all levels: Onion routing has been open source since
  161. the mid-nineties (mistrusting users can inspect the code themselves);
  162. Tor is free software (anyone could take up the development of Tor from
  163. the current team); anyone can use Tor without license or charge (which
  164. encourages a broad user base with diverse interests); Tor is designed to be
  165. usable (also promotes a large, diverse user base) and configurable (so
  166. users can easily set up and run server nodes); the Tor
  167. infrastructure is run by volunteers (it is not dependent on the
  168. economic viability or business strategy of any company) who are
  169. scattered around the globe (not completely under the jurisdiction of
  170. any single country); ongoing development and deployment has been
  171. funded by diverse sources (development does not fully depend on
  172. funding from any one source or even funding for any one primary
  173. purpose or sources in any one jurisdiction). All of these contribute
  174. to Tor's resilience and sustainability.
  175. \section{Social challenges}
  176. Many of the issues the Tor project needs to address extend beyond
  177. system design and technology development. In particular, the Tor
  178. project's \emph{image} with respect to its users and the rest of the
  179. Internet impacts the security it can provide. With this image issue
  180. in mind, this section discusses the Tor user base and Tor's
  181. interaction with other services on the Internet.
  182. \subsection{Communicating security}
  183. Usability for anonymity systems contributes to their security, because
  184. usability affects the possible anonymity set~\cite{econymics,back01}.
  185. Conversely, an unusable system attracts few users and thus can't
  186. provide much anonymity.
  187. This phenomenon has a second-order effect: knowing this, users should
  188. choose which anonymity system to use based in part on how usable and
  189. secure \emph{others} will find it, in order to get the protection of a
  190. larger anonymity set. Thus we might supplement the adage ``usability
  191. is a security parameter''~\cite{back01} with a new one: ``perceived
  192. usability is a security parameter.''~\cite{usability-network-effect}.
  193. \subsection{Reputability and perceived social value}
  194. Another factor impacting the network's security is its reputability,
  195. the perception of its social value based on its current user base. If
  196. Alice is the only user who has ever downloaded the software, it might
  197. be socially accepted, but she's not getting much anonymity. Add a
  198. thousand activists, and she's anonymous, but everyone thinks she's an
  199. activist too. Add a thousand diverse citizens (cancer survivors,
  200. people concerned about identity theft, law enforcement agents, and so
  201. on) and now she's harder to profile.
  202. Furthermore, the network's reputability affects its operator base:
  203. more people are willing to run a service if they believe it will be
  204. used by human rights workers than if they believe it will be used
  205. exclusively for disreputable ends. This effect becomes stronger if
  206. node operators themselves think they will be associated with their
  207. users' ends.
  208. So the more cancer survivors on Tor, the better for the human rights
  209. activists. The more malicious hackers, the worse for the normal
  210. users. Thus, reputability is an anonymity issue for two
  211. reasons. First, it impacts the sustainability of the network: a
  212. network that's always about to be shut down has difficulty attracting
  213. and keeping adequate nodes. Second, a disreputable network is more
  214. vulnerable to legal and political attacks, since it will attract fewer
  215. supporters.
  216. Reputability becomes even more tricky in the case of privacy networks,
  217. since the good uses of the network (such as publishing by journalists
  218. in dangerous countries, protecting road warriors from profiling and
  219. potential physical harm, tracking of criminals by law enforcement,
  220. protecting corporate research interests, etc.) are typically kept private,
  221. whereas network abuses or other problems tend to be more widely
  222. publicized.
  223. \subsection{Abuse}
  224. \label{subsec:tor-and-blacklists}
  225. For someone willing to be antisocial or even break the law, Tor is
  226. usually a poor choice to hide bad behavior. For example, Tor nodes are
  227. publicly identified, unlike the million-node botnets that are now
  228. common on the Internet. Nonetheless, we always expected that,
  229. alongside legitimate users, Tor would also attract troublemakers who
  230. exploit Tor to abuse services on the Internet with vandalism, rude
  231. mail, and so on. \emph{Exit policies} have allowed individual nodes
  232. to block access to specific IP/port ranges. This approach aims to
  233. make operators more willing to run Tor by allowing them to prevent
  234. their nodes from being used for abusing particular services. For
  235. example, by default Tor nodes block SMTP (port 25), to avoid the issue
  236. of spam.
  237. Exit policies are useful but insufficient: if not all nodes block a
  238. given service, that service may try to block Tor instead. While being
  239. blockable is important to being good netizens, we would like to
  240. encourage services to allow anonymous access. Services should not need
  241. to decide between blocking legitimate anonymous use and allowing
  242. unlimited abuse. Nonetheless, blocking IP addresses is a
  243. course-grained solution~\cite{netauth}: entire apartment buildings,
  244. campuses, and even countries sometimes share a single IP address.
  245. Also, whether intended or not, such blocking supports repression of
  246. free speech. In many locations where Internet access of various kinds
  247. is censored or even punished by imprisonment, Tor is a path both to
  248. the outside world and to others inside. Blocking posts from Tor makes
  249. the job of censoring authorities easier. This is a loss for both Tor
  250. and services that block, such as Wikipedia: we don't want to compete
  251. for (or divvy up) the NAT-protected entities of the world. This is
  252. also unfortunate because there are relatively simple technical
  253. solutions~\cite{nym}. Various schemes for escrowing anonymous posts
  254. until they are reviewed by editors would both prevent abuse and remove
  255. incentives for attempts to abuse. Further, pseudonymous reputation
  256. tracking of posters through Tor would allow those who establish
  257. adequate reputation to post without escrow~\cite{nym,nymble}.
  258. We stress that as far as we can tell, most Tor uses are not
  259. abusive. Most services have not complained, and others are actively
  260. working to find ways besides banning to cope with the abuse. For
  261. example, the Freenode IRC network had a problem with a coordinated
  262. group of abusers joining channels and subtly taking over the
  263. conversation; but when they labelled all users coming from Tor IP
  264. addresses as ``anonymous users,'' removing the ability of the abusers
  265. to blend in, the abusers stopped using Tor. This is an illustration of
  266. how simple
  267. technical mechanisms can remove the ability to abuse anonymously
  268. without undermining the ability to communicate anonymously and can
  269. thus remove the incentive to attempt abusing in this way.
  270. \section{The Future}
  271. \label{sec:conclusion}
  272. Tor is the largest and most diverse low-latency anonymity network
  273. available, but we are still in the early stages. Several major
  274. questions remain.
  275. First, will our volunteer-based approach to sustainability continue to
  276. work as well in the long term as it has the first several years?
  277. Besides node operation, Tor research, deployment, maintainance, and
  278. development is increasingly done by volunteers: package maintenance
  279. for various OSes, document translation, GUI design and implementation,
  280. live CDs, specification of new design changes, etc.\
  281. %
  282. Second, Tor is only one of many components that preserve privacy
  283. online. For applications where it is desirable to keep identifying
  284. information out of application traffic, someone must build more and
  285. better protocol-aware proxies that are usable by ordinary people.
  286. %
  287. Third, we need to maintain a reputation for social good, and learn how to
  288. coexist with the variety of Internet services and their established
  289. authentication mechanisms. We can't just keep escalating the blacklist
  290. standoff forever.
  291. %
  292. Fourth, the current Tor architecture hardly scales even to handle
  293. current user demand. We must deploy designs and incentives to further
  294. encourage clients to relay traffic too, without thereby trading away
  295. too much anonymity or other properties.
  296. These are difficult and open questions. Yet choosing not to solve them
  297. means leaving most users to a less secure network or no anonymizing
  298. network at all.\\
  299. \noindent{\bf Acknowledgment:} Thanks to Matt Edman for many
  300. helpful comments on a draft of this article.
  301. \bibliographystyle{plain} \bibliography{tor-design}
  302. \end{document}