blocking.tex 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702
  1. \documentclass{llncs}
  2. \usepackage{url}
  3. \usepackage{amsmath}
  4. \usepackage{epsfig}
  5. %\setlength{\textwidth}{5.9in}
  6. %\setlength{\textheight}{8.4in}
  7. %\setlength{\topmargin}{.5cm}
  8. %\setlength{\oddsidemargin}{1cm}
  9. %\setlength{\evensidemargin}{1cm}
  10. \newenvironment{tightlist}{\begin{list}{$\bullet$}{
  11. \setlength{\itemsep}{0mm}
  12. \setlength{\parsep}{0mm}
  13. % \setlength{\labelsep}{0mm}
  14. % \setlength{\labelwidth}{0mm}
  15. % \setlength{\topsep}{0mm}
  16. }}{\end{list}}
  17. \begin{document}
  18. \title{Design of a blocking-resistant anonymity system}
  19. \author{Roger Dingledine\inst{1} \and
  20. Nick Mathewson\inst{1}}
  21. \institute{The Free Haven Project \email{<\{arma,nickm\}@freehaven.net>}}
  22. \maketitle
  23. \pagestyle{plain}
  24. \begin{abstract}
  25. Websites around the world are increasingly being blocked by
  26. government-level firewalls. Many people use anonymizing networks like
  27. Tor to contact sites without letting an attacker trace their activities,
  28. and as an added benefit they are no longer affected by local censorship.
  29. But if the attacker simply denies access to the Tor network itself,
  30. blocked users can no longer benefit from the security Tor offers.
  31. Here we describe a design that builds upon the current Tor network
  32. to provide an anonymizing network that resists blocking
  33. by government-level attackers.
  34. \end{abstract}
  35. \section{Introduction and Goals}
  36. Anonymizing networks such as Tor~\cite{tor-design} bounce traffic around
  37. a network of relays. They aim to hide not only what is being said, but
  38. also who is communicating with whom, which users are using which websites,
  39. and so on. These systems have a broad range of users, including ordinary
  40. citizens who want to avoid being profiled for targeted advertisements,
  41. corporations who don't want to reveal information to their competitors,
  42. and law enforcement and government intelligence agencies who need to do
  43. operations on the Internet without being noticed.
  44. Historically, research on anonymizing systems has assumed a passive
  45. attacker who monitors the user (named Alice) and tries to discover her
  46. activities, yet lets her reach any piece of the network. In more modern
  47. threat models such as Tor's, the adversary is allowed to perform active
  48. attacks such as modifying communications in hopes of tricking Alice
  49. into revealing her destination, or intercepting some of her connections
  50. to run a man-in-the-middle attack. But these systems still assume that
  51. Alice can eventually reach the anonymizing network.
  52. An increasing number of users are making use of the Tor software not
  53. so much for its anonymity properties but for its censorship resistance
  54. properties -- if they access Internet sites like Wikipedia and Blogspot
  55. via Tor, they are no longer affected by local censorship and firewall
  56. rules. In fact, an informal user study showed China as the third largest
  57. user base for Tor clients~\cite{geoip-tor}, with tens of thousands of
  58. people accessing the Tor network from China each day.
  59. The current Tor design is easy to block if the attacker controls Alice's
  60. connection to the Tor network -- by blocking the directory authorities,
  61. by blocking all the server IP addresses in the directory, or by filtering
  62. based on the signature of the Tor TLS handshake. Here we describe a
  63. design that builds upon the current Tor network to provide an anonymizing
  64. network that also resists this blocking.
  65. %And adding more different classes of users and goals to the Tor network
  66. %improves the anonymity for all Tor users~\cite{econymics,tor-weis06}.
  67. \section{Adversary assumptions}
  68. \label{sec:adversary}
  69. The history of blocking-resistance designs is littered with all sorts
  70. of conflicting assumptions about what adversaries to expect and what
  71. problems are in the critical path to a solution. Here we try to enumerate
  72. our best understanding of the current situation around the world.
  73. In the traditional security style, we aim to describe a strong attacker
  74. -- if we can defend against it, we inherit protection against weaker
  75. attackers as well. After all, we want a general design that will
  76. work for people in China, people in Iran, people in Thailand, people
  77. in firewalled corporate networks who can't get out to whistleblow,
  78. and people in whatever the next oppressive situation is. In fact, by
  79. designing with a variety of adversaries in mind, we can actually take
  80. advantage of the fact that adversaries will be in different stages of
  81. the arms race at each location.
  82. We assume there are three main network attacks by censors
  83. currently~\cite{clayton:pet2006}:
  84. \begin{tightlist}
  85. \item Block destination by automatically searching for certain strings
  86. in TCP packets.
  87. \item Block destination by manually listing its IP address at the
  88. firewall.
  89. \item Intercept DNS requests and give bogus responses for certain
  90. destination hostnames.
  91. \end{tightlist}
  92. We assume the network firewall has very limited CPU per
  93. connection~\cite{clayton:pet2006}. Against an adversary who spends
  94. hours looking through the contents of each packet, we would need
  95. some stronger mechanism such as steganography, which introduces its
  96. own problems~\cite{active-wardens,foo,bar}.
  97. We assume that readers of blocked content will not be punished much,
  98. relative to publishers. So far in places like China, the authorities
  99. mainly go after people who publish materials and coordinate organized
  100. movements against the state. If they find that a user happens to be
  101. reading a site that should be blocked, the typical response is simply
  102. to block the site. Of course, even with an encrypted connection,
  103. the adversary can observe whether Alice is mostly downloading
  104. bytes or mostly uploading them -- we discuss this issue more in
  105. Section~\ref{subsec:upload-padding}.
  106. We assume that while various different adversaries can coordinate and share
  107. notes, there will be a significant time lag between one attacker learning
  108. how to overcome a facet of our design and other attackers picking it up.
  109. (Corollary: in the early stages of deployment, the insider threat isn't
  110. as high of a risk.)
  111. We assume that our users have control over their hardware and
  112. software -- they don't have any spyware installed, there are no
  113. cameras watching their screen, etc. Unfortunately, in many situations
  114. such attackers are very real~\cite{zuckerman-threatmodels}; yet
  115. software-based security systems like ours are poorly equipped to handle
  116. a user who is entirely observed and controlled by the adversary. See
  117. Section~\ref{subsec:cafes-and-livecds} for more discussion of what little
  118. we can do about this issue.
  119. We assume that the user will fetch a genuine version of Tor, rather than
  120. one supplied by the adversary; see Section~\ref{subsec:trust-chain}
  121. for discussion on helping the user confirm that he has a genuine version
  122. and that he can connected to the real Tor network.
  123. \section{Related schemes}
  124. \subsection{public single-hop proxies}
  125. Anonymizer and friends
  126. \subsection{personal single-hop proxies}
  127. Psiphon, circumventor, cgiproxy.
  128. Simpler to deploy; can work without new client-side software.
  129. \subsection{JAP}
  130. Stefan's WPES paper is probably the closest related work, and is
  131. the starting point for the design in this paper.
  132. \subsection{break your sensitive strings into multiple tcp packets;
  133. ignore RSTs}
  134. \subsection{steganography}
  135. infranet
  136. \subsection{Internal caching networks}
  137. Freenet is deployed inside China and caches outside content.
  138. \subsection{Skype}
  139. port-hopping. encryption. voice communications not so susceptible to
  140. keystroke loggers (even graphical ones).
  141. \section{Components of the current Tor design}
  142. Tor provides three security properties:
  143. \begin{tightlist}
  144. \item 1. A local observer can't learn, or influence, your destination.
  145. \item 2. No single piece of the infrastructure can link you to your
  146. destination.
  147. \item 3. The destination, or somebody watching the destination,
  148. can't learn your location.
  149. \end{tightlist}
  150. We care most clearly about property number 1. But when the arms race
  151. progresses, property 2 will become important -- so the blocking adversary
  152. can't learn user+destination pairs just by volunteering a relay. It's not so
  153. clear to see that property 3 is important, but consider websites and
  154. services that are pressured into treating clients from certain network
  155. locations differently.
  156. Other benefits:
  157. \begin{tightlist}
  158. \item Separates the role of relay from the role of exit node.
  159. \item (Re)builds circuits automatically in the background, based on
  160. whichever paths work.
  161. \end{tightlist}
  162. \subsection{Tor circuits}
  163. can build arbitrary overlay paths given a set of descriptors~\cite{blossom}
  164. \subsection{Tor directory servers}
  165. central trusted locations that keep track of what Tor servers are
  166. available and usable.
  167. (threshold trust, so not quite so bad. See
  168. Section~\ref{subsec:trust-chain} for details.)
  169. \subsection{Tor user base}
  170. Hundreds of thousands of users from around the world. Some with publically
  171. reachable IP addresses.
  172. \section{Why hasn't Tor been blocked yet?}
  173. Hard to say. People think it's hard to block? Not enough users, or not
  174. enough ordinary users? Nobody has been embarrassed by it yet? "Steam
  175. valve"?
  176. \section{Components of a blocking-resistant design}
  177. Here we describe the new pieces we need to add to the current Tor design.
  178. \subsection{Bridge relays}
  179. Some Tor users on the free side of the network will opt to become
  180. \emph{bridge relays}. They will relay a small amount of bandwidth into
  181. the main Tor network, so they won't need to allow exits.
  182. They sign up on the bridge directory authorities (described below),
  183. and they use Tor to publish their descriptor so an attacker observing
  184. the bridge directory authority's network can't enumerate bridges.
  185. ...need to outline instructions for a Tor config that will publish
  186. to an alternate directory authority, and for controller commands
  187. that will do this cleanly.
  188. \subsection{The bridge directory authority (BDA)}
  189. They aggregate server descriptors just like the main authorities, and
  190. answer all queries as usual, except they don't publish full directories
  191. or network statuses.
  192. So once you know a bridge relay's key, you can get the most recent
  193. server descriptor for it.
  194. Since bridge authorities don't answer full network statuses, we
  195. need to add a new way for users to learn the current status for a
  196. single relay or a small set of relays -- to answer such questions as
  197. ``is it running?'' or ``is it behaving correctly?'' We describe in
  198. Section~\ref{subsec:enclave-dirs} a way for the bridge authority to
  199. publish this information without resorting to signing each answer
  200. individually.
  201. \subsection{Putting them together}
  202. If a blocked user has address information for one working bridge relay,
  203. then he can use it to make secure connections to the BDA to update his
  204. knowledge about other bridge
  205. relays, and he can make secure connections to the main Tor network
  206. and directory servers to build circuits and connect to the rest of
  207. the Internet.
  208. So now we've reduced the problem from how to circumvent the firewall
  209. for all transactions (and how to know that the pages you get have not
  210. been modified by the local attacker) to how to learn about a working
  211. bridge relay.
  212. The following section describes ways to bootstrap knowledge of your first
  213. bridge relay, and ways to maintain connectivity once you know a few
  214. bridge relays. (See Section~\ref{subsec:first-bridge} for a discussion
  215. of exactly what information is sufficient to characterize a bridge relay.)
  216. \section{Discovering and maintaining working bridge relays}
  217. Most government firewalls are not perfect. They allow connections to
  218. Google cache or some open proxy servers, or they let file-sharing or
  219. Skype or World-of-Warcraft connections through.
  220. For users who can't use any of these techniques, hopefully they know
  221. a friend who can -- for example, perhaps the friend already knows some
  222. bridge relay addresses.
  223. (If they can't get around it at all, then we can't help them -- they
  224. should go meet more people.)
  225. Thus they can reach the BDA. From here we either assume a social
  226. network or other mechanism for learning IP:dirport or key fingerprints
  227. as above, or we assume an account server that allows us to limit the
  228. number of new bridge relays an external attacker can discover.
  229. Going to be an arms race. Need a bag of tricks. Hard to say
  230. which ones will work. Don't spend them all at once.
  231. \subsection{Discovery based on social networks}
  232. A token that can be exchanged at the BDA (assuming you
  233. can reach it) for a new IP:dirport or server descriptor.
  234. The account server
  235. runs as a Tor controller for the bridge authority
  236. Users can establish reputations, perhaps based on social network
  237. connectivity, perhaps based on not getting their bridge relays blocked,
  238. (Lesson from designing reputation systems~\cite{p2p-econ}: easy to
  239. reward good behavior, hard to punish bad behavior.
  240. \subsection{How to allocate bridge addresses to users}
  241. Hold a fraction in reserve, in case our currently deployed tricks
  242. all fail at once -- so we can move to new approaches quickly.
  243. (Bridges that sign up and don't get used yet will be sad; but this
  244. is a transient problem -- if bridges are on by default, nobody will
  245. mind not being used.)
  246. Perhaps each bridge should be known by a single bridge directory
  247. authority. This makes it easier to trace which users have learned about
  248. it, so easier to blame or reward. It also makes things more brittle,
  249. since loss of that authority means its bridges aren't advertised until
  250. they switch, and means its bridge users are sad too.
  251. (Need a slick hash algorithm that will map our identity key to a
  252. bridge authority, in a way that's sticky even when we add bridge
  253. directory authorities, but isn't sticky when our authority goes
  254. away. Does this exist?)
  255. Divide bridges into buckets based on their identity key.
  256. [Design question: need an algorithm to deterministically map a bridge's
  257. identity key into a category that isn't too gameable. Take a keyed
  258. hash of the identity key plus a secret the bridge authority keeps?
  259. An adversary signing up bridges won't easily be able to learn what
  260. category he's been put in, so it's slow to attack.]
  261. One portion of the bridges is the public bucket. If you ask the
  262. bridge account server for a public bridge, it will give you a random
  263. one of these. We expect they'll be the first to be blocked, but they'll
  264. help the system bootstrap until it *does* get blocked, and remember that
  265. we're dealing with different blocking regimes around the world that will
  266. progress at different rates.
  267. The generalization of the public bucket is a bucket based on the bridge
  268. user's IP address: you can learn a random entry only from the subbucket
  269. your IP address (actually, your /24) maps to.
  270. Another portion of the bridges can be sectioned off to be given out in
  271. a time-release basis. The bucket is partitioned into pieces which are
  272. deterministically available only in certain time windows.
  273. And of course another portion is made available for the social network
  274. design above.
  275. Is it useful to load balance which bridges are handed out? The above
  276. bucket concept makes some bridges wildly popular and others less so.
  277. But I guess that's the point.
  278. \subsection{Bootstrapping: finding your first bridge}
  279. \label{subsec:first-bridge}
  280. Some techniques are sufficient to get us an IP address and a port,
  281. and others can get us IP:port:key. Lay out some plausible options
  282. for how users can bootstrap into learning their first bridge.
  283. \section{Security improvements}
  284. \subsection{Hiding Tor's network signatures}
  285. \label{subsec:enclave-dirs}
  286. The simplest format for communicating information about a bridge relay
  287. is as an IP address and port for its directory cache. From there, the
  288. user can ask the directory cache for an up-to-date copy of that bridge
  289. relay's server descriptor, to learn its current circuit keys, the port
  290. it uses for Tor connections, and so on.
  291. However, connecting directly to the directory cache involves a plaintext
  292. http request, so the censor could create a network signature for the
  293. request and/or its response, thus preventing these connections. Therefore
  294. we've modified the Tor protocol so that users can connect to the directory
  295. cache via the main Tor port -- they establish a TLS connection with
  296. the bridge as normal, and then send a Tor "begindir" relay cell to
  297. establish a connection to its directory cache.
  298. Predictable SSL ports:
  299. We should encourage most servers to listen on port 443, which is
  300. where SSL normally listens.
  301. Is that all it will take, or should we set things up so some fraction
  302. of them pick random ports? I can see that both helping and hurting.
  303. Predictable TLS handshakes:
  304. Right now Tor has some predictable strings in its TLS handshakes.
  305. These can be removed; but should they be replaced with nothing, or
  306. should we try to emulate some popular browser? In any case our
  307. protocol demands a pair of certs on both sides -- how much will this
  308. make Tor handshakes stand out?
  309. \subsection{Minimum info required to describe a bridge}
  310. In the previous subsection, we described a way for the bridge user
  311. to bootstrap into the network just by knowing the IP address and
  312. Tor port of a bridge. What about local spoofing attacks? That is,
  313. since we never learned an identity key fingerprint for the bridge,
  314. a local attacker could intercept our connection and pretend to be
  315. the bridge we had in mind. It turns out that giving false information
  316. isn't that bad -- since the Tor client ships with trusted keys for the
  317. bridge directory authority and the Tor network directory authorities,
  318. the user can learn whether he's being given a real connection to the
  319. bridge authorities or not. (If the adversary intercepts every connection
  320. the user makes and gives him a bad connection each time, there's nothing
  321. we can do.)
  322. What about anonymity-breaking attacks from observing traffic? Not so bad
  323. either, since the adversary could do the same attacks just by monitoring
  324. the network traffic.
  325. Once the Tor client has fetched the bridge's server descriptor at least
  326. once, he should remember the identity key fingerprint for that bridge
  327. relay. Thus if the bridge relay moves to a new IP address, the client
  328. can then query the bridge directory authority to look up a fresh server
  329. descriptor using this fingerprint.
  330. So we've shown that it's \emph{possible} to bootstrap into the network
  331. just by learning the IP address and port of a bridge, but are there
  332. situations where it's more convenient or more secure to learn its
  333. identity fingerprint at the beginning too? We discuss that question
  334. more in Section~\ref{sec:bootstrapping}, but first we introduce more
  335. security topics.
  336. \subsection{Scanning-resistance}
  337. If it's trivial to verify that we're a bridge, and we run on a predictable
  338. port, then it's conceivable our attacker would scan the whole Internet
  339. looking for bridges. (In fact, he can just scan likely networks like
  340. cablemodem and DSL services -- see Section~\ref{block-cable} for a related
  341. attack.) It would be nice to slow down this attack. It would
  342. be even nicer to make it hard to learn whether we're a bridge without
  343. first knowing some secret.
  344. \subsection{Password protecting the bridges}
  345. Could provide a password to the bridge user. He provides a nonced hash of
  346. it or something when he connects. We'd need to give him an ID key for the
  347. bridge too, and wait to present the password until we've TLSed, else the
  348. adversary can pretend to be the bridge and MITM him to learn the password.
  349. \subsection{Observers can tell who is publishing and who is reading}
  350. \label{subsec:upload-padding}
  351. Should bridge users sometimes send bursts of long-range drop cells?
  352. \subsection{Anonymity effects from becoming a bridge relay}
  353. Against some attacks, becoming a bridge relay can improve anonymity. The
  354. simplest example is an attacker who owns a small number of Tor servers. He
  355. will see a connection from the bridge, but he won't be able to know
  356. whether the connection originated there or was relayed from somebody else.
  357. There are some cases where it doesn't seem to help: if an attacker can
  358. watch all of the bridge's incoming and outgoing traffic, then it's easy
  359. to learn which connections were relayed and which started there. (In this
  360. case he still doesn't know the final destinations unless he is watching
  361. them too, but in this case bridges are no better off than if they were
  362. an ordinary client.)
  363. There are also some potential downsides to running a bridge. First, while
  364. we try to make it hard to enumerate all bridges, it's still possible to
  365. learn about some of them, and for some people just the fact that they're
  366. running one might signal to an attacker that they place a high value
  367. on their anonymity. Second, there are some more esoteric attacks on Tor
  368. relays that are not as well-understood or well-tested -- for example, an
  369. attacker may be able to ``observe'' whether the bridge is sending traffic
  370. even if he can't actually watch its network, by relaying traffic through
  371. it and noticing changes in traffic timing~\cite{attack-tor-oak05}. On
  372. the other hand, it may be that limiting the bandwidth the bridge is
  373. willing to relay will allow this sort of attacker to determine if it's
  374. being used as a bridge but not whether it is adding traffic of its own.
  375. It is an open research question whether the benefits outweigh the risks. A
  376. lot of the decision rests on which the attacks users are most worried
  377. about. For most users, we don't think running a bridge relay will be
  378. that damaging.
  379. \subsection{Trusting local hardware: Internet cafes and LiveCDs}
  380. \label{subsec:cafes-and-livecds}
  381. Assuming that users have their own trusted hardware is not
  382. always reasonable.
  383. For Internet cafe Windows computers that let you attach your own USB key,
  384. a USB-based Tor image would be smart. There's Torpark, and hopefully
  385. there will be more options down the road. Worries about hardware or
  386. software keyloggers and other spyware -- and physical surveillance.
  387. If the system lets you boot from a CD or from a USB key, you can gain
  388. a bit more security by bringing a privacy LiveCD with you. Hardware
  389. keyloggers and physical surveillance still a worry. LiveCDs also useful
  390. if it's your own hardware, since it's easier to avoid leaving breadcrumbs
  391. everywhere.
  392. \subsection{Forward compatibility and retiring bridge authorities}
  393. Eventually we'll want to change the identity key and/or location
  394. of a bridge authority. How do we do this mostly cleanly?
  395. \section{Performance improvements}
  396. \subsection{Fetch server descriptors just-in-time}
  397. I guess we should encourage most places to do this, so blocked
  398. users don't stand out.
  399. \section{Other issues}
  400. \subsection{How many bridge relays should you know about?}
  401. If they're ordinary Tor users on cable modem or DSL, many of them will
  402. disappear and/or move periodically. How many bridge relays should a
  403. blockee know
  404. about before he's likely to have at least one reachable at any given point?
  405. How do we factor in a parameter for "speed that his bridges get discovered
  406. and blocked"?
  407. The related question is: if the bridge relays change IP addresses
  408. periodically, how often does the bridge user need to "check in" in order
  409. to keep from being cut out of the loop?
  410. \subsection{How do we know if a bridge relay has been blocked?}
  411. We need some mechanism for testing reachability from inside the
  412. blocked area.
  413. The easiest answer is for certain users inside the area to sign up as
  414. testing relays, and then we can route through them and see if it works.
  415. First problem is that different network areas block different net masks,
  416. and it will likely be hard to know which users are in which areas. So
  417. if a bridge relay isn't reachable, is that because of a network block
  418. somewhere, because of a problem at the bridge relay, or just a temporary
  419. outage?
  420. Second problem is that if we pick random users to test random relays, the
  421. adversary should sign up users on the inside, and enumerate the relays
  422. we test. But it seems dangerous to just let people come forward and
  423. declare that things are blocked for them, since they could be tricking
  424. us. (This matters even moreso if our reputation system above relies on
  425. whether things get blocked to punish or reward.)
  426. Another answer is not to measure directly, but rather let the bridges
  427. report whether they're being used. If they periodically report to their
  428. bridge directory authority how much use they're seeing, the authority
  429. can make smart decisions from there.
  430. If they install a geoip database, they can periodically report to their
  431. bridge directory authority which countries they're seeing use from. This
  432. might help us to track which countries are making use of Ramp, and can
  433. also let us learn about new steps the adversary has taken in the arms
  434. race. (If the bridges don't want to install a whole geoip subsystem, they
  435. can report samples of the /24 network for their users, and the authorities
  436. can do the geoip work. This tradeoff has clear downsides though.)
  437. Worry: adversary signs up a bunch of already-blocked bridges. If we're
  438. stingy giving out bridges, users in that country won't get useful ones.
  439. (Worse, we'll blame the users when the bridges report they're not
  440. being used?)
  441. Worry: the adversary could choose not to block bridges but just record
  442. connections to them. So be it, I guess.
  443. \subsection{How to learn how well the whole idea is working}
  444. We need some feedback mechanism to learn how much use the bridge network
  445. as a whole is actually seeing. Part of the reason for this is so we can
  446. respond and adapt the design; part is because the funders expect to see
  447. progress reports.
  448. The above geoip-based approach to detecting blocked bridges gives us a
  449. solution though.
  450. \subsection{Cablemodem users don't provide important websites}
  451. \label{subsec:block-cable}
  452. ...so our adversary could just block all DSL and cablemodem networks,
  453. and for the most part only our bridge relays would be affected.
  454. The first answer is to aim to get volunteers both from traditionally
  455. ``consumer'' networks and also from traditionally ``producer'' networks.
  456. The second answer (not so good) would be to encourage more use of consumer
  457. networks for popular and useful websites.
  458. Other attack: China pressures Verizon to discourage its users from
  459. running bridges.
  460. \subsection{The trust chain}
  461. \label{subsec:trust-chain}
  462. Tor's ``public key infrastructure'' provides a chain of trust to
  463. let users verify that they're actually talking to the right servers.
  464. There are four pieces to this trust chain.
  465. Firstly, when Tor clients are establishing circuits, at each step
  466. they demand that the next Tor server in the path prove knowledge of
  467. its private key~\cite{tor-design}. This step prevents the first node
  468. in the path from just spoofing the rest of the path. Secondly, the
  469. Tor directory authorities provide a signed list of servers along with
  470. their public keys --- so unless the adversary can control a threshold
  471. of directory authorities, he can't trick the Tor client into using other
  472. Tor servers. Thirdly, the location and keys of the directory authorities,
  473. in turn, is hard-coded in the Tor source code --- so as long as the user
  474. got a genuine version of Tor, he can know that he is using the genuine
  475. Tor network. And lastly, the source code and other packages are signed
  476. with the GPG keys of the Tor developers, so users can confirm that they
  477. did in fact download a genuine version of Tor.
  478. But how can a user in an oppressed country know that he has the correct
  479. key fingerprints for the developers? As with other security systems, it
  480. ultimately comes down to human interaction. The keys are signed by dozens
  481. of people around the world, and we have to hope that our users have met
  482. enough people in the PGP web of trust~\cite{pgp-wot} that they can learn
  483. the correct keys. For users that aren't connected to the global security
  484. community, though, this question remains a critical weakness.
  485. % XXX make clearer the trust chain step for bridge directory authorities
  486. \subsection{How to motivate people to run bridge relays}
  487. One of the traditional ways to get people to run software that benefits
  488. others is to give them motivation to install it themselves. An often
  489. suggested approach is to install it as a stunning screensaver so everybody
  490. will be pleased to run it. We take a similar approach here, by leveraging
  491. the fact that these users are already interested in protecting their
  492. own Internet traffic, so they will install and run the software.
  493. Make all Tor users become bridges if they're reachable -- needs more work
  494. on usability first, but we're making progress.
  495. Also, we can make a snazzy network graph with Vidalia that emphasizes
  496. the connections the bridge user is currently relaying. (Minor anonymity
  497. implications, but hey.) (In many cases there won't be much activity,
  498. so this may backfire. Or it may be better suited to full-fledged Tor
  499. servers.)
  500. \subsection{What if the clients can't install software?}
  501. Bridge users without Tor clients
  502. Bridge relays could always open their socks proxy. This is bad though,
  503. firstly
  504. because they learn the bridge users' destinations, and secondly because
  505. we've learned that open socks proxies tend to attract abusive users who
  506. have no idea they're using Tor.
  507. Bridges could require passwords in the socks handshake (not supported
  508. by most software including Firefox). Or they could run web proxies
  509. that require authentication and then pass the requests into Tor. This
  510. approach is probably a good way to help bootstrap the Psiphon network,
  511. if one of its barriers to deployment is a lack of volunteers willing
  512. to exit directly to websites. But it clearly drops some of the nice
  513. anonymity features Tor provides.
  514. \section{Future designs}
  515. \subsection{Bridges inside the blocked network too}
  516. Assuming actually crossing the firewall is the risky part of the
  517. operation, can we have some bridge relays inside the blocked area too,
  518. and more established users can use them as relays so they don't need to
  519. communicate over the firewall directly at all? A simple example here is
  520. to make new blocked users into internal bridges also -- so they sign up
  521. on the BDA as part of doing their query, and we give out their addresses
  522. rather than (or along with) the external bridge addresses. This design
  523. is a lot trickier because it brings in the complexity of whether the
  524. internal bridges will remain available, can maintain reachability with
  525. the outside world, etc.
  526. Hidden services as bridges. Hidden services as bridge directory authorities.
  527. \bibliographystyle{plain} \bibliography{tor-design}
  528. \end{document}