@@ -107,14 +107,13 @@ and~\ref{sec:crossroads-technical} go on to describe the practical challenges,
both policy and technical respectively, that stand in the way of moving
from a practical useful network to a practical useful anonymous network.
-\section{What Is Tor}
+
+\section{Distributed trust: safety in numbers}
\label{sec:what-is-tor}
Here we give a basic overview of the Tor design and its properties. For
details on the design, assumptions, and security arguments, we refer
-the reader to~\cite{tor-design}.
-
-\subsection{Distributed trust: safety in numbers}
+the reader to the Tor design paper~\cite{tor-design}.
Tor provides \emph{forward privacy}, so that users can connect to
Internet sites without revealing their logical or physical locations
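Review bot: the new section title ``Distributed trust: safety in numbers'' no longer matches its own opening sentence, which still promises ``a basic overview of the Tor design and its properties'', and the label left in place is `sec:what-is-tor`; either keep ``What Is Tor'' as the section title and restore the distributed-trust heading as a `\subsection` after the `\cite{tor-design}` sentence, or accept the mismatch knowingly and leave the label alone so existing `\ref{sec:what-is-tor}` uses keep working. The change to `the Tor design paper~\cite{tor-design}` is right: the tie stops a line break before the citation and matches the `~\ref` already used in the context line above.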
@@ -150,10 +149,6 @@ offering various kinds of services, such as web publishing or an instant
messaging server. Using Tor ``rendezvous points'', other Tor users can
connect to these hidden services, each without knowing the other's network
identity.
-
-
-
-
Tor attempts to anonymize the transport layer, not the application layer, so
application protocols that include personally identifying information need
@@ -185,7 +180,7 @@ Instead, to protect our networks from traffic analysis, we must
collaboratively blend the traffic from many organizations and private
citizens, so that an eavesdropper can't tell which users are which,
and who is looking for what information. By bringing more users onto
-the network, all users become more secure \cite{econymics}.
+the network, all users become more secure~\cite{econymics}.
Naturally, organizations will not want to depend on others for their
security. If most participating providers are reliable, Tor tolerates
@@ -196,12 +191,16 @@ hasn't been read or modified. This even works for Internet services that
don't have built-in encryption and authentication, such as unencrypted
HTTP or chat, and it requires no modification of those services to do so.
-weasel's graph of \# nodes and of bandwidth, ideally from week 0.
-
-Tor doesn't try to provide steg (but see Sec \ref{china}), or
-the other non-goals listed in tor-design.
+As of January 2005, the Tor network has grown to around a hundred servers
+on four continents, with a total capacity exceeding 1Gbit/s. Appendix A
+shows a graph of the number of working servers over time, as well as a
+graph of the number of bytes being handled by the network over time. At
+this point the network is sufficiently diverse for further development
+and testing; but of course we always encourage and welcome new servers
+to join the network.
-[arma will do this part]
+
+
Tor is not the only anonymity system that aims to be practical and useful.
Commercial single-hop proxies~\cite{anonymizer}, as well as unsecured
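Review bot: the deleted line ``Tor doesn't try to provide steg (but see Sec \ref{china}), or the other non-goals listed in tor-design'' is substantive content rather than a TODO, and the new paragraph does not replace it; reinstate it as prose, pointing at `\ref{subsec:china}` rather than the old `\ref{china}`, since the label added at the end of this patch uses the `subsec:` prefix. In the new paragraph, ``Appendix A'' is hard-coded text; write `Appendix~\ref{...}` against a label on the appendix so the letter survives reordering. Also state whether ``total capacity exceeding 1Gbit/s'' is advertised server bandwidth or observed throughput, because the appendix graph described in the next sentence plots bytes actually handled, and typeset the unit with a thin space (`1\,Gbit/s`).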
@@ -277,6 +276,7 @@ complicating factors:



+
in practice tor's threat model is based entirely on the goal of dispersal
and diversity. george and steven describe an attack \cite{draft} that
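Review bot: the added blank line is whitespace only, but the context it lands in is still draft shorthand (``in practice tor's threat model'', ``george and steven describe an attack \cite{draft}''); if those lines are staying for now, at least apply the same `~\cite{draft}` tie that an earlier hunk applied to `\cite{econymics}`, and capitalize Tor and the two names so the paragraph does not read as a note when it reaches a build.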
@@ -312,22 +312,22 @@ we also decided that it would probably be poor precedent to encourage
such use---even legal use that improves national security---and managed
to dissuade them.
-With this image issue in mind, here we discuss the Tor user base and
+With this image issue in mind, this section discusses the Tor user base and
Tor's interaction with other services on the Internet.
-\subsection{Image and reputability}
+
+\subsection{Image and security}
Image: substantial non-infringing uses. Image is a security parameter,
since it impacts user base and perceived sustainability.
-grab reputability paragraphs from usability.tex [arma will do this]
+good uses are kept private, bad uses are publicized. not good.
-A Tor gui, how jap's gui is nice but does not reflect the security
-they provide.
Public perception, and thus advertising, is a security parameter.
-good uses are kept private, bad uses are publicized. not good.
-
users do not correlate to anonymity. arma will do this.
+Communicating security levels to the user
+A Tor gui, how jap's gui is nice but does not reflect the security
+they provide.
\subsection{Usability and bandwidth and sustainability and incentives}
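Review bot: the added line ``Communicating security levels to the user'' reads as a heading but is plain body text, so LaTeX will run it straight into the following sentence about the JAP GUI; mark it up as `\paragraph{Communicating security levels to the user}` (or a `\subsubsection`) or keep it behind a `%` while it is still a note. The fragments left in the body, ``users do not correlate to anonymity. arma will do this.'' and the moved ``good uses are kept private, bad uses are publicized. not good.'', are unfinished notes as well; wrap them in `%` comments so they cannot reach a build. Renaming the subsection to ``Image and security'' is safe since it carries no `\label`.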
@@ -346,6 +346,35 @@ less useful it seems it is.
[nick will write this section]
+\subsection{Reputability}
+
+Yet another factor in the safety of a given network is its reputability:
+the perception of its social value based on its current users. If I'm
+the only user of a system, it might be socially accepted, but I'm not
+getting any anonymity. Add a thousand Communists, and I'm anonymous,
+but everyone thinks I'm a Commie. Add a thousand random citizens (cancer
+survivors, privacy enthusiasts, and so on) and now I'm hard to profile.
+
+The more cancer survivors on Tor, the better for the human rights
+activists. The more script kiddies, the worse for the normal users. Thus,
+reputability is an anonymity issue for two reasons. First, it impacts
+the sustainability of the network: a network that's always about to be
+shut down has difficulty attracting and keeping users, so its anonymity
+set suffers. Second, a disreputable network attracts the attention of
+powerful attackers who may not mind revealing the identities of all the
+users to uncover a few bad ones.
+
+While people therefore have an incentive for the network to be used for
+``more reputable'' activities than their own, there are still tradeoffs
+involved when it comes to anonymity. To follow the above example, a
+network used entirely by cancer survivors might welcome some Communists
+onto the network, though of course they'd prefer a wider variety of users.
+
+The impact of public perception on security is especially important
+during the bootstrapping phase of the network, where the first few
+widely publicized uses of the network can dictate the types of users it
+attracts next.
+
\subsection{Tor and file-sharing}
[nick will write this section]
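Review bot: the new Reputability subsection overlaps with the ``Image and security'' subsection renamed earlier in this patch, which already states that image ``is a security parameter, since it impacts user base and perceived sustainability''; merge the two or have one reference the other, otherwise the same argument is made twice in adjacent subsections. Within the new text, the sentence ``The more script kiddies, the worse for the normal users'' is only justified by the second reason given afterwards (a disreputable network draws attackers willing to deanonymize everyone to find a few), so tie it to that reason explicitly; and the first-person ``I'm'' example sits oddly beside the paper's ``we'' voice, so consider phrasing it around ``a user''. The added line count matches the `+346,35` header (29 added lines).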
@@ -951,6 +980,7 @@ network. We need to be more aware of the anonymity properties of various
approaches we can make better design decisions in the future.
\subsection{The China problem}
+\label{subsec:china}
Citizens in a variety of countries, such as most recently China and
Iran, are periodically blocked from accessing various sites outside
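Review bot: `\label{subsec:china}` is correctly placed immediately after the `\subsection`, but the only `\ref{china}` visible in this patch was deleted in an earlier hunk rather than updated, so grep the source for any remaining `\ref{china}`; with no label of that name LaTeX emits an undefined-reference warning and prints ``??''. The `subsec:` prefix also differs from the `sec:` prefix used by the existing labels (`sec:what-is-tor`, `sec:crossroads-technical`); harmless, but worth settling on one convention.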