On Wed, Oct 14, 2020, 6:34 PM Peter Fairbrother <[email protected]> wrote:
> On 14/10/2020 18:22, jim bell wrote: > > > Last year, I tried to start a discussion to implement a new anonymity > router network, perhaps using the Raspberry Pi computers. I got a quote > for 500 Raspberry Pi's, at $70 each. I included a few ideas, some old, > some new: > > > > 1. Routers could be anywhere, but would include homes and small > businesses. Anyone who has an Internet service with an adequately-large > data cap. (Recently, I saw that CenturyLink had removed the data cap from > some of its internet services. especially fiber. > https://www.highspeedinternet.com/resources/which-internet-service-providers-have-data-caps#:~:text=CenturyLink%20has%20a%201%20TB,you'll%20enjoy%20unlimited%20data > . > > > > And their data caps, where they still exist, are 1 terabyte/month, > which I think would be plenty for an anonymity network. > > The problem is that a reliable cheap anonymising network for low-latency > traffic like web traffic is basically impossible. > > Tor is about as good as we can get. When I was designing m-o-o-t I > didn't include any web anonymiser for that reason. > > The problem is traffic volume and latency. If we want low-latency web > traffic - nowadays [1] that's less than 4 seconds - we can't include > fixed file sizes with realistic constraints on traffic. > > To put some BOTE numbers on that, suppose you want to provide for 1 > million concurrent users. You have about 150 TB per month user traffic > to play with (500 x 1TB, ~3 hops), 150 MB per month per user, or 450 Baud. > Could you explain your math here? How did 500TB/3 (am I wrong?) become 150MB? > Ouch. > > > 2. Extensive chaff. (which, of course, is an old idea, strangely > it's not yet implemented in TOR) > > Like fixed file sizes - essential for anonymity - chaff and covertraffic > takes too much traffic, see above. > I don't see how what you said above is related to whether the data is real or decoy. Obviously you would keep the sum of the two constant. > > 3. "Output nodes" would output only in encrypted form, so that people > generally could not get in trouble for acting as an output node: Their > output could be monitored, but not understood as to its content, since it > would look like random data. > > That doesn't work - the users want to connect to any web server > somewhere. You could enforce eg TLS but even that does not hide file > sizes.. > Enforcing TLS is much more reasonable nowadays. (You could add a plugin to use http tricks to hide file sizes.). Not what I would focus on once it gets nonsimple. > > 4. I also thought of an idea that such a network should implement > multiple algorithms for networking, simultaneously, limited only by > people's imaginations: People frequently talk about new ideas for > anonymity networks, but how might they try them out in practice? If an > anonymity network is fated to have ONLY ONE routing method, then all new > such methods cannot be easily developed: You'd have to physically build a > new network, along with all such associated costs, for each new routing > method. That's completely illogical. > > > > Should there be any limit to the number of kinds of routing done? > It's all software. One advantage of this feature is that all these > different routing algorithms are mixed together, such it should be harder to > > That's OK if you are doing development, but not for production - unless > the users decide the routing, as in eg Mixmaster. But you can't (or > shouldn't) use an anonymiser if you don't know whether it is going to work! > Seems reasonable to make this pluggable. Final use would need all users to look the same, and no exits have a predictable source. > > TOR is doubted for many good reasons, but if it is generally agreed that > some form of anonymizing network is needed, then people should be willing > to work to provide an alternative. > Seems to me the smaller it is to build the more likely it is to reach completion and use. > > I was at some of the early meetings when Roger Dingledene, Paul > Syverson, Lucky Green, Nick Matthewson, Len Sassaman, myself and others > were talking about a web anonymiser, which later became Tor. > > Other people at those meetings included many if not most of the top > anonymity researchers, and some of the top cryptographers, in the world > at that time. Tor was not conceived as is was by accident or in > ignorance [2], many people (including myself) thought it was about the > best that could be done. > > > Roger's thought was that TOR would make mass surveillance difficult and > it would be worth doing for that reason, even though it wouldn't prevent > targeted attacks by major adversaries. At a set of meetings the next > year Roger had gotten some funding, iirc from the US Navy, and Nick had > started work on coding. > > I bowed out almost immediately, Len and Lucky bowed out after a while, > because we knew it couldn't be done securely on the user level. > > After that I pretty much lost interest, though I did keep an eye on the > project. > > > > > The problem is that it's a super Zooko's triangle - you simply can't get > reliably anonymous, low-latency and cheap anonymous web traffic. > > You probably can't even get reliably anonymous and low-latency, at any > price. > > > > Peter Fairbrother > > > > [1] Acceptable low latencies vary according to use and user expectations > - fifteen years ago people would wait 20 seconds or more for a web page > to load, nowadays they lose interest at 4 seconds. Actually maybe less > now, that figure is several years old. And for interactive speech or > video latencies should be subsecond. > > [2] or with evil intent, at least from Roger and Nick. > > I don't think Paul had any evil intent either, but he was USN and is > therefore suspect. It's like my friend from GCHQ - we are friends and we > were sort-of colleagues until I retired, but it's a bit like having a > policeman live next door - even when you have done no wrong you are > always aware that he is a policeman. > My gut is that evil intent is pretty rare in a group of like-minded people putting work in. It's more likely people are acting on differing information or experiences, or can't escape something difficult. > > One curiousity, the .onion part of the TOR infrastructure was largely > driven by Paul. >
