On 4/28/06, glymr <[EMAIL PROTECTED]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Anthony DiPierro wrote: > > On 4/27/06, Ringo Kamens <[EMAIL PROTECTED]> wrote: > >> I don't really see anything wrong with it if you really want to do it. It > >> doesn't really increase anonymity, but it sounds good to me. I'm assuming > >> that tor2 sees the ip address of the tor 1 exit node. > >> > > > > The way I picture it it would basically be equivalent to adding extra > > hops. I remember reading this is possible to hack into the standard > > tor software, but I believe it requires a recompile and not just a > > config file tweak. > > > > Anyway, it is my understanding that the current default implementation > > uses three hops. Now am I correct that that includes the exit node? > > Does it also include the entry node which is generally on the same > > computer? > this is incorrect, the entry node, middleman node and exit node are > separate from the client. if one is running a tor server the entry > node is indeed the same node but remember a tor server is shuffling > every other packet from other circuits mixed in with yours, and thus > it seems logical that it would improve anonymity
OK, thanks for the correction. So the standard implementation (using privoxy and firefox, for instance), would be: firefox (local) -> privoxy (local) -> tor client (local) -> tor 1 (remote) -> tor 2 (remote) -> tor 3 (remote, exit node) -> webserver? > > If so, it seems that in the current default implementation only one > > compromised node, the middle node (working with the destination site), > > is needed to significantly impact your anonymity. The IP address of > > the exit node is generally recorded in web logs along with the time > > and date. So if the middle node records the incoming and outgoing > > node IP addresses, that can then be matched up with the web logs. If > > someone is using three hops the way I described it above, then the > > incoming IP address would be the address of the tor user, right? > > Sure, you'd have a little bit of plausible deniability, as there's no > > proof your system was set up this way, but that's it. > > > > Now hopefully I'm just wrong about what constitutes three hops (or > > that the default setting is three hops). Or maybe I'm missing > > something as to why this type of attack isn't possible. > > > > One thing seems almost certain, adding hops does increase the security > > against a compromised node attack. > > > > Anthony > a compromised node attack, on average, has to compromise 1/3 of the > entire tor network to get somewhere approaching good odds of being > able to identify the endpoints of circuits. possibly 2/3, but i'd say > 1/3 of nodes being compromised would give usable violation of the > system... as you may know, there is something like 300-400 servers in > the tor network now, to compromise it they'd have to put up like > 150-200 new compromised nodes, or hack and compromise 100-150, either > task is not trivial at all. Well, it's a matter of what type of odds are acceptable to you. If 1/100th of circuits are compromised, I'd consider that too high. Now under the diagram I drew above, that'd require about 1/10 of the nodes to be compromised. If you add in another hop, then 1/10th of the nodes being compromised would mean only 1/1000th of circuits were compromised. Or am I calculating something wrong? Anthony
