Robert, > At first glance your statement above could be taken to suggest that Onyx > provides provably better anonymity than Tor. A second reading suggests > that you are merely claiming Onyx deploys additional techniques that are > regularly investigated for their anonymity properties, while at the same > time overcoming certain attacks that Tor is still susceptible to.
As there is no metric for measuring anonymity, it would be accurate to say that it is not going to be provable. What we can do is say such a property reasonably appears to exist, and make our determinations from there. > Would you agree that: > > - Onyx has not been the subject of independent analysis thus far, so its > anonymity properties are an open question. One problem with the idea of "independent analysis" when applied to technology, is that it requires that there is an independent analyst with equivalent or superior knowledge to the system provider and tools with which to measure a test, and a metric for measurement. Anything less and you end up with an estimation that is less matched to the analyst's ability, and more synchronized to the analyst himself. If you are providing a system with young technologies implemented in a unique manner, you are unlikely to find an independent analyst with mastery in these implementations, or the ability to test, much less measure the veracity of such claims. The use of independent analysis will probably come down to warm fuzzies regarding your trust of the reputation / authority of the analyst, instead of measurement of the system itself. Even then, he can only say at best that it *appears* to have these properties. However, logically it is possible to disprove claims. If we could agree on the mastery of the analyst, and his/her independence, then I don't see why we wouldn't allow such attempts. Unfortunately, the best possible result you can hope for from the analyst is "I couldn't break the system, it appears to be what is purports" which isn't going to be an affirmative response, and would be the same response given by any less-than-qualified analyst. This is where we get back to needing a metric to measure anonymity, otherwise we are snipe-hunting for warm fuzzies. Would you agree? > - Some of the features you describe are not proven to provide better > anonymity (e.g. traffic padding). As there is no metric of measuring anonymity, it would be a moot point to say there is a technically "better" anonymity. What we can say is this provides what appears to be better anonymity because of a sound design. In this specific instance, the matter is that padding increases the opacity of the context of a transmission. This generally assumes that the less accurate data an adversary has to perform traffic analysis, the weaker the signal intelligence and thus the better the anonymity will be. Perhaps an analogy would be two gifts under a Christmas tree. One is shrink-wrapped and you can clearly see the outline of the object and the other is padded in a box. To a casual observer, I could estimate that it is easier to determine the contents of the shrink-wrapped item rather than the item in the box. Probably not the best analogy, but just at the top of the mind. > - Onyx's immunity to sybil attacks and exit node injection is not explicit > in its design. This immunity depends on the behaviour of the network > operators. That is correct, we verify the integrity of the nodes and extend commensurate trust to the operators of those nodes, which is based on a reputation system. A pertinent difference is that operators do not volunteer, they are only invited, so there is little opportunity for malicious nodes. > - Are there plans afoot to open Onyx to independent investigation without > becoming a paying customer? Does the design of the Onyx network allow such > investigation? If a metric for measuring anonymity is established, I think we would gladly welcome such an investigation. > - Isn't the use of a small number of privately, centrally owned servers to > provide an anonymity network inherently problematic? Doesn't the anonymity > of the client on such a network depend almost completely on the integrity > of the network operator (i.e. xerobank)? The network node ownership and operation is completely decentralized and distributed. Nodes are owned and operated by different corporations in unique jurisdictions, differing from the location of the nodes they operate. > Apologies if some of my questions/assumptions above could be answered or > contradicted by reading the whitepaper in full, but I'm sure they > represent the sentiments of many readers on this list who are a little > skeptical of what kind of beast Onyx actually is but aren't prepared to > analyse it in any depth. This would certainly be a good opportunity for > clearing such matters up with or-talk cynics such as myself. It's my pleasure. These are complicated subjects to say the least. Steve
