On Sat, Oct 15, 2016 at 07:02:19PM -0400, Aaron Johnson wrote:
> A concern with this proposal that I have not seen mentioned is that exit
> pinning would cause the Tor path itself to leak more information about
> the intended destination. For example, a destination could (possibly
> without malicious intent) pin a single exit that is otherwise unlikely
> to be used. Simply choosing that exit would thus make it appear much more
> likely to be visiting that destination from the view of an adversary that
> can identify the exit (e.g. by being chosen as the middle relay or by
> performing a congestion attack that identifies relays on a circuit). This
> gets worse when connections can be linked together as originating at the
> same client because without pinning it is unlikely to repeatedly choose
> the same exit (or from any small set of exits). Connections can be linked
> as originating at the same client by the guard (or anybody observing a
> guard) or by middle relays that observe the same guard being used in a
> short period of time, indicating activity by the same client.

Whenever the Tor client gets told which exit to use for a circuit, it uses a 4-hop path for that circuit, i.e., it uses 3 hops like normal and then the fourth hop is the chosen exit.

Though it's actually more complex than that, because if it knows it'll be using a 4-hop circuit, the 2nd and 3rd hop are both chosen like middles, so "like normal" is not wholly true. It's effectively like choosing a 3-hop internal circuit and then appending your chosen exit.

So some of the attacks you worry about shouldn't work, but I bet some of them still would.

--Roger

_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
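
The inference Aaron describes in the quoted text can be made concrete with Bayes' rule. The following is an added example, not part of either message and not Tor code; the exit names, weights and prior are constructed, and it assumes the adversary can already identify the exit on each linked circuit, that a visiting client picks among the pinned exits in proportion to their normal weights, and that the client's linked circuits either all go to the pinning destination or none do.

```python
from math import prod

# Constructed values: probability that each exit is picked when nothing is pinned.
EXIT_WEIGHTS = {"rare-exit": 0.001, "big-exit-1": 0.499, "big-exit-2": 0.5}


def posterior_visiting(prior, exit_weights, pinned, observed):
    """P(client is visiting the pinning destination | exits seen on linked circuits).

    prior        -- adversary's belief, before looking at exits, that this
                    client's linked circuits go to the destination
    exit_weights -- {exit: selection probability without pinning}
    pinned       -- set of exits the destination pins
    observed     -- exits identified on circuits linked to the same client
    """
    pinned_total = sum(exit_weights[e] for e in pinned)
    # If visiting: every circuit's exit is drawn from the pinned set only.
    like_visit = prod(
        exit_weights[e] / pinned_total if e in pinned else 0.0 for e in observed
    )
    # If not visiting: ordinary weighted exit selection.
    like_other = prod(exit_weights[e] for e in observed)
    numerator = prior * like_visit
    denominator = numerator + (1 - prior) * like_other
    return numerator / denominator if denominator else 0.0


if __name__ == "__main__":
    prior = 0.01
    cases = {
        "no pinning, rare exit seen once": (set(EXIT_WEIGHTS), ["rare-exit"]),
        "rare exit pinned, seen once": ({"rare-exit"}, ["rare-exit"]),
        "rare exit pinned, seen twice": ({"rare-exit"}, ["rare-exit"] * 2),
        "rare exit pinned, other exit seen": ({"rare-exit"}, ["big-exit-1"]),
    }
    for label, (pinned, observed) in cases.items():
        p = posterior_visiting(prior, EXIT_WEIGHTS, pinned, observed)
        print(f"{label}: {p:.6f}")
```

Without pinning the observed exit carries no information and the posterior stays at the prior; with a rarely chosen exit pinned, one observation moves it to roughly 0.91 and a second linked observation to above 0.999.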