On Mon, Sep 16, 2013 at 07:55:08PM -0300, Juan Garofalo wrote: [SNIP] > >> > >> There's an interesting ambiguity here, it seems. First it's > >> stated that onion routing doesn't protect against 'big' (in > >> network terms) adversaries. But then no hard data is given > >> about how 'big' the adversaries really are. > > > >Ermm. I pointed you at our paper, the first paper attempting to > >quantify that in a meaningful way using the best available data. > >And, as I recall you thanked me for it. > > > Yes. I took a quick look at it first and asked how those > results affected hidden services, but I didn't get an > answer.
People have not yet done that work for hidden services. Not because they are uninterested but because there is so much to do and only so much time to do it in. Actually the existence of guard nodes, whose configuration plays such a large role in those results, itself came about because of research the Lasse Overlier and I did on finding hidden services, (published 2006 I think). But the solution of using guards is itself a version of something described in earlier work by Wright et al. in c. 2002, when they introduced "helper nodes" as something to address the more general issue for lots of different anonymity designs, not just Tor, which did not even have a published design yet. For recent advances in attacks on hidden services cf. "Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization" by Biryukov et al. Many of the issues have since been address or are the subject of design changes that are being discussed for Tor now. See the relevant trac tickets and Tor proposals. > > I've now read it thoroughly. The use of an internet map and > circuit simulator is interesting. So, after something like > ten years, there's an analysis that tries to get a complete > and quantified picture of the system. Better late than > never, I guess. I hope the above paragraph shows you that these things take a lot of time. If you wanted those things all done before Tor was deployed, Tor would never have been deployed. Lots of the research depends on analyzing deployment and usage patterns on the real network. I think Tor and its analysis actually stands out as a huge success story for how much has been accomplished by how many people with how much funding. People involved with inventing, engineering and, deploying other significant systems are often astonished that it is not a much bigger operation with orders of magnitude more funding. The paper we've been talking about could not have been done in 2002, not just because there was no widely used and deployed Tor network to get data about, but because techniques and data for network measurement (general Internet not just Tor-network) were not as advanced or available. > > Maybe in 2002 the assumption that the internet was too big > and complex for it to be succesful monitored was correct, > but that assumption doesn't look too valid now? > What is technically possible and with what resources changes all the time. And as I have said, there's lots of work that needs to be done to say things that are meaningful, not just aphoristic about this. That's why knowledgeable people will always reject except as deceptive shorthand simple statements about whether _anything_ is safe, secure, anonymous, unable to be monitored, etc. They will attempt to turn these into questions about a particular class of adversary (amount of resources, dynamics of resource deployment, nature and target of attack) attacking a particular class of users engaging in a particular class of behavior, on a particular class and configuration of network. With perhaps minor tweaking, this is as true of someone examining the security of a class of crypto algorithms as of someone examining intrusion resilience of an enterprise network. > > > >> > >> How well is Tor preserving the anonimity of its users? Well, > >> there are "hard problems" to answer that question... > >> > > > >And yes, this is a hard problem. Science and technology are lousy with > >hard problems, and this is one of them. > > > I'm not denying it's a hard problem. And it's a hard problem > that doesn't help Tor's reputation since it makes it hard to > know how well Tor is performing. But you knew that. > This points at a different kind of hard problem. People working on Tor have tried to be clear all along about what it does and what it does not do, and be clear about how much is unknown subject to long scientific analysis. Tor has long been a model of openness that others point to for how to do it. But how and where to be clear is tricky. For example, for many years, the software used to say when firing up something like "This is experimental software. Do not rely on it for strong anonymity." At the same time however, other systems purported to offer similar protections would be marketed as offering rock solid protection or some such. People who, e.g., have lives that don't allow them to spend time reading and learning to understand research papers about the all the different technologies that they need to use every day, would understandably think that something called "rock solid" is better than something that is labeled by its own producer "for experimental use only", even if the latter is actually way more secure for their needs than the former. So in this context, it is deceptive and can put people at risk to call Tor experimental in the terse blurb that is all many users will see. So what's the most honest thing to do here? What you see is the current best attempt to cope with that. But like everything else, this is recognized as not settled once and for all and needs revisiting as time, resources, and which thing is most urgent permits. [SNIP] > >Those are merely hard problems rather than intractible ones, but feel > >free to look at whatever you like. I hope I'm not being too presumptuous > >in saying that you already have as much of an answer as those who > >work on Tor can give you about that. > > > Yes, I see that. I must admit I mostly got a fair hearing from you. > > > > >Well no not exactly. I was being a bit terse with "set up for", > > but I've already been overlong in so many respects. As Roger has already > >explained somewhere (I forget sorry) quite well: It's not enough to > >have open design. You need to have good documentation of the code and > >of the design > > > And that makes it easier for people to audit the system and > so the audit is more likely to happen, I see that. > > > Anyways, thanks for the discussion. [SNIP] Likewise. aloha, Paul -- tor-talk mailing list - [email protected] To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
