On Thu, Jul 07, 2016 at 10:57:00PM +0000, Patrick Schleizer wrote:
> scenario A)
>
> Let's assume someone's Tor client picked an entry guard on IP
> AAA.BBB.CCC.EEE. And then [without knowing and/or by chance] tried to
> make a torified connection to [1] IP AAA.BBB.CCC.EEE.
>
> - Would Tor use that entry guard to establish the connection?

Yes. In fact, generally Tor clients go to domain names, not to straight IP addresses, so the client wouldn't even know whether it's in this situation until it was most of the way through making the request.

(Also, DNS isn't signed or anything, so you should imagine all the terrible things that could happen if we make clients change their guard selection based on destination IP address, yet exit relays can lie however they like about what IP address the destination supposedly maps to.)

> - If so, wouldn't that open up for an end-to-end correlation attack?

Yes.

> - Does it make a difference if the torified connection is to
> AAA.BBB.CCC.EEE or AAA.BBB.CCC.EEF?

No.

But speaking of all this, see also the research papers proposing to modify route selection to reduce the chance of the same Autonomous System (AS) appearing on two parts of the path. The most recent one is "DeNASA: Destination-Naive AS-Awareness in Anonymous Communications" by Armon Barton and Matthew Wright, and it should become available shortly as it will be presented at PETS in just a few weeks.

But the summary of that paper is that clients should pick their guard based on their local IP address and on the common destinations that clients might often go to, to reduce the chance of picking a guard from a network location that will see a lot of their exit traffic too.

> #####
>
> difference scenario B)
>
> Let's assume someone using WiFi with IP WWW.XXX.YYY.ZZZ starts Tor for
> the first time. Its Tor client picked an entry guard on IP
> AAA.BBB.CCC.EEE. Now, the user leaves that WiFi and uses another Wifi
> with IP AAA.BBB.CCC.EEE or AAA.BBB.CCC.FFF.
>
> - Would Tor be clever enough to move on to another entry guard?

No. How can we know whether the user has changed location a lot or a little? IP addresses can be wildly different yet still located in the same building, and we certainly wouldn't want to keep shifting guards too much.

Also, if we *did* shift guards, should we shift back if we went back to the old location? Does that mean Tor should keep track (on disk of course) of its previous locations? Can a hostile DHCP server offer an IP address from a suspected previous location and then see which guard the client opts to use?

> - What if the user was using a bridge on IP AAA.BBB.CCC.EEE? Would to be
> refusing that bridge?

No.

For a related (not the same) edge case, see also
https://trac.torproject.org/projects/tor/ticket/2998

--Roger
