Opened 4 years ago

Closed 9 months ago

#13843 closed enhancement (fixed)

Add a faq entry for "You should change path selection to avoid entering and exiting from the same country."

Reported by: arma
Owned by: cypherpunks
Priority: Medium
Milestone: website redesign
Component: Webpages/Website
Version:
Severity: Normal
Keywords: website-content, FAQ
Cc: sjmurdoch, asn, NickHopper, g.danezis@…, amj703
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description makes me realize that this is an ongoing question and I expect it will come up more with the new Torbutton interface for visualizing your paths.

What should users actually do with the information that, for example, their first hop and last hop are both in the US?

If we have an actual recommendation, we should change Tor to do that thing automatically.

I think the current situation is that there are many attacks and adversaries that Tor is trying to defend against at once, and constraining paths has surprising trickle-down effects on the other attacks (e.g. if I see where you exit then I know where you *didn't* enter, thus reducing your entropy, sometimes by a surprising amount depending on what path constraints we pick).

So the current advice amounts to "don't mess with it, you'll probably screw it up, we don't understand it very well either". We should figure out a way to concisely give people all the intuition that we have, so they can make good decisions.

Change History (12)

comment:1 Changed 4 years ago by arma

This could also be a full-blown (i.e. three+ paragraph) blog post with a pointer to it from the faq.

comment:2 Changed 4 years ago by gdanezis

I concur that restricting the exit relay on the basis of the entry relay's location leaks information. An adversary that may force a user to open multiple circuits will be able to observe many exit relays, and by omission may learn the location of the entry guard or guards (as suggested above).

Furthermore, it is not only the location of the guard that is sensitive but (a) the location of the client and destination and (b) the network links traversed between the client and the first routers, and the last router and destination. The extensive work on AS-sensitive selection might provide a guide on how to deal with those, but I am unconvinced there is a consensus on how to best choose those under dynamic network conditions and partial information about the topology.

comment:3 Changed 4 years ago by amj703

I agree with George, although I don't think that choosing guards and exits in different countries has any absolutely killer flaws. The biggest problems I see with the idea are

  1. If the adversary can link together connections by the same pseudonymous user over time (say by monitoring a website that you log into), then he can get an idea of which countries your guards are located in. This is slowed down by the fact that you randomly switch among your guards, although if you move to one guard, then it won't be.
  2. The same "linking" adversary could be able to determine when exits from certain countries are being avoided (again, made easier the fewer guards that you have), thus revealing a non-standard use of Tor that may be uncommon and identifying.
  3. The adversary can attract more users to his guards and exits without adding more bandwidth by placing them in rare countries. But really the way Tor should respond to this is to become more diverse as a result of it mattering more.

However, as George also mentioned, my biggest problem with this idea is that it doesn't seem to be a particularly useful defense in the first place. What attack does it prevent? An adversary that is only willing or able to do traffic correlation at the relays? I'm not sure why you'd think that he's constrained so strongly to borders, or why he wouldn't also be willing to run exit relays conveniently placed outside of the country, or why he wouldn't be willing to do surveillance on user or destination locations (especially targeted ones).

And once you do start thinking about taking into account client and destination countries when selecting paths, then you really open yourself up to revealing the client or destination location over time. I had to deal with these issues when designing the Trust-Aware Path Selection algorithm (TAPS) that Paul talked about at the last SAFER PI meeting.
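The leak by omission that comments 2 and 3 describe, worked through on a constructed four-country network. This is an added example, not part of the ticket or of Tor's code; the country weights and all function names are hypothetical. It computes an observer's posterior over the guard's country from the exit countries of linked circuits, with and without the "exit must differ from entry country" rule.

```python
import math
import random

# Constructed toy network: fraction of guard and exit bandwidth per country.
# Illustrative numbers only, not real Tor consensus weights.
GUARD_W = {"DE": 0.40, "US": 0.30, "FR": 0.20, "NL": 0.10}
EXIT_W = {"DE": 0.35, "US": 0.35, "FR": 0.15, "NL": 0.15}

def entropy_bits(dist):
    """Shannon entropy of a probability distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def pick_exit(guard_cc, rng, constrained):
    """Client side: choose an exit country, optionally excluding the guard's."""
    pool = {c: w for c, w in EXIT_W.items() if not (constrained and c == guard_cc)}
    return rng.choices(list(pool), weights=list(pool.values()))[0]

def guard_posterior(observed_exits, constrained):
    """Observer side: P(guard country | exit countries of linked circuits)."""
    post = {}
    for g, prior in GUARD_W.items():
        like = 1.0
        for e in observed_exits:
            if constrained:
                # An exit in the guard's country is impossible under the rule;
                # the remaining exit weights are renormalised.
                like *= 0.0 if e == g else EXIT_W[e] / (1.0 - EXIT_W[g])
            # Unconstrained: the exit is independent of the guard, so the
            # likelihood is identical for every g and cancels out below.
        post[g] = prior * like
    total = sum(post.values())
    if total == 0:
        raise ValueError("observations are inconsistent with the constraint")
    return {g: p / total for g, p in post.items()}

def simulate(guard_cc, n_circuits, constrained, seed=1):
    """Entropy of the guard-country posterior after n linked circuits."""
    rng = random.Random(seed)
    seen = [pick_exit(guard_cc, rng, constrained) for _ in range(n_circuits)]
    return entropy_bits(guard_posterior(seen, constrained))

if __name__ == "__main__":
    print("prior entropy: %.2f bits" % entropy_bits(GUARD_W))
    for n in (1, 5, 20):
        print("%d circuits: default %.2f bits, constrained %.2f bits"
              % (n, simulate("NL", n, False), simulate("NL", n, True)))
```

With default path selection the posterior never moves from the prior, however many circuits are linked; under the constraint, each exit country seen removes one candidate guard country.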

comment:4 Changed 2 years ago by Sebastian

Owner: changed from Sebastian to cypherpunks
Status: changed from new to assigned

comment:5 Changed 22 months ago by hiro

Keywords: website-content added
Severity: Normal

comment:6 Changed 14 months ago by hiro

Milestone: website redesign

comment:7 Changed 9 months ago by traumschule

Keywords: FAQ added

comment:8 Changed 9 months ago by traumschule

Status: changed from assigned to needs_information

Before changing the website I'd like to confirm that Tor's behavior on this did not change in the last 4 years. If not what should be added exactly? I was under the impression that tor's defaults are sensible and meddling with the circuit path does not improve my anonymity / privacy.

comment:9 in reply to:  8 Changed 9 months ago by teor

Replying to traumschule:

> Before changing the website I'd like to confirm that Tor's behavior on this did not change in the last 4 years.

Tor's behaviour has not changed.

> If not what should be added exactly? I was under the impression that tor's defaults are sensible and meddling with the circuit path does not improve my anonymity / privacy.

In general, changing Tor's path selection makes your client look different from other clients. Picking your entry and exit in different countries is not a good defence, because it only defends against adversaries that are unable to rent servers in other countries.

comment:10 Changed 9 months ago by traumschule

Status: changed from needs_information to needs_review

Thanks for the fast reply!

I created a PR to add this under Alternate designs that we don't do (yet):

Might however also fit in any of:

  • Tor Browser (general)
  • Advanced Tor usage
  • Anonymity and Security

The comment arma mentioned was:

> I really like the new feature that allows us to see where the used relays are located.
> That made me see a security threat - sometimes all three relays are based in the same country or the entry and exit. I think there should be additional code added to make sure this never happens, imagine the chaos when exit and entry node is from the USA and controlled by NSA. Overall the Tor Browser 4.5-alpha-1 is great.

comment:11 Changed 9 months ago by teor

Status: changed from needs_review to merge_ready

Looks good to me

comment:12 Changed 9 months ago by traumschule

Resolution: fixed
Status: changed from merge_ready to closed

