Opened 4 years ago

Closed 2 years ago

#16979 closed defect (duplicate)

Prevent selection of ajacent nodes from the same cooperative jurisdictions

Reported by: cypherpunks Owned by:
Priority: Medium Milestone: Tor: very long term
Component: Core Tor/Tor Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: #22339 Points:
Reviewer: Sponsor:

Description

When the ajacent nodes are selected from the cooperative jurisdictions there is a chance that anonimity is undermined with sharing of the data from surveillance networks.

I propose
1 create an ajacency matrix Coop[i,j] describing jurisdictions cooperating. High values mean more cooperation, zero mean no cooperation above some ground level.
Coop[i,j]!=Coop[j,i] in general case, for example Germany shares more data with the US than the US with Germany.

2 Let i-th node have jurisdiction A_i.
Then the probability of taking any node with jurisdiction A_{i+1} as next hop should be
(number of jurisdictions)/Coop[A_i,A_{i+1}]

Child Tickets

Change History (3)

comment:1 Changed 4 years ago by arma

Component: - Select a componentTor
Milestone: Tor: very long term

This is a fine idea, except that restricting your path selection could harm your anonymity against *other* attackers. There's a balance to be made, and all the aspects to be balanced are not well-understood.

I recommend looking at
"20,000 In League Under the Sea: Anonymous Communication, Trust, MLATs, and Undersea Cables"
on https://petsymposium.org/2015/program.php as a paper that explores this option in more detail.

(After all, you don't just want to consider the location of the relay -- you want to consider what countries the traffic goes through on the way from one relay to the next, and back.)

Setting to 'very long term' milestone since there's plenty of research to be done first, and it's likely that this particular algorithm turns out not to be the best choice. (We might want to close the ticket eventually if it doesn't move forward more, on the theory that we know about the research area, and this particular ticket does not yet contribute much to the research area.)

comment:2 Changed 4 years ago by cypherpunks

At first I suggest to implement the case disallowing only the nodes from the same jurisdiction.

comment:3 Changed 2 years ago by nickm

Parent ID: #22339
Resolution: duplicate
Status: newclosed

Closing these tickets and reparenting them. Some big redesign may be a wise here, but tracking it across a bunch of different sub-tickets with different ideas is not going to make progress.

Note: See TracTickets for help on using tickets.