
Surveillance Self-Defense International - zoowar
https://www.eff.org/wp/surveillance-self-defense-international
======
nitrogen
What prevents a government from setting up hundreds of its own Tor relay and
exit nodes and connecting the dots?

~~~
samdk
The short answer: not a whole lot. A government or other entity with enough
resources could probably compromise the anonymity of a significant amount of
the traffic going through Tor. It's generally accepted that if an attacker
controls the first and last router in a circuit then they can use timing
attacks to compromise that circuit's anonymity. (And if an attacker controls
all three routers they definitely can.)

The long answer: Tor does some things with circuit creation to try to make
this kind of attack a lot more difficult. In general, clients will attempt to
choose geographically distributed routers to go together on a circuit. (I
believe the restriction is that they won't choose multiple relays on the same
/16 subnet--certainly not an infallible measure, but it does make it more
difficult to control multiple routers on a single circuit.)

Another countermeasure is the use of _guard nodes_. Guard nodes are generally
fast, long-running routers that serve as the entry points onto Tor. Clients
with guards enabled (and they're enabled by default) have a list of 3 guard
nodes, which they will try to use if at all possible as the first router on
any circuits they create. (If all of those guards go down, they'll pick more.)
The reasoning is that without guards, if there's someone who's trying to
attack Tor by controlling routers, eventually you're going to create enough
circuits that at least one gets compromised. With guards, some people will get
unlucky and potentially have a lot more of their traffic compromised, but
others will be much safer. Also, because guards stay relatively static over
time (and because it takes a few weeks to be considered stable enough to be a
guard), any attacker just setting up a ton of routers isn't going to be able
to immediately compromise a ton of traffic.

(Of course, there are other attacks too, which don't necessarily require
controlling nearly as many routers. Tor is very far from perfect. Designing a
good general-purpose low-latency anonymity system is very difficult.)

My experience: I've been doing research related to Tor for the past two and a
half years, and my undergrad thesis (which I'm working on right now) is a
practical evaluation of the attacks that do exactly this kind of end-to-end
correlation.

I don't have time right now to list specific citations for all of the above,
but it's pretty much all covered by papers in the Free Haven Anonymity
Bibliography (<http://www.freehaven.net/anonbib/>) and the Tor spec documents,
and I'd be happy to come fill them in later if people want.
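
As an added illustration (not part of this thread, and not Tor's own code), a small constructed simulation of the two countermeasures the comment above describes: the rule that no two hops on a circuit share a /16, and a fixed entry guard. It compares an adversary whose relays all sit on one /16 with one whose relays are spread across distinct /16s, with and without guards. Relay counts, the subnet values, uniform relay selection and one guard per client are assumptions of the toy model; real Tor weights selection by bandwidth and keeps a set of three guards.

```python
import random
from collections import namedtuple

Relay = namedtuple("Relay", "name subnet16 malicious")

def build_relays(n_honest, n_malicious, clustered, seed=0):
    """Constructed network: honest relays spread over many /16s; the
    adversary's relays share one /16 (clustered) or each sit on their own."""
    rng = random.Random(seed)
    relays = [Relay(f"h{i}", f"10.{rng.randrange(200)}", False) for i in range(n_honest)]
    for i in range(n_malicious):
        relays.append(Relay(f"m{i}", "198.51" if clustered else f"203.{i}", True))
    return relays

def pick_circuit(rng, relays, guard=None):
    """Entry, middle, exit with no two hops on the same /16 (the restriction
    the comment describes). A fixed guard, if given, is always the entry."""
    hops = [guard] if guard else []
    while len(hops) < 3:
        r = rng.choice(relays)
        if all(r.subnet16 != h.subnet16 for h in hops):
            hops.append(r)
    return hops

def end_to_end_compromised(circuit):
    # The adversary observes both ends, which is what timing correlation needs.
    return circuit[0].malicious and circuit[-1].malicious

def simulate(relays, n_clients, circuits_per_client, use_guards, seed=1):
    """Return (fraction of clients with >=1 compromised circuit,
    fraction of all circuits compromised). One guard per client is a
    simplification of Tor's set of three (assumption of this toy model)."""
    rng = random.Random(seed)
    hit_clients = hit_circuits = 0
    for _ in range(n_clients):
        guard = rng.choice(relays) if use_guards else None
        hits = sum(end_to_end_compromised(pick_circuit(rng, relays, guard))
                   for _ in range(circuits_per_client))
        hit_circuits += hits
        hit_clients += hits > 0
    return hit_clients / n_clients, hit_circuits / (n_clients * circuits_per_client)

if __name__ == "__main__":
    for clustered in (True, False):
        net = build_relays(900, 100, clustered)
        for guards in (False, True):
            print("clustered" if clustered else "spread", "guards" if guards else "no guards",
                  simulate(net, 200, 50, guards))
```

With the adversary's relays on one /16 the subnet rule alone keeps the compromised fraction at zero; when they are spread out, roughly one circuit in a hundred is compromised either way, but guards concentrate that loss on about a tenth of the clients instead of touching nearly half of them over fifty circuits.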

~~~
SageRaven
Does introducing chaff into your traffic help against timing attacks? I was
using TOR for 100% of my traffic for a few months a few years ago, as part of
a feasibility experiment. I read of these timing/correlation attacks, so I
wrote a few crude scripts that would crawl/mirror random pages constantly in
the background, my theory being that having traffic all the time would (at the
least) not notify "them" when I was browsing and at best reduce/eliminate the
ability to see exactly what I was truly browsing.

