Joho the Blog
An Entry from the Archives

Roger Dingledine of the Free Haven Project is giving a lunchtime talk about The Onion Router (TOR), an anonymizing router. It's open source, of course. "We probably have hundreds of thousands of users, although it's a little hard to tell because we're an anonymity system." It's mainly used by people in Western countries who don't want to be traced by advertisers, as opposed to being used by dissidents in China or Iran. [As always, I'm paraphrasing and occasionally guessing.]

Encryption doesn't mask how much you say, when you say it, etc. So, more anonymity is needed. Anonymity is important for privacy, network security and traffic-analysis resistant networks...three ways of spinning the same idea. Citizens, businesses and government need anonymity. E.g., the CIA's anonymous tip line encrypts the tip but the fact that you submitted a tip can still be traced. "How much would you bid for a list of IP addresses in Baghdad that's getting messages from the CIA?" By putting all of these users onto the same server, the fact that they're using it tells you little.

Official Google policy is that they don't collect personal info. They "only" collect your IP address and what you do with it. But that's way too much, Roger implies. In fact, he says, if you can see both sides of a Net transaction such as email, you can match up the IP addresses or the contents and make good, practical guesses about who's talking.

Ethan Zuckerman points out that if you're the only person using TOR in, say, Sudan, you can probably be identified. Roger says that that's not something it'd be easy to fix in TOR.

Commercial anonymizers generally put up an anonymous proxy relay. But the user's request for the relay to fetch a particular Web site could be intercepted. So, some anonymizers encrypt the request. Those are subject to hackers, internal traitors, and legal attacks. The TOR system uses three proxies. (Roger says since the attacks come at the end points, it probably doesn't matter how many beyond three are added.) If one is compromised, you still can't connect person A and B. If two are compromised, you can. "We multiplex the circuits because the multiple keys can be pretty slow." [I record this for your enlightenment. Means nothing to me.] TOR anonymizes only TCP streams. "It needs other applications to clean high-level protocols."

Server operators are given options to limit bandwidth and choose which ports to connect.

How do you know that a TOR server isn't compromised, phishing for pigeons? [That mixed metaphor is mine, not Roger's.] A directory enables servers to vouch for other servers. [Sorry, I didn't understand that, so I may be misrepresenting it.]

He explains how TOR can provide bidirectional anonymity.

There are about 450 TOR servers and about 200,000 people using TOR in a week. "We push 50MB/second of traffic."

Problem: "Abusive users get the whole network blocked." Slashdot and Wikipedia block all postings from TOR. Wikipedia wants to be able to ban abusers' IP addresses, but TOR IPs are too easy to get. "We make it easy to identify if you're coming from the TOR network." They do this on purpose so sites can choose what they want. That means that China, for example, can block the entire TOR network; all it has to do is grab the public list of TOR servers and black them all. To get around this, TOR could have more exit nodes, i.e., last hops from the TOR network that are not recognizable as TOR servers. Roger suggests TOR clients could have a "Help China" button that allows users to forward a small amount of traffic so there would be hundreds of thousands of IP addresses, not 450 TOR servers that are easy to identify and block. He discusses an approach that requires having a trusted social network that grants access to the network.

Next steps: "We want to work on usability." None of the TOR developers use Windows. Also, incentives: "I really want to do a tit for tat scheme where you don't get good service unless you handle some traffic."

Roger mentions that there's a list of open research questions on the TOR site.

Who are the people who need this, to make it clear that anonymity is good? It can't be dissidents at this point because, (Ethan says), "It's a good way to get them arrested."

Q: What's the latency of using the system?
A: It depends. But a lot. "If you're used to university bandwidth, you'll notice a huge hit."

Q: Do you throttle people doing video downloads?
A: No. That's an arms race I don't want to get into. We ask you not to do huge transfers over TOR. And TOR isn't very good at that. In some sense, it's self-correcting.

Q: How are you going to encourage more servers?
A: We have a sign-up on our home page. More important, we're working on an incentive system.

Q: Do ISPs let people run TOR servers?
A: Many do. By the way, it's a safe harbor under the DMCA because you're just passing the bits through.

Q: Some policy makers think we need an accountable network in which we can tie bits back to particular humans. How is TOR going to play in this?
A: Many machines on the Internet are not their "owners" — they do not represent who they claim to. That's a problem for an accountable network. E.g., Windows 98 is highly vulnerable. Phishing isn't going away. Roger cites a study that showed that if you add personal info to a phishing attempt — info found by googling — the response rate goes from 15% to 85%.

Q: What will it take for this to move beyond geeky early adopters?
A: There are millions people who'd like to use it, if we can make it easy enough, get it to work well on Windows, get the documentation right...etc.

Q: How can you solve the problem of the lone TOR user in the Sudan?
A: We would need to make it impossible to know that you're using TOR. You need a way for the data you publish to be unlinkable with you, and defending against that depends on the nature of the attack. There's also the ability to link up without giving yourself away by someone watching the timing of posts.

A: More users in Sudan would help. Without that, you should go to an Internet site, send a msg to a friend in a safe environment, and ask her to post it for you.