Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
More on Tor Directory Servers
November 21, 2007
I mentioned in my previous post (http://jwsecure.com/dan/2007/11/learning_about_tor.html) that I’ve been digging into Tor lately, and that I have a concern about who controls the directory servers. I want to add a bit to that.
The purpose of a Tor directory server is to advertise the list of available and trusted onion routers (ORs), that is, the nodes through which clients build their circuits. The directory servers may disagree about the contents of that list, for example because of network latency or an outage, or because the operators themselves disagree (more on that later). Tor clients resolve such disagreement with a threshold scheme: a router is trusted only if enough of the directory servers vouch for it.
But there’s an interesting side note regarding thresholding. See the Tor design paper (http://www.torproject.org/svn/trunk/doc/design-paper/tor-design.pdf), which I referenced in the earlier post. As the paper observes (page 13, left column), the directory operators must agree, at least to some extent (the wording of that section is confusing), on the list that gets published. Now see the top of the right column on page 10: the number of directory servers is currently three and may grow to nine. A majority of three is two, so today only two operators need to agree in order to control the published directory; even at nine, five would suffice. Remember that those operators, in turn, decide which ORs are in the network.
How can the network as a whole be deemed trustworthy by a broad cross-section of users if it’s controlled by so few?
Now look at that question another way. An anonymizing network is most useful when it includes as many nodes as possible, and once it has reached critical mass I’d want it to be robust against collusion among any coalition of private entities and/or governments.
To that end, suppose a modified network is proposed in which there are many more directory servers, sprinkled around the globe. Assume each directory server operator has his or her own agenda, reflecting local biases, and may be under either private or government control. Assuming the Tor threshold requirement still applies, will a majority of directory operators be able to agree amongst themselves whom to include?
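To make the arithmetic behind the threshold argument concrete, here is a small model added for this post; it is not code from the post or from the Tor project. It applies the threshold rule in its simplest form: one vote per directory server per router, with a router accepted only when a strict majority of servers list it. The real Tor directory protocol carries more machinery (signed documents, router flags and so on) that is deliberately left out. The directory and router names are made up, and the three scenarios are constructed: three directories of which two collude, nine of which five collude, and a scattered set of operators with local biases, which is the situation the question above asks about.

```python
"""Toy model of Tor directory-server majority agreement.

Added example: this is not code from the post or from the Tor project.
It applies the threshold rule in its simplest form, one vote per directory
server per router, with a router accepted only when a strict majority lists
it.  The real Tor directory protocol adds signatures, flags and more, none of
which is modelled here.
"""
from collections import Counter
from typing import Dict, Iterable, Set

# Constructed data: which onion routers (ORs) each of three directory server
# operators is willing to list.  All names are hypothetical.
THREE_DIRS: Dict[str, Set[str]] = {
    "dir-a": {"or1", "or2", "or3", "or4"},
    "dir-b": {"or1", "or2", "or3", "or5"},
    "dir-c": {"or1", "or2", "or4"},
}

# Constructed data for the many-operator scenario: each operator lists a few
# routers everyone knows plus the ones favoured in its own region.
FRAGMENTED: Dict[str, Set[str]] = {
    "dir-north":   {"or1", "or2", "north-a", "north-b"},
    "dir-south":   {"or1", "or2", "south-a"},
    "dir-east":    {"or1", "east-a", "east-b"},
    "dir-west":    {"or1", "west-a"},
    "dir-central": {"or2", "central-a"},
}


def majority_threshold(num_servers: int) -> int:
    """Smallest number of servers that is a strict majority (2 of 3, 5 of 9)."""
    return num_servers // 2 + 1


def consensus(listings: Dict[str, Set[str]]) -> Set[str]:
    """Routers that a strict majority of the directory servers list."""
    need = majority_threshold(len(listings))
    votes = Counter(router for routers in listings.values() for router in routers)
    return {router for router, count in votes.items() if count >= need}


def coalition_dictates(listings: Dict[str, Set[str]],
                       coalition: Iterable[str],
                       desired: Set[str]) -> bool:
    """Can the named operators, by all publishing exactly `desired`, make the
    consensus equal `desired`, given what the remaining operators publish?"""
    rigged = {name: set(routers) for name, routers in listings.items()}
    for name in coalition:
        rigged[name] = set(desired)
    return consensus(rigged) == desired


def uniform_dirs(num_servers: int) -> Dict[str, Set[str]]:
    """num_servers honest operators who all list the same three routers (constructed)."""
    return {f"dir-{i}": {"or1", "or2", "or3"} for i in range(num_servers)}


if __name__ == "__main__":
    print("3 directories, honest:", sorted(consensus(THREE_DIRS)))
    # Two of three operators are a majority: they alone decide the list.
    print("2 of 3 collude:", coalition_dictates(THREE_DIRS, ["dir-a", "dir-b"], {"or9"}))
    print("1 of 3 alone:  ", coalition_dictates(THREE_DIRS, ["dir-a"], {"or9"}))
    nine = uniform_dirs(9)
    four = [f"dir-{i}" for i in range(4)]
    five = [f"dir-{i}" for i in range(5)]
    print("4 of 9 collude:", coalition_dictates(nine, four, {"or9"}))
    print("5 of 9 collude:", coalition_dictates(nine, five, {"or9"}))
    # With many operators pursuing local agendas, only the routers they
    # happen to share survive the vote; everything regional is dropped.
    print("fragmented:", sorted(consensus(FRAGMENTED)))
```

The collusion cases show that the minimum coalition is simply floor(N/2)+1 operators, whatever the others publish, while the fragmented case shows the flip side of adding operators with divergent agendas: the consensus shrinks to whatever routers a majority happen to share, and every regionally favoured router is dropped.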
This is the piece I find most interesting. On one hand, certain characteristics of an anonymous network seem to be requirements for keeping it anonymous; absence of unilateral control comes to mind. On the other hand, for a project like Tor, some single group must facilitate and be "in charge". Otherwise it’s impractical even to establish what the candidate list of directory servers is, among other things. (The former could perhaps be partially solved by some sort of "primary" election among the network’s users, but the users would still have to be able to trust the election and its results.)
On the surface, this problem strikes me as similar to that of deciding who controls the top-level internet DNS servers (an interesting introduction to that issue is at http://www.slate.com/id/2131182/). But there are some fundamental differences. For one thing, the whole point of an anonymizing network is anonymity; obvious, right? The whole point of the internet, in contrast, is availability. From the perspective of the private sector, as long as the majority of people who make money on the internet can continue to do so, I don’t think they really care who controls it.
It seems to me that controlling entities are more likely to muck with the anonymity of a (theoretically) anonymous network than with the basic mechanisms of the internet, i.e. those that allow it to support reliable commerce. Why? For one thing, loss of anonymity is likely to be harder to detect. For another, anonymous networks are still sufficiently fringe to be outside common public awareness. Thus a compromise is unlikely to be met with much outrage until the user base grows.