Penggantian Desain yang Tidak (Belum) Kami Lakukan

Requiring every Tor user to be a relay would help with scaling the network to handle all our users, and running a Tor relay may help your anonymity. However, many Tor users cannot be good relays — for example, some Tor clients operate from behind restrictive firewalls, connect via modem, or otherwise aren't in a position where they can relay traffic. Providing service to these clients is a critical part of providing effective anonymity for everyone, since many Tor users are subject to these or similar constraints and including these clients increases the size of the anonymity set.

That said, we do want to encourage Tor users to run relays, so what we really want to do is simplify the process of setting up and maintaining a relay. We've made a lot of progress with easy configuration in the past few years: Tor is good at automatically detecting whether it's reachable and how much bandwidth it can offer.

There are four steps we need to address before we can do this though:

  • First, we still need to get better at automatically estimating the right amount of bandwidth to allow. It might be that switching to UDP transport is the simplest answer here — which alas is not a very simple answer at all.

  • Second, we need to work on scalability, both of the network (how to stop requiring that all Tor relays be able to connect to all Tor relays) and of the directory (how to stop requiring that all Tor users know about all Tor relays). Perubahan seperti ini dapat menyebabkan dampak besar pada potensi dan anonimitas yang sebenarnya. Lihat Bagian 5 dari halaman Tantangan untuk detailnya. Sekali lagi, transportasi UDP akan membantu di sini.

  • Ketiga, kita perlu lebih memahami risiko dari membiarkan penyerang mengirim lalu lintas melalui relai Anda ketika Anda juga memulai lalu lintas anonim Anda sendiri. Tiga different research dokumen menjelaskan cara untuk mengidentifikasi relai di sirkuit dengan menjalankan lalu lintas melalui kandidat relai dan mencari penurunan lalu lintas saat sirkuit aktif. Serangan penyumbatan ini tidak terlalu menakutkan dalam konteks Tor selama relai juga tidak pernah menjadi klien. But if we're trying to encourage more clients to turn on relay functionality too (whether as bridge relays or as normal relays), then we need to understand this threat better and learn how to mitigate it.

  • Fourth, we might need some sort of incentive scheme to encourage people to relay traffic for others, and/or to become exit nodes. Berikut adalah pemikiran kami saat ini tentang insentif Tor.

Mohon bantu semua ini!

It would be nice to let relay operators say things like reject in their exit policies, rather than requiring them to learn all the IP address space that could be covered by the site (and then also blocking other sites at those IP addresses).

There are two problems, though. First, users could still get around these blocks. For example, they could request the IP address rather than the hostname when they exit from the Tor network. This means operators would still need to learn all the IP addresses for the destinations in question.

The second problem is that it would allow remote attackers to censor arbitrary sites. For example, if a Tor operator blocks, and then some attacker poisons the Tor relay's DNS or otherwise changes that hostname to resolve to the IP address for a major news site, then suddenly that Tor relay is blocking the news site.

No, you cannot trust the network to pick the path. Malicious relays could route you through their colluding friends. This would give an adversary the ability to watch all of your traffic end to end.

Ini akan berguna untuk beberapa alasan: Itu akan membuat Tor lebih mampu menangani protokol baru seperti VoIP. It could solve the whole need to socksify applications. Keluar dari relai juga tidak perlu mengalokasikan banyak berkas deskriptor untuk semua koneksi keluar.

We're heading in this direction. Some of the hard problems are:

  1. Paket IP menyingkap karakteristik OS. We would still need to do IP-level packet normalization, to stop things like TCP fingerprinting attacks. Given the diversity and complexity of TCP stacks, along with device fingerprinting attacks, it looks like our best bet is shipping our own user-space TCP stack.

  2. Application-level streams still need scrubbing. We will still need user-side applications like Torbutton. So it won't become just a matter of capturing packets and anonymizing them at the IP layer.

  3. Protokol tertentu akan tetap membocorkan informasi. For example, we must rewrite DNS requests so they are delivered to an unlinkable DNS server rather than the DNS server at a user's ISP; thus, we must understand the protocols we are transporting.

  4. DTLS (datagram TLS) basically has no users, and IPsec sure is big. Once we've picked a transport mechanism, we need to design a new end-to-end Tor protocol for avoiding tagging attacks and other potential anonymity and integrity issues now that we allow drops, resends, et cetera.

  5. Exit policies for arbitrary IP packets mean building a secure Intrusion Detection System (IDS). Our node operators tell us that exit policies are one of the main reasons they're willing to run Tor. Adding an IDS to handle exit policies would increase the security complexity of Tor, and would likely not work anyway, as evidenced by the entire field of IDS and counter-IDS papers. Many potential abuse issues are resolved by the fact that Tor only transports valid TCP streams (as opposed to arbitrary IP including malformed packets and IP floods.) Exit policies become even more important as we become able to transport IP packets. We also need to compactly describe exit policies in the Tor directory, so clients can predict which nodes will allow their packets to exit. Clients also need to predict all the packets they will want to send in a session before picking their exit node!

  6. The Tor-internal name spaces would need to be redesigned. We support onion service ".onion" addresses by intercepting the addresses when they are passed to the Tor client. Doing so at the IP level will require a more complex interface between Tor and the local DNS resolver.