[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] Friendly LAN bridge -- bad idea?



> Date: Fri, 08 May 2015 09:23:19 +0200
> From: Lars Luthman <mail@larsluthman.net>
> 
> On Thu, 2015-05-07 at 23:34 +0000, Nathaniel Goodman wrote:
>> Hello,
>> 
>> Around here all devices and usual guests use tor. This of course
>> generates many direct connections to the tor network.
>> 
>> We were wondering if there would be any negative (privacy)
>> implications from running a private bridge inside the LAN to which all
>> the devices around here would then connect instead of making a direct
>> connection to the network.
> 
> I've thought of using a similar setup on local networks - configuring
> the main router to run a private Tor bridge and blocking all other
> traffic. The problem with this is that every normal circuit only gets
> two hops out on the internet - your private bridge is the first hop, and
> then there's a middle hop and an exit on the internet. Also, since the
> private bridge would be the guard node and it is on your local network,
> the first hops out on the internet would change much more frequently
> than if you didn't use the private bridge but connected to guard nodes
> out on the internet. Both of these properties may reduce the anonymity
> of Tor users on your local network.
> 
> These problems would be avoided if
> 
> a) Tor treated all bridges as a 'zeroth hop' and built three-hop
>    circuits _after_ the bridge, with the first hop being chosen
>    using the normal guard selection algorithm, or
> 
> b) There was a special 'local bridge' type which, when used,
>    forced the client to build four-hop circuits with the above
>    properties.
> 
> I don't think there's any way of achieving any of those without
> modifying Tor.

The standard way of achieving this is to have multiple Tor browsers configured to connect via SOCKS to a shared Tor client on the LAN. This client has one set of connections, descriptors and caches, and 1-3 guards. This saves bandwidth and connections.

However, there is a small risk of increased linkability via timing attacks on a shared hidden service cache - one user gets a hidden service faster if another user has recently used it.
See https://trac.torproject.org/projects/tor/ticket/15938

There is also the risk of non-encrypted SOCKS connections being observed on your LAN. However, any unencrypted connections could be observed between the Tor exit and website anyway.

There may be other security implications of a shared Tor client. However, in my understanding, the loss of a guard node with a shared Tor bridge has known serious security implications.

Also, the increase in outgoing connections from a local bridge could very likely make your issue with the number of outgoing connections worse, not better. This depends on the number of Tor users you have - a bridge could make a connection to each of up to 5000 relays - do you have 1000 users using Tor simultaneously?

teor

teor2345 at gmail dot com
pgp 0xABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk