Schneier on Security
A blog covering security and security technology.
April 26, 2013
Tor Needs Bridges
The Internet anonymity service Tor needs people who are willing to run bridges. It's a goodness for the world; do it if you can.
Posted on April 26, 2013 at 7:19 AM
Tor Cloud (which now supports obfs3) in particular is very easy to set up. Make an Elastic IP, set security group up, make a Tor Bridge micro instance, associate them, let Tor get on with it. You can of course SSH in and configure it more deeply if you want.
Not terribly clear which Amazon regions are the best to pick but I guess any and all help out. Best of all, if it's a new Amazon account, it's very cheap to run two bridges for a year due to the free tier.
Bruce, explain something to me: given their obsession with having access to everything why would the US intelligence services allow ToR to exist if they couldn't hack it?
Here's my theory: ToR is not possible for other countries' agencies to hack (obviously I don't know why because I don't know how the USG is doing it) which makes it a great tool for US-aligned groups in other countries aiming to overthrow governments. At the same time, it is not a threat because the USG can get in.
I simply don't believe it's plausible that ToR is safe against the DoD that developed it, that seems to go against everything we know about the last two decades.
Of course, once you start asking this question you have to ask about Jacob Appelbaum...but then it starts getting too creepy even for me.
@JeffH: doesn't it defy the point of Tor to have many bridges hosted by the same provider (Amazon, in this case)? Consider that Amazon has easy access to the disk, memory contents and network traffic of everything on EC2.
I ran a tor relay on my personal web server for a while, but I could never tell if it was actually doing anything or not. All of the directions I found online were about running a local node on your laptop. So I finally gave up and uninstalled it. If they want adoption, they need to make it very easy to administer and monitor.
That said, you've inspired me to give it another shot.
It may be good for the world, but I'm sure governments will find ways to punish you for contributing to it, because it reduces their control. I seem to recall reading something a while back about someone being prosecuted for something to do with child pornography that turned out to be related to traffic on his Tor relay.
@Craig - this is why I've never started one. Are there adequate defenses against being prosecuted for traffic across your link? I live in Texas, so I'm not thinking my local courts are gonna really care about service provider/consumer boundaries very much.
@Airforceteacher: To me, the issue is not whether there are "adequate defenses" (as in, you won't be convicted and sent to prison) but how much it will cost to defend yourself against clueless and/or malicious prosecution.
You don't have to run exit nodes. Those are much more dangerous to run and are not something you really want to run from your home. If you are just relaying traffic between tor nodes you aren't likely to get in trouble since that traffic is all encrypted and isn't going to anyone who is likely to complain.
^Right. It seems that some of you are a bit confused here. A Tor bridge is not the same thing as a Tor node, let alone a Tor exit node. A Tor bridge allows people to access the Tor network in regions where direct access has been blocked. Just read the linked article or go to torproject.org for the details.
@mas90: "doesn't it defy the point of Tor to have many bridges hosted by the same provider"
Bridges are special TOR nodes that serve as entry points for users that cannot reach the TOR network by normal means.
Bridges commonly do not form entire circuits, they are only the first hop.
@Alan Porter: "I could never tell if [my TOR relay] was actually doing anything or not"
You should notice a difference in your monthly traffic statistics... ;-)
torservers.net has a wiki to tell you exactly how to set up a bridge and stats to see its usage. Go through their wiki.
@mas90 Amazon does not have access to the disk or memory contents of client systems. They could, of course, sniff network traffic but that is of limited value in this case.
@mas90: The reason why it's ok to run bridges specifically in Amazon is that bridges are only ever entry points. TOR Cloud has the aim of providing easy ways to add more & harder to block entry points into the TOR network - a shotgun effect. It's literally a few steps to configure & then it's running, and it's not in your home.
To answer your underlying question, TOR can't protect against a global adversary that can observe all Internet traffic, because then you can correlate input into TOR with output from TOR and effectively circumvent it.
By comparison, if for example China can only effectively monitor the traffic across the Great Firewall, and TOR routes to an exit node in the United States that they can't observe, then there is no way to trace a statement sent from that exit node to a Chinese citizen.
It goes without saying that if one wishes to avoid traffic sniffing before or in TOR that one runs some suitable end-to-end encryption. (It is notable that TOR itself has never guaranteed privacy, only anonymity between source & destination - any TOR node could in theory snoop traffic). The new game played by censors is spotting encrypted traffic to TOR relays and automatically blocking it. This in and of itself suggests that TOR works for at least a subset of cases, because they'd not need to try & block it if they could monitor it.
The reason bridges specifically are of interest is that normal TOR relays are fairly open about being a TOR relay, and state censors can easily probe & block them. Obfuscated bridges attempt to circumvent this both by being hard to track down (there is no full list of bridges) and the traffic itself is obfuscated so as to not appear to be TOR traffic. This makes it much harder for observers to block automatically.
Obfs3 is the new protocol in the obfuscation arms race as obfs2 has (I believe) been blocked in China, and the majority of bridges are not yet running it. This is another reason for the 'call to arms' in adding more updated bridges.
@Airforceteacher: You are confusing bridges & pure relays with exit relays. You can run bridges or pure relays without likelihood of interference because they only route traffic to & from sources or other nodes in the TOR network. It's the exit relays that come under fire as they appear to be the source of malicious traffic as far as the victim is concerned.
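The bridge role discussed in the comments above (entry point only, never an exit, traffic wrapped by obfs3) written out as a Tor configuration file. This is an added example, not part of the original post or any comment; the nickname, contact address, port, bandwidth caps and obfsproxy path are assumptions to adjust for the host.

```conf
# Added example: minimal torrc for an obfuscated bridge.
# Values marked "assumed" or "placeholder" are not from the page.

# No local client proxy; this host only serves other users.
SocksPort 0

# Port Tor listens on for incoming connections (assumed).
ORPort 443

# Run as a bridge: the descriptor goes to the bridge authority
# instead of the public relay list, so there is no full list to block.
BridgeRelay 1

# Never act as an exit: no traffic leaves the Tor network from this host.
ExitPolicy reject *:*

# Pluggable transport: obfsproxy wraps client connections so they
# do not look like Tor traffic on the wire (binary path assumed).
ServerTransportPlugin obfs3 exec /usr/bin/obfsproxy managed

# Optional caps so the bridge does not saturate a small uplink (assumed).
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes

# Placeholders.
Nickname examplebridge
ContactInfo bridge-admin@example.org
```

Whatever port the obfs3 transport ends up listening on has to be allowed inbound in the firewall or security group alongside the ORPort.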
There's a data center willing to colocate Raspberry Pis for free (the colocation is free, you pay for the Pi). It's only 500 GB/mo but it may help depending on how much TOR traffic there is out there.
The torproject web site shows no plea for bridges in either blog or FAQ. For quite some time, the FAQ has been suggesting that relays are more valuable than bridges. I'd like to see something other than an arsTechnica article based on "a message to the Tor relays mailing list."
@Dean I would have thought it's self-evident that Tor needs both. Bridges are pointless without relays, relays are blocked without bridges. Thing is, relays are more expensive to run.
According to the traffic analysis done in the Tor project, a relay needs to shift at least 30KB/s up & down 24/7 to be of benefit to the network, and preferably more. It states that anyone running less should run as a bridge. Most home ADSL just can't achieve a decent speed reliably in both directions, and should run bridges if they are going to run anything.
So sure, relays are more valuable, but not everyone can afford to run them, and relays are useless without bridges unless you're already in the convenient position of having unrestricted Internet access.
I disagree that one can reliably say it's a "goodness for the world."
Like everybody else, I have a moral responsibility for what I do. By participating in Tor, I would assist people in concealing their identity and actions. If I knew that I were helping only victims of repressive regimes, I might do it. However, I might just as easily be assisting the regimes themselves. By definition, there is no way to know whom you're supporting-- missionary or terrorist. Unlike an ISP, which can claim amoral (not the same as immoral) "mere conduit" status, and profit objective, if I choose to be a conduit, I am personally responsible for the help or harm caused by my participation. This hazard has made me wary of Tor for years, and I would like to hear others' discussion of it. Please also point out any technical errors I have made.
The ISP has a financial interest in "choosing" to be a conduit. Their customers might not be the self-selecting few whose activities depend on anonymity, but can they really claim to be amoral either? (Particularly when they can either block/throttle BitTorrent, or support network neutrality and indirectly profit from piracy - either way, there are decisions and moral implications.)
To date, missionaries have done and continue to do more damage than terrorists, and there are many more of the former.
You must explain why a corporation offering to conduit for fee and profit has no moral obligation, and why an individual offering to conduit as a public service has personal responsibility.
You seem to be saying that a tor relayer, who cannot examine the message and usually cannot identify either source or destination, is nevertheless responsible; whilst a corporation may feign ignorance, as long as they make a profit. What if a corporation can increase its profits by betraying its customers?
I'm currently running an ADSL connection. In the next year I will be upgrading to a fiber-based Internet connection. When that happens I will be opening up a Freenet node, a Tor exit node, and a public Wi-Fi exit point. All of this will be done as a public service to make it easier for people to communicate. It costs me next-to-nothing to do this. It can greatly benefit others.
Surely you could say that contributing to TOR is not unambiguously 'good', but that's true for pretty much everything in this world.
You have to decide for yourself whether the chance of helping 'bad' people (or harming 'good' people) offsets the chance of helping 'good' people.
In the concrete case of TOR, I would not think that 'bad' people would need your help as much as the 'good' people do (the assumption is that 'bad' people, be they governments or criminals, have other ways of getting anonymous internet access that are out of reach for 'good' people).
No love for I2P? All nodes are relays by default. Install and run it and you're done. No risk of getting blamed for anything, it doesn't even officially support exit nodes (outproxies are still possible, but have to be manually configured on both ends).