Tor: A JAP Replacement

brian-slashdotnews at hyperreal.org
Thu Aug 5 21:26:04 PDT 2004


Link: http://slashdot.org/article.pl?sid=04/08/05/2352235
Posted by: CowboyNeal, on 2004-08-06 01:14:00

   from the trust-no-one dept.
   [1]kid_wonder writes "Wired is running an article [2]describing an
   answer to this [3]previous /. story. Packets are sent through a
   network of randomly selected servers each of which knows only its
   predecessor and successor. Packets are unwrapped by a symmetric
   encryption key at each server that peels off one layer and reveals
   instructions for the next downstream node. As a 'connection-based
   low-latency anonymous communication system,' [4]Tor seems to be the
   answer to [5]JAP to allow anonymous networking activities of all
   kinds."

References

   1. http://.moc.nielk-ttocs..ta..nielks/
   2. http://www.wired.com/news/print/0,1294,64464,00.html
   3. file://ask.slashdot.org/article.pl?sid=03/09/18/0051216&tid=158
   4. http://www.freehaven.net/tor/
   5. http://anon.inf.tu-dresden.de/index_en.html/

----- End forwarded message -----

Onion Routing Averts Prying Eyes
By Ann Harrison

Story location: http://www.wired.com/news/privacy/0,1848,64464,00.html

02:00 AM Aug. 05, 2004 PT

Computer programmers are modifying a communications system, originally
developed by the U.S. Naval Research Lab, to help Internet users surf the Web
anonymously and shield their online activities from corporate or government
eyes.

The system is based on a concept called onion routing. It works like this:
Messages, or packets of information, are sent through a distributed network
of randomly selected servers, or nodes, each of which knows only its
predecessor and successor. Messages flowing through this network are
unwrapped by a symmetric encryption key at each server that peels off one
layer and reveals instructions for the next downstream node.
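The layering described in the paragraph above can be made concrete with a small simulation. This is an added example written for this page, not code from the Tor project or the article: the stream cipher is a constructed HMAC-SHA256 keystream standing in for the real per-hop cipher, the relay names and keys are made up, and the "views" dictionary records the only routing information each relay ever sees (who handed it the onion, and where it forwarded the rest). Real onion routers also negotiate each hop's key interactively and protect every layer's integrity, which this toy omits.

```python
"""Toy onion routing: one symmetric layer per relay; each relay learns only its neighbours."""
import hashlib
import hmac
import os
import struct

LAYER_NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stream cipher for illustration (not Tor's cipher):
    keystream = HMAC-SHA256(key, nonce || counter).  XOR is its own inverse,
    so the same call both encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Seal one layer: plaintext = len(next_hop) || next_hop || inner blob."""
    hop = next_hop.encode()
    plaintext = bytes([len(hop)]) + hop + inner
    nonce = os.urandom(LAYER_NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def peel_layer(key: bytes, onion: bytes):
    """What one relay does: strip its own layer, read the next hop, return the rest."""
    nonce, ciphertext = onion[:LAYER_NONCE_LEN], onion[LAYER_NONCE_LEN:]
    plaintext = keystream_xor(key, nonce, ciphertext)
    hop_len = plaintext[0]
    return plaintext[1:1 + hop_len].decode(), plaintext[1 + hop_len:]


def build_onion(path, keys, destination: str, message: bytes) -> bytes:
    """Client side: wrap the innermost layer first (last relay's key) and the
    outermost layer last, so the first relay can peel it on arrival.
    path: relay names in forwarding order; keys: relay name -> symmetric key."""
    hops = path + [destination]
    onion = message
    for i in range(len(path) - 1, -1, -1):
        onion = wrap_layer(keys[path[i]], hops[i + 1], onion)
    return onion


def route(onion: bytes, keys, first_hop: str, sender: str = "client"):
    """Simulate forwarding through the relays.  Returns (destination, message, views),
    where views[relay] = (predecessor, successor) is everything that relay learned."""
    views = {}
    previous, current, blob = sender, first_hop, onion
    while current in keys:
        next_hop, blob = peel_layer(keys[current], blob)
        views[current] = (previous, next_hop)
        previous, current = current, next_hop
    return current, blob, views


def demo():
    """Three constructed relays carrying one request to a placeholder destination."""
    path = ["relay1", "relay2", "relay3"]
    keys = {name: os.urandom(32) for name in path}  # constructed per-relay keys
    onion = build_onion(path, keys, "example.invalid", b"GET / HTTP/1.0")
    return route(onion, keys, path[0])


if __name__ == "__main__":
    destination, message, views = demo()
    for relay, (prev, nxt) in views.items():
        print(f"{relay}: received from {prev}, forwarded to {nxt}")
    print(f"{destination} received {message!r}")
```

Running it shows that relay2 sees only relay1 and relay3: neither the client nor the destination appears in its view, and the blob it forwards is still encrypted under relay3's key.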

In contrast, messages traveling across the Internet are generally not
encrypted, and the path of a message can be seen easily, linking users to
activities like website visits.

The Navy is financing the development of a second-generation onion-routing
system called Tor, which addresses many of the flaws in the original design
and makes it easier to use. The Tor client behaves like a SOCKS proxy (a
common protocol for developing secure communication services), allowing
applications like Mozilla, SSH and FTP clients to talk directly to Tor and
route data streams through a network of onion routers, without long delays.

Onion routing does not guarantee perfect anonymity. But it helps protect
users from eavesdroppers who aren't watching both the initiator and recipient
of the message at the time of the transaction. Developers say Tor can be used
to prevent websites from tracking their users; block governments from
collecting lists of website visitors; protect whistleblowers; and circumvent
local censorship by employers, ISPs or schools that restrict access to
certain online services.

The Navy is financing Tor because it wants to hide the identity of government
employees who have long used anonymous communications systems for
intelligence gathering and politically sensitive negotiations.

"The point of the Tor system is to spread the traffic over multiple points of
control so that no one person or company has the ability to link people,"
said programmer Roger Dingledine. Dingledine and Nick Mathewson, both based
in Boston, are building Tor as a research platform with a worldwide community
of open-source software developers.

Their goal is to blend together a wide range of users and avoid the weakness
of many anonymizing services that are located on a handful of machines and
vulnerable to a single point of failure.

Companies could also use Tor for discreet competitive research, said
Dingledine, or to route their employees' Web browsing so employment sites
like Monster can't determine which of them are trolling for a job. "Plenty of
people don't want their source IP listed in Web logs, especially .mil or .gov
visitors," said Dingledine.

The security of the Tor service is proportional to the number of nodes in the
system. Tor is slowly scaling and looking for tens of thousands of
participants who can provide enough nodes to prevent the service from being
compromised by what the project website describes as "curious telcos and
brute-force attacks."

"The current Tor version very effectively builds on 20 years of development
in anonymous designs," said cryptographer David Chaum, whose 1981 paper on
untraceable e-mail, return addresses and digital pseudonyms set the
groundwork for the Tor service.

Tor is distributed as free software under the commonly used 3-clause BSD
license. About 1,000 users (it's an anonymous network, so developers aren't
exactly sure) are running the service in client or server mode.

The Tor network currently includes 35 servers that forward each data stream
at least three times. Each server averages 10 Kbps of bandwidth. Those with
reliable Internet connections, who can support at least 1 Mbps in both
directions, are being recruited as potential servers in the network.

Users are permitted to operate an unrestricted number of nodes. But
Dingledine pointed out that a well-funded adversary could sign up for a large
number of servers and potentially take over the network.
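The two preceding paragraphs (security proportional to node count, and an adversary who adds many servers) can be quantified. The following is an added example, not from the article or the Tor project, and it assumes a simplified model: a path of three distinct relays is chosen uniformly at random, and (as the article notes about eavesdroppers) the adversary must hold both the entry and the exit relay to link a user to an activity. Under that model the probability is c(c-1) / (n(n-1)) for c adversary-run relays among n; the figures 35 and 5 below are the article's node count and a constructed adversary size.

```python
"""Endpoint-compromise risk for a random 3-relay path, as a function of network size."""
from fractions import Fraction


def endpoint_compromise_probability(n: int, c: int) -> Fraction:
    """Probability that a uniformly random path of 3 distinct relays out of n has
    adversary-controlled relays at both the entry and the exit, when the adversary
    runs c of the n relays.  Entry: c/n.  Exit given entry: (c-1)/(n-1).  The middle
    relay does not matter.  Returned exactly as a Fraction."""
    if n < 3:
        raise ValueError("need at least 3 relays to build a 3-hop path")
    if not 0 <= c <= n:
        raise ValueError("adversary relays must lie between 0 and n")
    return Fraction(c * (c - 1), n * (n - 1))


def honest_relays_needed(c: int, target: Fraction) -> int:
    """Smallest total relay count n at which the endpoint-compromise probability
    for a fixed adversary of c relays drops to at most `target`."""
    n = max(3, c)
    while endpoint_compromise_probability(n, c) > target:
        n += 1
    return n


if __name__ == "__main__":
    for n in (35, 350, 3500):          # 35 is the article's figure; the rest are constructed
        p = endpoint_compromise_probability(n, 5)
        print(f"{n:5d} relays, 5 adversary-run: {float(p):.4%}")
    print("relays needed to keep the risk under 0.1% against 5 adversary relays:",
          honest_relays_needed(5, Fraction(1, 1000)))
```

The scaling is quadratic in the honest fraction, which is why recruiting thousands of independently operated relays matters more than any single relay's bandwidth, and why an adversary who can add relays freely, rather than watch existing ones, is the case the article singles out.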

Those who want to operate Tor routers must therefore convince the Tor
directory server operators that they are trustworthy and reliable. Dingledine
said developers are trying to find ways to scale the system without having to
have a human check the integrity of every new server that becomes part of the
network.

Dingledine said the developers of another online anonymity project, called
JAP, were forced by the German government to insert a backdoor into the
program and were barred from revealing it. If anyone insisted on similar
measures for Tor, Dingledine said the community of open-source developers who
analyze source-code changes for each Tor revision would expose it -- as they
did with JAP.

"The reason Tor works is that it's free and available software," said
Dingledine. "If it was a closed source or a proprietary system, there is no
way to know."

--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net

More information about the cypherpunks-legacy mailing list