[messaging] Tor Hidden Services in (Cables, SMTorP, Pond)

Trevor Perrin trevp at trevp.net
Tue Jun 24 23:49:52 PDT 2014


Hi Bjarni,

On Sun, Jun 22, 2014 at 2:18 AM, Bjarni Runar Einarsson
<bre at pagekite.net> wrote:
>
> People's expectations from e-mail are indeed very low today. The user
> experience of e-mail is badly broken today and relays doing surprising
> things (in the name of security or spam protection) are the main reason
> why.

Dunno about that, I thought most people's experience with email was pretty good.


> Regarding relay servers vs. direct p2p, and protection of the social
> graph: I think the idea that monitoring the entire Tor network is
> somehow easier than compromising a few relay servers and simply
> watching the logs, to be patently ludicrous. :-)

You're overstating the attacker effort for "traffic confirmation" /
"end-to-end correlation".  The attacker doesn't monitor the entire Tor
network, they just have to monitor the traffic between you and Tor,
and between one of your correspondents and Tor.  For example if you
exchange SMTorP mail with someone using the same ISP, your ISP could
see this.

It's worse if one party is a server with intermittent uptime, like
SMTorP on a laptop.  The attacker can monitor one party's traffic and
see when they are polling for a recipient to come online, then
correlate that with recipient uptimes.

You're also overstating what compromising a relay and "watching the
logs" gets you.  If senders are contacting relays over Tor and
encrypting metadata, then compromising the relay doesn't reveal
relationships.  The attacker would still have to break Tor to discover
the sender.  So relays aren't an alternative to Tor, they can be
additive (e.g. Pond).


> Regarding case for/against send vs. receive relays in SMTorP
[...]
> Since SMTorP addresses are just something at foo.onion, if you use a
> receive relay then the relay operator owns your e-mail address, making
> him a middle man you cannot get rid of

As Brian points out, that's not strictly true.  With SMTP, the domain
owner can change the MX to a different relay.  I don't know if you can
use a public key to redirect to a hidden service in Tor's DHT, but in
principle it's possible.

(BitTorrent has also talked about using pubkeys as identities, and a
DHT for user lookup, it will be interesting to see what they come up
with:

http://engineering.bittorrent.com/2013/12/19/update-on-bittorrent-chat/
http://blog.bittorrent.com/2014/06/11/bittorrent-chat-the-want-for-privacy/
)

Trevor
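
The polling/uptime correlation discussed in this message, modelled as an added example that is not part of the original post: it counts how many candidate recipients remain consistent with a sender's observed polling, for intermittently online hosts versus always-on endpoints. The host names, uptime intervals, poll times and the 60-second poll period are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PollRun:
    start: int  # first failed poll seen on the sender's link (seconds)
    end: int    # poll that succeeded, i.e. the recipient was reachable

def online_at(intervals, t):
    """True if t falls inside any (came_up, went_down) interval."""
    return any(up <= t < down for up, down in intervals)

def consistent(run, intervals, period):
    """A candidate fits a poll run if it was down at every failed poll
    and up at the poll that finally succeeded."""
    failed_polls = range(run.start, run.end, period)
    return online_at(intervals, run.end) and not any(
        online_at(intervals, t) for t in failed_polls)

def anonymity_set(runs, candidates, period):
    """Return the candidates still consistent after all runs, plus the
    set size after each run (how fast the uptime pattern identifies one)."""
    remaining, sizes = set(candidates), []
    for run in runs:
        remaining = {c for c in remaining
                     if consistent(run, candidates[c], period)}
        sizes.append(len(remaining))
    return remaining, sizes

PERIOD = 60  # assumed poll interval in seconds

# Constructed uptime intervals for four intermittently online hosts.
LAPTOPS = {
    "laptop_a": [(250, 2000), (4130, 6000), (9010, 9500)],
    "laptop_b": [(270, 2500), (3900, 5000), (9020, 9900)],
    "laptop_c": [(100, 1000), (4100, 4500), (9050, 9400)],
    "laptop_d": [(290, 3000), (4170, 7000), (8000, 9800)],
}
# Constructed observations: the sender polls until delivery succeeds.
LAPTOP_RUNS = [PollRun(0, 300), PollRun(4000, 4180), PollRun(9000, 9060)]

# Same candidates behind always-on endpoints: delivery succeeds at once,
# so there is no polling window to line up against anyone's uptime.
ALWAYS_ON = {name: [(0, 10**6)] for name in LAPTOPS}
RELAY_RUNS = [PollRun(300, 300), PollRun(4180, 4180), PollRun(9060, 9060)]

if __name__ == "__main__":
    print(anonymity_set(LAPTOP_RUNS, LAPTOPS, PERIOD))
    print(anonymity_set(RELAY_RUNS, ALWAYS_ON, PERIOD))
```

In this model three observed messages are enough to single out one intermittent host, while the always-on case leaves the candidate set unchanged.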

