Jump to: navigation, search

Template:Persistent Tor Entry Guards Introduction

What are Tor Entry Guards? If you do not know that yet, please press on expand on the right side.

Tor (like all current practical low-latency anonymity designs) fails when the attacker can see both ends of the communications channel. For example, suppose the attacker controls or watches the Tor relay you choose to enter the network, and also controls or watches the website you visit. In this case, the research community knows no practical low-latency design that can reliably stop the attacker from correlating volume and timing information on the two sides. </p>

So, what should we do? Suppose the attacker controls, or can observe, C relays. Suppose there are N relays total. If you select new entry and exit relays each time you use the network, the attacker will be able to correlate all traffic you send with probability around (c/n)2. But profiling is, for most users, as bad as being traced all the time: they want to do something often without an attacker noticing, and the attacker noticing once is as bad as the attacker noticing more often. Thus, choosing many random entries and exits gives the user no chance of escaping profiling by this kind of attacker.

The solution is "entry guards": each Tor client selects a few relays at random to use as entry points, and uses only those relays for her first hop. If those relays are not controlled or observed, the attacker can't win, ever, and the user is secure. If those relays are observed or controlled by the attacker, the attacker sees a larger fraction of the user's traffic — but still the user is no more profiled than before. Thus, the user has some chance (on the order of (n-c)/n) of avoiding profiling, whereas she had none before.

You can read more at An Analysis of the Degradation of Anonymous Protocols, Defending Anonymous Communication Against Passive Logging Attacks, and especially Locating Hidden Servers.

Restricting your entry nodes may also help against attackers who want to run a few Tor nodes and easily enumerate all of the Tor user IP addresses. (Even though they can't learn what destinations the users are talking to, they still might be able to do bad things with just a list of users.) However, that feature won't really become useful until we move to a "directory guard" design as well.

Source and License, see footnote: [1]

Persistent Tor entry guards as used by Tor, Whonix, Tor Browser Bundle (TBB) and others are beneficial for security, however in some situations it is safer to not use your usual guard relay.

The guard relays picked by your Tor client can make your Tor use fingerprintable across different physical locations and access points, potentially deanonymizing you in some corner cases such as the one described below. This attack is less severe that now upstream (The Tor Project) has moved from using three relays to a single one.

Consider this scenario: You run Tor from home. Then there is some prominent event or protest in your city that you attend and anonymously blog about it from there. The fact that your client is using the same entry guard from this other location gives network adversaries a high certainty that the anonymous posts came from the same person that was connected to that specific guard relay from their home. The relative uncommonness of Tor usage already exasperates the problem even more.

This is similar to tracking users by MAC addresses, so if this matters to you, you should keep care of that also.

Forum discussion:

  1. source:
    torproject.org What are Entry Guards? (w)
    license (w):
    Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License (w). All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.