Tor Four Hops Instead of Three

by: ColdwaterQ on September 11 2013

As it turns out, using some simple statistics, any person controlling the first and last node in a chain can correlate the two, no matter how many nodes are in between the two. As such this article is pointless and inaccurate in a few ways, I will leave it up though in case someone else has the same thoughts.

At DefCon this year there was a talk Safety of the tor Network: A Look at network Diversity, Relay Operators, and Malicious Relays by Runa A. Sandvik. In this talk, among other things, it was mentioned that tor uses three hops, commonly known but it was new to me, and that there are considerably more people running relays, not exit nodes. This is understandable because exit nodes are potentially problematic and entry nodes require the relay to have been running for a long time.

Since only a few entry nodes are used by a user and exit nodes are considerably fewer than standard nodes it is potentially possible for a malicious party, like a government, to control the entry and exit node used by a user. If they do control the entry and exit node used by a user, that user loses anonymity. This is because of the three hops. Basically the original IP is known because the entry node receives the packets. Then the entry node knows the IP of the second node, and the exit node knows the IP of the node that sent the data to it (the second node), if the IP of the second node is the same, and the data is received in the same time frame, it is probably the same packet. Finally the exit node knows what is sent and where it is sent to. So the source, destination, and data are all known by the spies.

This can be fixed by simply using four nodes though. This is because the relays that pass packets within the network are much more plentiful, and as such harder to control a sufficient number to reliably deteriorate anonymity. For example, even with the entry and exit node controlled, the entry knows the IP of the second node, and the exit knows the IP of the third node. Controlling the second or third node is more difficult than the entry or exit node, increasing anonymity significantly, much more than adding any subsequent nodes beyond four would.

Obviously adding more nodes is stronger, but the more nodes that are added the slower the connection will be, however I believe that the increase in anonymity is sufficiently greater than the loss in speed when increasing from three nodes to four.

As my blog states, these are just my ideas, if I am incorrect or you have concerns, leave a comment, and I will do my best to update this post to adequately reflect them.