Towards Flexible Anonymous Networks
Anonymous Communication designs such as Tor build their security upon distributing the trust in many volunteers running relays in many locations globally. These volunteers run the Tor code upon various operating systems, each potentially having different software packaging policies. In practice, it leads to a heterogeneous network in which many versions of the same Tor software exist, with a different set of protocol features. Because of the heterogeneous aspect of the network, the maintainers had to come up with forward-compatible protocol design strategies. Their role is to guarantee that different versions of the Tor software interact without unrecoverable errors. In this work, we cast the protocol tolerance enabled with forward-compatible protocol considerations as a double-edged sword. Despite being beneficial for the developers, we argue that protocol tolerance is the systemic cause behind many strong attacks against Tor in the past fifteen years. To address this issue, we propose FAN for Flexible Anonymous Network, a new software architecture for volunteer-based distributed networks that shifts the dependence away from protocol tolerance without losing the ability for the developers to ensure the continuous evolution of their software. We realize an implementation, evaluate the overheads and, experiment with several of FAN's benefits to defend against a severe attack still applicable to Tor today.
READ FULL TEXT