back to article It's time you were T0RTT a lesson: Here's how you could build a better Tor, say boffins

Academics in Germany say they've found a way to make Tor and similar onion networks more efficient and lower their latency. The crew at Ruhr University Bochum, Universität Wuppertal, and Paderborn University described their technique in a paper [PDF] this week accepted into next year's Proceedings on Privacy Enhancing …

  1. Blockchain commentard

    So, the software nerds create a hardware problem. Solution - buy new hardware. Not really a solution is it?

    1. Pascal Monett Silver badge

      Depends on how much you value your privacy.

    2. NorthIowan

      Re: Solution - buy new hardware

      It's the solution that's as old as computing.

  2. David Shaw


    was famously a US navy patented idea...I'm sure that's behind them now

    the political prisoner Assange became famous partly after he ran a Tor exit server... probably still an unhealthy thing to do

    and Tor has had a surprising amount of 'bug-doors' for the unwary user (typified by unique traffic staining visible by those who have mastery of the internet)...I'm sure that's all been solved


    1. Anonymous Coward
      Anonymous Coward

      Re: Tor

      "A political prisoner is someone imprisoned because they have opposed or criticized the government responsible for their imprisonment."

      Assange was imprisoned for fleeing the country to avoid the justice system, twice. (Fleeing sweden after being told they wanted to arrest him on suspicion of rape, then fleeing the UK when he realised he was going to have to face a court room where the evidence against him would be presented)

      As for the current extradition request, sympathy is quite a lot lower than it would have been if he hadn't done what he did prior to these charges being brought. It is also less likely that the US would have brought the charges if he hadn't spent the preceding years taunting the US and bragging about being above the law and able to do whatever the fuck he wanted without consequence.

      I would also suggest that you watch one of the presentations (pick one, they said it nearly every time) from the Tor developers describing the architecture and what sorts of attacks it does and does not defend against. Pay particular attention to the attacks it does not defend against part, specifically the one that they stopped mentioning in their presentations after that whole "fuck, now everyone knows about it" thing revolving around just-as-clueless snowy.

      Anyone who thinks that Tor makes your traffic undetectable to people like the 5 eyes because it bounces it between multiple endpoints, all of which are on a massive public list, is clueless as hell. It is a glorified proxy system, it is utterly pointless if your adversary is a major western intelligence agency. Or indeed anyone who has the resources to spend 5 minutes unsupervised with your physical hardware.

      1. David Shaw

        Re: Tor

        it seems that the Tor protocol bug-doors were deliberate traffic staining, presumably by someone on the development team - this was fine as I mostly trust 5EYE, knowing them well, but then the IRANIANS noticed these bugs and people/activists who HAD been led to believe that it was magic, suddenly were detained etc...

        and as for the political prisoner who is arbitrarily detained, not my opinion, but the same UN panel who have criticised the IRANIANS over arbitrarily detained Nazanin-Ratcliffe have made the call, over quite a time period

        I think with several agencies having mastery of the internet, any anomising/cloaking technology will likely have bug-doors, still.

        I can refer to some of my own related papers

        but I respect that other might have a different point of view

        1. Cynic_999

          Re: Tor


          I mostly trust 5EYE, knowing them well, but then the IRANIANS noticed these bugs and people/activists who HAD been led to believe that it was magic, suddenly were detained etc...


          Ask yourself which agency is more likely to target a private citizen and do them harm - their own government or a foreign government? The Iranians used the tracing techniques mainly to target their *own* citizens who were critical of the government. They are not really worried about Western citizens saying the same things from their own country, it is the internal threats they take seriously.

          The same goes for Western countries - you are far more at risk from your own government should you criticise it or spill its secrets than you are from a foreign government. For a start your own government can "get you" far more easily than a foreign government. Your trust in 5EYE is cute but extremely naive.

          You are however safe so long as you do nothing that might make your government (or the high-rollers of your country) feel in any way threatened. But if you do, then while you might not be run over by a bus or suffer an unfortunate attack from a poisonous umbrella (though you might), you could find there are other ways a person can be "neutralised." For example, your PC is found to be full of child-porn or similar obnoxious material, and you are arrested for something that will gain you zero sympathy with others, kill any credibility you may have had, and give you far more to worry about than exposing some dodgy unofficial government policy or dalliance by a member of the Royal family.

    2. Carpet Deal 'em

      Re: Tor

      Tor was almost certainly released to the public under "leaf in a forest" logic. The bugs that help law enforcement aren't necessarily the kind intelligence agencies would like their assets vulnerable to(and said agencies would have the resources to mount actual attacks should they care to, so the bugs are less important to the anyway).

      1. phuzz Silver badge

        Re: Tor

        I think part of the thinking was that TOR would be useful to people in regimes with very locked down and surveilled internet access, eg Iran and China, and that in general, anyone who needed something like TOR in those countries would probably be anti-government, and therefore the enemy of the US's enemy, - a friend. That it's also good publicity, ("look at us helping these people get uncensored internet access!"), probably didn't hurt either.

        Also, the more take up it had, the easier it would be for US agents in those (and other countries) to use TOR to hide their traffic without sticking out like a sore thumb.

        1. Claptrap314 Silver badge

          Re: Tor

          You honestly believe that a serious government would EVER willingly release current tools? "Hey, I've got a great idea! Let's tell the WHOLE WORLD just how we operate. What could go wrong?"

          Just like Google famously opensourced various tools after they moved on, the release of TOR meant that it had outlived it's usefulness for the big boys.

          1. phuzz Silver badge

            Re: Tor

            TOR was never a 'tool' in that sense. Anyone looking for suspicious activity will spot it straight away.

            This isn't something that their spooks would use, it's something they might pass to a source who they didn't much care about.

            Now that it's used more widely, it's possible their spooks might use it as an extra layer of obfuscation.

            1. Claptrap314 Silver badge
  3. Pen-y-gors

    Here's how you could build a better Tor

    Anyone know how you could build a better Tory?

    Or do we scrap the project as a total loss and dump the remnants in the 'failed' bin?

    1. Anonymous Coward
      Anonymous Coward

      Re: Here's how you could build a better Tor

      Frankly, if a repressive government has enough control of the wires and airwaves, they already have you at Layer 1 and there's little one can do against an adversary who controls the Physical Layer.

  4. Brian Miller

    Didn't know that Tor is O(n2)

    No wonder someone is working on a more efficient system. According to their paper, though, the new solution takes more memory and CPU. Maybe with some more work T0RTT can be improved. Would be nice to see their reference implementation.

    1. Michael Wojcik Silver badge

      Re: Didn't know that Tor is O(n2)

      My guess is they're using libforwardsec for the actual PFS scheme implementation (including the puncturable security). Not much reason to reimplement that, at least at this point; libforwardsec was created by Green and Miers, the authors of the original puncturable-security paper. And libforwardsec is presumably the inner loop on T0RTT's circuit-establishment scheme.

      So that would be the place to start, and there's a link to libforwardsec in the article.

      libforwardsec uses third-party components - RELIC, GMP, and Cereal. (G&M warn of possible security issues with them.) GMP is widely used and so I assume there's not a lot of fat left to cut from it, but I don't know about RELIC and Cereal.

      Also, G&M represent libforwardsec as "certainly better than many academic libraries", which I'd expect from Green, but as he'd be the first to say, that's a low bar. They say they haven't done a thorough review of it, and that probably means they haven't tried to optimize it either.

      Of course, optimizing crypto is a dangerous business; you want to avoid introducing side channels and other problems.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like