Crowds: Anonymity for Web Transactions
Michael Reiter and Avi Rubin
1998
Privacy Online
• Supreme Court Justice Louis Brandeis defined privacy as "the right to be let alone", which he said was one of the rights most cherished by Americans.
• The Internet represents previously inconceivable opportunities to monitor your actions and personal information!
• Just imagine the McCarthy hearings now.
Strong Privacy Online
• NSA, FBI, etc.
• Consumer databases, Acxiom, and Hackers
• What about *Bad Guys*?
"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."
- Bruce Schneier
• Good Guys: CIA, Undercover Cops, Biz., etc.
Opportunities for Exploitation
• Your computer’s IP address uniquely identifies you across web sites.
• Nothing illegal about cross-referencing.
www.genetic-diseases.com
www.insurance-online.com
Conclusions: Free Exchange
• The Internet’s benefit increases directly with
– the number of resources online
– the privacy people have in obtaining it
– the privacy people have in serving it
• Anonymity is a promising technology for providing user privacy.
Why Anonymity?
• Today, only 20% of web sites meet the FTC’s fair information practices.
• Anonymity is a technical means to privacy
– Without cooperation of the receiver.
• Legitimate social uses on the Net
– Allow for safe “whistle blowing”
– Privacy in medical issues or psychological counseling
– Web surfing privacy
– Web serving privacy
Anonymous Routing
• Anonymity is the state of being indistinguishable from other members of some group.
• Our goal is to provide a mechanism for routing that hides the initiator’s IP address
• Not trying to protect content of message.
– Can use end-to-end encryption for that.
• That said...
– Does not protect higher-level protocols/data.
– Doesn’t make sense to send “I’m Matt and my SSN is ...” anonymously.
Single Proxy
• Anonymizer.com
• Lucent personalized web assistant.
• You must trust the proxy! In fact, now they are in a position to monitor everything you do.
• Anon.penet.fi and the Church of Scientology
[Figure: single-proxy diagram with nodes I, P, R]
• Key Contributions?
Crowds
• Decentralized P2P solution
• Anonymous within the Crowd
• Jondo (John Doe)
– Proxy
– User
• Path based
Path-based Initiator Anonymity
[Figure: path diagram with nodes I, X, Y, Z, R]
Packets are passed from the initiator, I, to the proxies, which then deliver the packet to the responder, R.
Crowds Paths
[Figure: path diagram with nodes I, X, Y, Z, R]
• Weighted Coin Flip
• Spinner
Does it work?
• Threat models:
– Responder (end server): Beyond Suspicion!
– Local eavesdropper
– Malicious (collaborating) Jondos
• Types of attacks:
– Timing attacks
– Passive logging
– Traceback
Degree of Anonymity
• Not a Boolean question!
– Rarely undetectable
– Difficult to prove ID unless signed
• Range: Absolute Privacy, Beyond Suspicion, Probable Innocence, Possible Innocence, Exposed, Provably Exposed
Eavesdropping
• Messages are encrypted between jondos
– Otherwise complete exposure
• Information available
– Message timing
– Initiator?
– Messages to responders (but path length > 0 proxies)
[Figure: eavesdropping diagram]
Malicious Jondos
• Giving information
– Your IP address is seen by the next node in the path
– Being on the path means you might be the initiator
• Many attackers
– Ratio of attackers (c) to total (n) is important
– So is weight of the coin flip (pf)
• Innocent?
– If pf = 3/4 and n ≥ 3(c+1), probable innocence
– Higher pf implies greater resilience to attackers
[Figure: crowd path diagram with initiator I, jondos 1 to 5, and responder R]
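Added example (not part of the original slides): the probable-innocence condition above, checked in closed form and by simulating the weighted coin flip. The closed form (n - pf(n - c - 1))/n and the general bound n ≥ pf/(pf - 1/2) · (c+1) are taken from the Crowds paper's analysis; the function names and the choice of jondo 0 as initiator are assumptions made for this sketch.

```python
"""Crowds probable innocence: closed form vs. simulation (added example)."""
import math
import random
from fractions import Fraction


def p_predecessor_is_initiator(n, c, pf):
    """P(first collaborator's predecessor is the initiator | a collaborator is on the path).

    Closed form from the Crowds paper's analysis: (n - pf*(n - c - 1)) / n.
    """
    return (n - pf * (n - c - 1)) / n


def min_crowd_size(c, pf):
    """Smallest n giving probable innocence: n >= pf / (pf - 1/2) * (c + 1)."""
    if pf <= Fraction(1, 2):
        raise ValueError("probable innocence needs pf > 1/2")
    return math.ceil(pf / (pf - Fraction(1, 2)) * (c + 1))


def simulate(n, c, pf, trials=200_000, seed=1):
    """Monte Carlo estimate of the same probability (requires c >= 1).

    Jondo 0 is the initiator; the last c jondos collaborate (assumed layout).
    """
    rng = random.Random(seed)
    first_bad = n - c
    observed = hits = 0
    for _ in range(trials):
        prev, cur = 0, rng.randrange(n)        # initiator always forwards once
        while cur < first_bad:                 # an honest jondo holds the request
            if rng.random() >= pf:             # coin flip: submit to the responder
                cur = None
                break
            prev, cur = cur, rng.randrange(n)  # coin flip: forward to a random jondo
        if cur is not None:                    # a collaborator received the request
            observed += 1
            hits += (prev == 0)                # its predecessor was the initiator
    return hits / observed


if __name__ == "__main__":
    pf = Fraction(3, 4)
    for n in (5, 6, 12):                       # c = 1, so the bound is n >= 6
        exact = p_predecessor_is_initiator(n, 1, pf)
        print(n, float(exact), round(simulate(n, 1, float(pf)), 3), exact <= Fraction(1, 2))
```

With c = 1 and pf = 3/4 the probability is exactly 1/2 at n = 6 = 3(c+1), above it for smaller crowds, and below it for larger ones.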
Performance
• Path length
– A function of pf: larger = longer paths
• Latency
– note: all local nodes, no error info.
– note 2: older machines; encryption is more expensive
– latency of up to 13.5 seconds! (8.6 for 1-hop)
– No 0-hop tests
Scalability
• How many paths will node X be on?
– Suppose the average path length is l
– n nodes, so n × l positions on the path
– chance of picking node X = 1/n
– thus, expectation of l times on a path
• Independent of n
End of Crowds
Strengths
• Performance & Scaling
• Security against weak attackers
– single operators generally fail
– ISP, web site, your neighborhood eavesdropper, one person with a few jondos
• Parameter to trade off security/performance
Usability Weaknesses
• Must disable Java & ActiveX
• More generally, a good proxy required
– clean all traces
– could be bypassed?
• Group membership
– keeping a full list may be hard/expensive
– centralizing it provides a way to attack
– (intersection attack)
• Delay in joining
• Group size
– required to have either small or large groups
• Network delays
Security Weaknesses
• Problem
– strong eavesdroppers exist
– Sybil attacks (many bad peers)
– Combined attacks possible (e.g. local eavesdropper + responder)
• Collaborating members
– increasing bad peers guarantees compromise
– growing threat over time
• DOS + Sybil attack
– always changing non-sending members
Security Weaknesses
• Possible eavesdrop
– When many peers use the same ISP (cable modem, DSL), a full path may be controlled by the ISP.
• Exposure of information
– a path of nodes that sees all
– info. can allow attackers to guess at initiators
– can change web requests