-
I was reading https://github.com/Tribler/tribler/wiki/Anonymous-Downloading-and-Streaming-specifications ... isn't it the case that the hop1 can fake all next hops? It could generate any keypairs of next hops and become a tunnel aware of all communication for that circuit. And no one would notice.
-
Absolutely! However, there is only one situation in which the attacker can do anything with this information. There are a lot of nuances going on here (regarding cryptography and statistics) and I'll try to keep it short (I hope someone corrects me if I omit important info).

The promises of "naked" Tribler anonymous downloading

Before I jump into what we are trying to achieve, let me discuss what Tribler does when it connects its circuits to the Internet.

Tribler should strip out personally identifiable information from all torrent traffic when anonymously downloading. Simply observing exit traffic should not lead to being able to identify the traffic's source. There should never be any hard evidence that any particular user downloaded any particular torrent.

The circuit extension should not expose the length of a circuit. When you send data over a circuit any following node should only see a fixed-size packet that does not expose the length of the circuit. Therefore, any node (fake or real) should not be able to distinguish which hop it is in the circuit. This means that an attacker does not know whether it is forwarding data to yet another relay or to the origin of the circuit.

Tribler should randomly pick people in the network to create (and extend) circuits with. This comes down to strength in numbers. If an attacker has a very small presence in a network, it will be very unlikely that they can attack any particular user.

Tribler should rotate circuits based on time and their use. Even if some horrible security blunder occurs, every 60 seconds unused circuits are dropped and each circuit is only used up to 250MB or up to 10 minutes. Considering most torrents are used for large files, this usually only exposes a small part of a download.

[If Tribler ever breaks any of these promises, it would constitute a security vulnerability.]

The one attack that will work with "naked" downloading

Suppose an attacker controls every following hop in a circuit. There is still no way for it to know whether the preceding hop is the originating node, unless the attacker knows how long a circuit is going to be beforehand. An attacker may be asked to create a circuit with x hops (for which it may use fake identities) and it may know the origin is trying to create a circuit of x hops. In this case, the attacker knows it controls all hops and that the preceding node is the originating node. Of course, Tribler still rotates circuits for you. This should keep the damage at least to a minimum.

What we are trying to achieve

This attack keeps us up at night and has been leading our lab for years. This is captured in issue #1 and issue #3. To give some quick insight into what we're trying to do to resolve this:
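The rotation limits quoted in the answer above, modelled as an added example that is not part of the original discussion and is not Tribler's code. It assumes one circuit in use at a time, decimal megabytes, an idle rule of 60 seconds without traffic, and a hypothetical per-circuit compromise probability `p_bad` that is independent across circuits; it shows that rotation caps what a single compromised circuit can see, while a longer download uses more circuits and so raises the chance that some slice is seen.

```python
from dataclasses import dataclass

# Limits quoted in the answer above; units and the idle rule are assumptions.
MAX_BYTES = 250 * 10**6    # "up to 250MB", read as decimal megabytes
MAX_SECONDS = 10 * 60      # "up to 10 minutes"
IDLE_SECONDS = 60          # unused circuits dropped, modelled as 60 s idle

@dataclass
class Circuit:
    created: float
    last_used: float
    bytes_sent: int = 0

def must_rotate(c: Circuit, now: float) -> bool:
    """True once the circuit hits its byte, age or idle limit."""
    return (c.bytes_sent >= MAX_BYTES
            or now - c.created >= MAX_SECONDS
            or now - c.last_used >= IDLE_SECONDS)

def simulate(download_bytes: int, rate: int) -> list:
    """Bytes carried by each successive circuit, in one-second steps."""
    loads, now, left = [], 0, download_bytes
    c = Circuit(created=now, last_used=now)
    while left > 0:
        if must_rotate(c, now):
            loads.append(c.bytes_sent)
            c = Circuit(created=now, last_used=now)
        chunk = min(rate, left, MAX_BYTES - c.bytes_sent)
        c.bytes_sent += chunk
        c.last_used = now
        left -= chunk
        now += 1
    loads.append(c.bytes_sent)
    return loads

def exposure(download_bytes: int, rate: int, p_bad: float) -> dict:
    """p_bad: assumed chance that one circuit is fully attacker-controlled."""
    loads = simulate(download_bytes, rate)
    return {
        "circuits": len(loads),
        "worst_single_circuit": max(loads) / download_bytes,
        "p_any_circuit_exposed": 1 - (1 - p_bad) ** len(loads),
    }

if __name__ == "__main__":
    # Constructed inputs: a 4 GB download at 1 MB/s and at 100 kB/s.
    for rate in (1_000_000, 100_000):
        print(rate, exposure(4 * 10**9, rate, p_bad=0.01))
```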
-
I guess I was deluded by "tor-like network", or how I imagined tor to be.