By looking at probability graphs for nodes at metrics.torproject.org, it seems that exit nodes can't also be guards (they have 0.0000% probability of serving as guard) and vice versa. Why is that so?
Asked
Active
Viewed 624 times
3
-
Just a guess, but it might be because exit nodes are in higher demand than guards, so if a node can be used as an exit, it is not added to the guard set. But you can use an exit node as a guard if you choose your own circuit. – Steve Dec 31 '18 at 18:17
2 Answers
1
Because guard relays (also called entry relays) can never be exit relays.
If you use a proxy or VPN, you have some anonymity, but also a single point of failure. If someone compromises the machine doing the relaying, they know your IP and the IP of where you're going.
Tor protects against that by having at least 3 proxies in between (relays):
You---[ Tor 1 (entry) ]--[ Tor 2 (middle) ]--[ Tor 3 (exit) ]--Destination
Relay 1 knows who you are, but not where you're going.
Relay 2 only knows where to forward it in the network.
Relay 3 knows where you're going, but not who you are.
This way, an attacker looking at the network can't easily see where you're going by looking at where the entry node is sending its data, or where the exit node is getting its data.
It follows that when you're trying to separate things this much, the two most sensitive relays, entry and exit, can not be run on the same machine.
-
1sure, but I still don't understand why shouldn't a guard relay also be an exit relay for the circuit in which other relay acts like a guard. Ofcourse it'd be a bad design that in the circuit the same relay acts like both guard and an exit, but I'm asking for the first scenario. – white_poppy Dec 30 '18 at 14:31
-
Your original phrasing doesn't make that distinction, but that's a good question. My guess is to limit how much (types of) information one node can get about the network, and to limit the impact of a single machine getting compromised. – J.A.K. Dec 31 '18 at 04:37
0
If the same relay is simultaneously used as a guard and an exit, it can deanonymize you.
The Tor client process selects the three relays which are to be used in any given circuit. Its selection is generally random, but there are a few exceptions. For example, there is a bias towards relays that have a higher bandwidth capacity, which is done in order to avoid overloading smaller relays. Additionally, no two relays on the same subnet will be chosen. Finally, no two relays in any circuit can be the same.
So why is this done? If the guard and exit positions were occupied by a single relay in any circuit, then that relay both simultaneously knows who you are and what you are doing. In essence, using the same relay as a guard and an exit short circuits the connection, allowing that relay to fully deanonymize you. Even if the relay is not malicious and does not log, its ISP does, and its ISP can deanonymize you.
This is actually the same reason why it's so dangerous to run Tor over Tor. Some people are mistakenly under the impression that it would increase anonymity, but it can actually guarantee deanonymization if done for a sufficient period of time. This is because the two clients cannot communicate with each other, resulting in a chance that the same relay will be used simultaneously as a guard and an exit.
forest
- 64,616
- 20
- 206
- 257