%deffont "standard" xfont "Arial:style=Regular"
%deffont "thick" xfont "Arial:style=Bold"
%deffont "typewriter" xfont "Courier New:style=Regular"
%deffont "italic" xfont "Arial:style=Italic"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%deffont "standard" xfont "comic sans ms-medium-r"
%%deffont "thick" xfont "arial black-medium-r"
%%deffont "typewriter" xfont "courier new-bold-r"
%%deffont "type2writer" xfont "arial narrow-bold-r"
%%deffont "standard" tfont "standard.ttf", tmfont "kochi-mincho.ttf"
%%deffont "thick" tfont "thick.ttf", tmfont "goth.ttf"
%%deffont "typewriter" tfont "typewriter.ttf", tmfont "goth.ttf"
%%deffont "standard" xfont "helvetica-medium-r", tfont "arial.ttf", tmfont "times.ttf"
%%deffont "thick" xfont "helvetica-bold-r", tfont "arialbd.ttf", tmfont "hoso6.ttf"
%%deffont "italic" xfont "helvetica-italic-r", tfont "ariali.ttf", tmfont "hoso6.ttf"
%%deffont "typewriter" xfont "courier-medium-r", tfont "typewriter.ttf", tmfont "hoso6.ttf"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 8, fore "black", back "white", font "thick", hgap 1
%default 2 size 8, vgap 10, prefix " ", ccolor "black"
%default 3 size 6, bar "gray70", vgap 0
%default 4 size 6, fore "black", vgap 0, prefix " ", font "standard"
%%
%%default 1 area 90 90, leftfill, size 9, fore "yellow", back "blue", font "thick"
%%default 2 size 9, vgap 10, prefix " "
%%default 3 size 7, bar "gray70", vgap 10
%%default 4 size 7, vgap 30, prefix " ", font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 5, vgap 40, prefix " ", icon arc "red" 50
%tab 2 size 4, vgap 35, prefix " ", icon delta3 "blue" 40
%tab 3 size 3, vgap 35, prefix " ", icon dia "DarkViolet" 40
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%center, size 8, font "thick", back "white", fore "black"

Anonymity loves company: usability as a security parameter

%size 7
Roger Dingledine
The Free Haven Project
%font "typewriter", fore "blue"
http://freehaven.net/
%font "thick", fore "black"
WUPSS, July 2004
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Outline

%leftfill
	Anonymity is a network effect
	Usability: "whether it does what people want"
	Theory: How to align usability with security
	Practice: The deployed systems don't match up so well with the theory
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Anonymity: Who needs it?

	Private citizens
		advocacy, counseling, whistleblowing, reporting, ...
%size 6
	Government applications
		research, law enforcement, tip lines, security
%size 6
	Business applications
%size 5
		(hide relationships and volumes of communication)
		Who is visiting job sites?
		Which groups are talking to patent lawyers?
		Who are your suppliers and customers?
		Is the CEO talking to a buyout partner?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Anonymous transport, not data

	I'm talking here about the low level transport.
	By default the transport should leak no information, and then the user can choose from there what to disclose.
	Cookie scrubbing, etc needs to happen too, but at a higher layer.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Mixing with other messages

%newimage -xscrzoom 75 "F5.eps"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Anonymity is a network effect

	Unlike encryption, it's not enough for just one person to want anonymity
	Usability affects security!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Distributed trust

	An anonymity system can't be just for one entity (even a large corporation or government)
	You must carry traffic for others to protect yourself
	But those others don't want to trust their traffic to just one entity either
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

The Economics of Anonymity, Financial Crypto 2003

	Anonymity requires _inefficiencies_ in computation, bandwidth, storage
	Issue one: enough traffic to create anonymity
	Issue two: enough capacity to handle users
	Result: there is an equilibrium!
	High-sensitivity users run nodes, low-sensitivity users provide cover traffic
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Wait, this is only high-latency traffic.

	Most users prefer faster traffic, and also streams.
		(interactive speeds: web browsing, AIM, ssh, etc)
	We can crank down the latency -- which attracts more users, but alas they mix less well.
	So we want it faster, to get better security.
	And we want it slower, to get better security.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

One analogy

	Securing all the machines on the Internet
	If other people have lax security, this impacts my spam, distributed denial-of-service, etc.
	Security is a network effect here too.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Practice: Mixminion

	http://mixminion.net/
	Deployed high-latency system. Paper at IEEE Security&Privacy 2002.
	We talked about high-sensitivity users running nodes. In reality,
	The high-sensitivity people don't want people to realize even that they care.
	The people who run nodes do it to help the world (human rights, civil liberties, ...)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Practice: Tor

	http://freehaven.net/tor/
	Deployed low-latency system. Paper at Usenix Security 2004.
	Many many more users.
	Also nicer because it's easier to integrate with a web browser than a mailer.
	If we made it usable for file-sharing, we'd have even more.
	Not sure that we want that though.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

More issues

	Hard to get people to run exit nodes.
	Hard to safely accept arbitrary servers.
	Some attacks on anonymity still work.
	Many users will be happy with a single-hop proxy.
	Socks proxy (dns problems) vs VPN/IP tunnel (install problems).
	Packages (apparently) mean the logs are hidden.