On Tue, Jun 19, 2012 at 2:06 PM, Robert Ransom <rransom.8774@gmail.com> wrote:
> On 6/19/12, Nick Mathewson <nickm@freehaven.net> wrote:
>> Filename: 202-improved-relay-crypto.txt
>> Any new approach should be able to coexist on a circuit with the old approach. That is, if Alice wants to build a circuit through Bob1, Bob2, and Bob3, and only Bob2 supports a revised relay protocol, then Alice should be able to build a circuit such that she can have Bob1 and Bob3 process each cell with the current protocol, and Bob2 process it with a revised protocol. (Why? Because if all nodes in a circuit needed to use the same relay protocol, then each node could learn information about the other nodes in the circuit from which relay protocol was chosen. For example, if Bob1 supports the new protocol, and sees that the old relay protocol is in use, and knows that Bob2 supports the new one, then Bob1 has learned that Bob3 is some node that does not support the new relay protocol.)
> This feature is unsafe to use. Each client must use the same circuit-extension protocol for every relay on every circuit it builds.
Do you mean that every client must use at most one circuit-extension protocol on all circuits, or do you mean that every circuit must be built by at most one circuit-extension protocol?
And why?
And how would you have either of those without having the choice of circuit extension protocol used at any hop in the circuit leak to the attacker which other nodes might be later in the circuit? (In other words, if I'm a guard, and I support an improved protocol, and I know the client supports it, and the middle node supports it, but the client does not use it, I can deduce that the exit node does not support the improved protocol.)
yrs,