De-anonymization risks when using a self hosted bridge at home for your own traffic?

I found a very similar topic, but it was specific to Snowflake, while I'm considering WebTunnel (and perhaps obfs4), which don't make a separate STUN connection, AFAIK.

Could you please help me understand whether using a self-hosted (at home) Tor bridge as your own entry node is considered harmful for your anonymity?

Is it a problem that the first hop is at your own IP address and the other two hops are external? If so, why or why not? Does it violate any fundamental assumptions behind tor circuits? Are you aware of any academic studies or other publications/documentation that discusses it in more detail?

Advantages of setting up a Tor bridge with the sole purpose of blending your traffic with other users: especially as I read (in this guide) that Tor can let you reuse the already established TCP connection directly. Other users use your bridge on a regular basis together with you, and perhaps also your hidden services. ISP monitoring of your exact connection times should be harder (not sure how much exactly, but still)? I don't understand why hosting a bridge outside of your geographic location is necessary.

Please see the network topology diagram below showing the two scenarios: one with the bridge hosted on your own network and one with an external bridge. Is either one weaker than the other in terms of de-anonymization risks (as described above)?

Also, I found this in the original 2004 white paper on Tor:
"If Alice only ever uses two hops, then both ORs can be certain that by colluding they will learn about Alice and Bob. In our current approach, Alice always chooses at least three nodes unrelated to herself and her destination." But could someone explain why they need to be unrelated?

Does it have to do only with correlation attack? Has it ever been more precisely quantified?

I've also heard that entry and exit nodes are the most important ones. Wouldn't the increased security of a self-hosted bridge outweigh any potential drawbacks?


I’m not a Tor expert, but IMO always using a local bridge is basically equivalent to having a Tor circuit of 2 hops, instead of 3. Thus, for one given circuit, if just the exit relay and the middle relay collude, they will know the source and the destination IP of the traffic.
Effectively you get no extra privacy from your entry relay if it’s always at your home.

However, to conclude that the actual Tor user is behind that source address, the adversary would have to know that you do, in fact, use Tor in such a way, which most people don't. I.e. they will know the IP address of the entry relay, but they won't be sure if the real Tor client is behind that IP, or if it's on a different IP and is just connected through this entry node.

If Alice were to pick an entry relay that is always close to her home, the middle relay would know that the Tor user lives close to that entry relay. If Alice were to pick an exit relay that is always close to the destination, the middle relay would know that the destination is close to that exit relay.

IMO it would be safer to just run a relay at home, but not always use it as the entry node. This way your actual Tor client traffic will be mixed with your Tor relay’s traffic, making it hard to differentiate one from the other.

But again, I’m not an expert.


Thank you

always using a local bridge is basically equivalent to having a Tor circuit of 2 hops, instead of 3
Yes, that's correct; please see scenario A in the above diagram, where only ISP 2 and 3 are needed to reassemble the circuit.

It would help me, though, if I could understand why Tor uses 3 hops in the first place and not 2. I am assuming it's correct, but in the end you only need 2 nodes (entry and exit) to reassemble the circuit, so I am not sure what the difference really is.

I am tempted to conclude, though, that using the same entry node, especially if it's in your physical location, puts you at higher risk of de-anonymization, because it reduces your 'anonymity set'. I am not 100% sure though; I haven't seen it properly explained yet.

Any potential gain from blending the traffic with other users wouldn't be worth it?

I found mentions of other people (Ross Ulbricht trying to combat "sniper attacks" on Silk Road) that used their own bridges, but only in large numbers (fleets), not as a single bridge, and likely not in the same location.

IMO it would be safer to just run a relay at home, but not always use it as the entry node. This way your actual Tor client traffic will be mixed with your Tor relay’s traffic, making it hard to differentiate one from the other.

Exactly, I am wondering about the same thing: would running your own relay to blend in with others (but not using it directly) still provide cover traffic? Are you aware of anyone doing it? It scares me how little such techniques are documented on the internet.


It would help me, though, if I could understand why Tor uses 3 hops in the first place and not 2.

There are at least hundreds of videos online which explain this. See EFF and the Tor Project’s videos on your video host of choice. Or search for the videos on their own sites.

Are you aware of any academic studies or other publications/documentation that discusses it in more detail?

One place to look is the PETs website for technical papers.

@WofWca’s first paragraph sums it up nicely.

…always using a local bridge is basically equivalent to having a Tor circuit of 2 hops, instead of 3. Thus, for one given circuit, if just the exit relay and the middle relay collude, they will know the source and the destination IP of the traffic.

This is made worse by the fact that suspect relays can be forced into a middle position in the 3-hop circuit. A miscreant running a malicious relay could be found out by the Tor Project and prevented from being a guard or an exit node. The Directory Authorities can flag that relay for all Tor clients to only use as the middle hop. Middle relays, by definition, should only ever communicate with the guard and exit, thus never seeing the client connecting or the exit traffic. (Answered your first question above. :wink: )

ALL Tor relay IP addresses are published for anyone to see. So what happens when a malicious relay checks the IP addresses it's talking with and finds one that's not on the public list of relays? It can deduce the IP is a bridge. And if you're running the bridge from your own location, it's a zero-hop step to find you.

I guess it's possible to configure your torrc to use a four-hop circuit to attempt to introduce more relays into the mix, but if your thought is to have a faster connection, this seems like it could be the worst of both worlds.

Apparently there are some people who hate the Tor network and its users so much that they spend time looking at the size of data blobs traveling over Tor. According to the tor man page, under HiddenServiceSingleHopMode:

…the fact that a client is accessing a Single Onion rather than a Hidden Service may be statistically distinguishable.

This is because the size of the initial outgoing request won't have as many relay addresses in it. I've read the same regarding onion services which use client authentication, and also those which have multiple public keys in them for client auth; their descriptors will vary in size, and a malicious relay serving up descriptors could figure such things out. Too bad they can't put their brain power to good use, instead of trying to tear Tor down.

I am tempted to conclude, though, that using the same entry node, especially if it's in your physical location, puts you at higher risk of de-anonymization, because it reduces your 'anonymity set'. I am not 100% sure though; I haven't seen it properly explained yet.

Maybe a coincidence, maybe not, but perhaps you started this identical thread on the relays list. [tor-relays] Self hosting bridge at home - de-anonymization risk? I thought the answers were good.

Oftentimes Keeping It Simple (KIS) is best. Since you want to help the network, consider running a Snowflake proxy; it's far easier to set up in a typical home network. On the 27th mine helped 81 people for a total of 1.6 GiB.


The way I understood it is that changes in a Tor circuit are designed with more frequent 2nd and 3rd hops, but a less frequent 1st hop, to prevent accidentally picking a malicious node.
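The two points made above (a bridge on your own IP turns every circuit into an effective two-hop circuit, and the long-lived entry guard exists so that the risk of picking a malicious first hop does not compound over many circuits) can be put into numbers. The following is an added example written for this page; it is not code from the thread or from the Tor Project. Everything in it is a constructed assumption: `c_mid`, `c_exit` and `c_guard` stand for the fraction of relay selection weight an adversary controls in each position, `n_circuits` is how many circuits the client builds while keeping the same guard, and, following the pessimistic reading in the thread, a malicious middle is assumed to attribute a non-consensus previous-hop IP to the client.

```python
"""
Added example, not from the thread or from the Tor Project: a small model of
how likely a colluding adversary is to link a client to its destinations when
the client (A) always enters through a bridge on its own home IP, versus
(B) uses one randomly chosen, long-lived entry guard.

Constructed assumptions: c_* is the fraction of the relevant relay selection
weight the adversary controls; n_circuits is the number of circuits built
while the same guard is kept; a malicious middle relay that sees a previous
hop not in the public consensus is assumed to treat it as the client.
"""
import random


def p_linked_home_bridge(c_mid: float, c_exit: float, n_circuits: int) -> float:
    """Scenario A: the first hop is the client's own IP.

    The middle relay's previous hop is an IP that is not in the consensus, so
    (by the assumption above) a malicious middle attributes it to the client;
    if the exit is also malicious, the circuit links client and destination.
    Middle and exit are drawn fresh for every circuit, so the per-circuit
    risk compounds over n_circuits.
    """
    per_circuit = c_mid * c_exit
    return 1.0 - (1.0 - per_circuit) ** n_circuits


def p_linked_with_guard(c_guard: float, c_exit: float, n_circuits: int) -> float:
    """Scenario B: one entry guard is kept across all n_circuits.

    An honest guard never allows a guard+exit collusion, however many
    circuits are built. A malicious guard links each circuit whose exit is
    also malicious, so the total risk is capped at c_guard.
    """
    return c_guard * (1.0 - (1.0 - c_exit) ** n_circuits)


def simulate(strategy: str, c: float, n_circuits: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the closed forms: fraction of simulated clients
    for which at least one circuit was linked. Uses the same adversary
    fraction c for every relay position (a simplifying assumption)."""
    rng = random.Random(seed)
    linked_clients = 0
    for _ in range(trials):
        if strategy == "home_bridge":
            # fresh middle and exit per circuit; both must be adversarial
            linked = any(rng.random() < c and rng.random() < c
                         for _ in range(n_circuits))
        elif strategy == "guard":
            # guard chosen once; only then does an adversarial exit matter
            guard_is_bad = rng.random() < c
            linked = guard_is_bad and any(rng.random() < c
                                          for _ in range(n_circuits))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        linked_clients += linked
    return linked_clients / trials


if __name__ == "__main__":
    c, n = 0.10, 1000  # constructed: adversary holds 10% of each position, client builds 1000 circuits
    print(f"home bridge, closed form : {p_linked_home_bridge(c, c, n):.4f}")
    print(f"home bridge, simulated   : {simulate('home_bridge', c, n, 2000):.4f}")
    print(f"entry guard, closed form : {p_linked_with_guard(c, c, n):.4f}")
    print(f"entry guard, simulated   : {simulate('guard', c, n, 2000):.4f}")
```

For a single circuit the two strategies are indistinguishable (both give c_mid*c_exit = c_guard*c_exit). The difference is in accumulation: with the home bridge the linking probability goes to 1 as circuits pile up, while with a guard it never exceeds the chance that the one guard you picked was malicious. The model deliberately ignores everything else in the thread, such as a malicious guard learning the client IP even without an adversarial exit, or the bridge also carrying other users' circuits, which makes the middle relay's attribution of the home IP to you probabilistic rather than certain.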

Thanks, I couldn't find anything specific on hosting a middle node for traffic obfuscation, but perhaps this is just a fairly banal idea.

Hmm, that doesn't sound quite right: if this Tor bridge is self-hosted but also shared with all other Tor users, this malicious middle node still shouldn't be able to tell that you are using it at any given moment.

I imagine that using 4 hops would make you stand out in some way? Is anyone doing it?

That is correct; I've been looking for an answer to this question for about a month, so you may also find it in other places - sorry.

I was actually planning to self-host a middle node; I imagine it's the same principle, and I think both help you obfuscate your own usage of Tor.

Also, sorry for the late reply.