How do you know that Tor nodes are not run by the same entity?

I know that if someone control all the 3 nodes that i connect to while using Tor, he can know who i am.

They do not even need to control all three, just two:

No adversary is truly global, but no adversary needs to be truly global," he says. “Eavesdropping on the entire Internet is a several-billion-dollar problem. Running a few computers to eavesdrop on a lot of traffic, a selective denial of service attack to drive traffic to your computers, that’s like a tens-of-thousands-of-dollars problem.” At the most basic level, an attacker who runs two poisoned Tor nodes—one entry, one exit—is able to analyse traffic and thereby identify the tiny, unlucky percentage of users whose circuit happened to cross both of those nodes. In 2016 the Tor network offers a total of around 7,000 relays, around 2,000 guard (entry) nodes and around 1,000 exit nodes. So the odds of such an event happening are one in two million (1⁄2000 × 1⁄1000), give or take (source).

In addition, as @ukmr pointed out in this post, the NSA doesn’t even need to run their own nodes. Even if you “own” a relay running on a VPS, the NSA probably still has some level of access to it via the VPS provider, who may be legally obliged to cooperate with them by sharing logs and other information. Full-disk encrpytion on a VPS is no defense:

Encryption just helps against an attacker who has to shutdown the server (see dedicated server), otherwise he can just dump the ram of the VPS. This way he gains access to the encryption key (source).

===

We don’t know who run the nodes, right ?

I believe you are right, but the problem of “poisoned nodes” is well known. For example, this article explains some of the attacks that malicious relay operators can perform and how Guard relays can help mitigate them. Here is another article about ways to discover bridges. Here is another article about attacks on Tor.

===

Now how can we know and ensure the most nodes are not run by the same entity, let’s say the American government ?

One way is to encourage “ordinary people” to run their own relays on physical hardware that they control. This will reduce the fraction of poisoned nodes in the network and thereby reduce the odds of de-anonymization for any given circuit. That is why community outreach is so important.

6 Likes