[tor-relays] Self hosting bridge at home - de-anonymization risk?

is there any documentation on self-hosting a bridge at home and using it for your own connections?
I am trying to understand why this isn't a recommended setup, would it lead to de-anonymization? Why/how much?
your traffic blends with other users directly via the same connection
other users use your bridge on a regular basis together with you and your hidden services
ISP monitoring of your exact connection times is made harder (not sure how much exactly)
I don't understand why hosting a bridge outside of your geographic location is necessary?

is it a problem that the first hop is from your own IP address if the other two hops are external?
were there any studies or similar questions asked before? I couldn't find anything

I can't find help anywhere, so would appreciate any advice

_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org

1 Like

Tersely: CWE-656.⁽¹⁾

   If you have nothing to hide about your security, you have nothing to fear. But in the proposed setup you have something to hide, and therefore to fear about.

   The approach relies entirely on the adversary not being aware, how things are set up. With this reasoning we could simplify it even further. Set up your own exit node, connect directly from it, skipping the entire Tor. As long as the adversary doesn’t know, you blend into traffic and can’t tell the difference.

   But this isn’t how security works and security through obscurity is a frequent anti-pattern. Tor’s security is rooted firmly in maths and network’s design, that are completely open. Whatever the adversary knows about them, it’s of little help. The guarantees of high cost to circumvent the protection still hold.

   With the proposed setup you throw away those guarantees. Replace them with little more than hope. Yes, it does provide some protection. But this is the same kind of protection as hiding keys under the doormat.

Cheers, mpan

On 24/03/2025 16:48, bjewrn2a--- via tor-relays wrote:

> is there any documentation on self-hosting a bridge at home and using it for your own connections?
> I am trying to understand why this isn't a recommended setup, would it lead to de-anonymization? Why/how much?
> your traffic blends with other users directly via the same connection
> other users use your bridge on a regular basis together with you and your hidden services
> ISP monitoring of your exact connection times is made harder (not sure how much exactly)
> I don't understand why hosting a bridge outside of your geographic location is necessary?
>
> is it a problem that the first hop is from your own IP address if the other two hops are external?
> were there any studies or similar questions asked before? I couldn't find anything
>
> I can't find help anywhere, so would appreciate any advice

____
⁽¹⁾ CWE - CWE-656: Reliance on Security Through Obscurity (4.16)

2 Likes

Thank you mpan, I agree, is the problem that I am using:
1. the same entry node for every circuit?
2. entry node can be traced to me directly, because it's hosted in my geographic
location (at home)?

I agree that blending your traffic with other users is security by obscurity and
it's not worth the cost of weakening tor network model
but what if you used tor normally, not through your own bridge, but through
"regular" randomly chosen 3-hop circuits and at the same time run a tor relay
(entry/middle) that regularly hosts tor traffic of other users
is it incorrect to assume that this would add some level of obscurity that would
benefit your anonymity? This wouldn't require weakening the tor circuit model
anymore

1 Like

s7r

> Why do you think this is a good setup, what do you think it provides in
> addition to the default usage?

I thought this will let you blend in your traffic and hide it from your ISP,
however as you mentioned later this may be not worth the risk (if it's of any
benefit, at all). Also a vanguards guide mentioned that you could reuse tcp
connections of other users:

> If you use a bridge hosted on the same machine, or same LAN, it will
> connect to the Tor network just fine, but every circuit will select hops
> number #2 and #3 (the exit) random. After N circuits, there is a 100%
> probability you might run into a malicious hop #2 or hop #3 or even both
> at the same time, discovering "your entry point" (...) it's something Tor
> tries really really hard to protect you from.

That is brilliant, yes, I thought there would be something implicit in the way
Tor circuits are designed that wouldn't work with this setup. This now makes
perfect sense. That is conclusive to me.

> If you make this bridge public (other Tor users use it too), it provides
> better protection and fingerprinting for hops #2 and #3, but your ISP
> will then know which Tor traffic is yours and which is relayed for other
> Tor users, because it will simply measure the bandwidth in both
> directions (in and out).

You don't think that blending your traffic with other users "at the source
address" (for example by running a middle/entry node) adds at least some layer
of obscurity (protection from ISP)? I am wondering if it wouldn't be an argument
to convince all tor users to also run their own relays to increase protection of
their own anonymity against their ISPs? This blending was hinted at for hidden
services at least in the guide to vanguards I linked above:

> The studies are everywhere, and it's one of the most important attacks
> that were tested. Search why we switched to static Guards (entry points).

Yes, I saw it mentioned a few times that entry nodes don't change as often as
other two hops to minimize chances of getting a malicious one, but I didn't make
the association in my setup, which you made now - thanks again.

> You are better off using a bridge operated by you but on a different
> network, maybe different geographic area, to make it harder for an
> observer (e.g. to have to watch multiple different places at once).

Yes, that was my conclusion as well and likely not just one bridge but a fleet
of bridges from trusted hosting companies. That's much more work.

> use a bridge that is shared with other users

completely agree

1 Like
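
The argument quoted in the post above (hops #2 and #3 are re-drawn for every circuit, while a static guard is drawn once) can be put in numbers. The Python sketch below is an added illustration, not part of any poster's message. It assumes a private bridge on the user's home IP, an adversary holding a fixed fraction of guard, middle and exit selection weight (the 5% figures are constructed), and independent draws per circuit.

```python
"""Cumulative exposure over many circuits: home bridge vs. long-lived guard.

Assumed model (not from the thread): each relay position is adversarial
with a fixed probability, drawn independently for every new circuit.
"""
import random


def p_hop2_sees_home_ip(f_mid: float, n: int) -> float:
    """Private bridge on the user's own IP: hop #2 connects to that IP.
    Chance that at least one of n circuits used an adversarial hop #2."""
    return 1.0 - (1.0 - f_mid) ** n


def p_linked_home_bridge(f_mid: float, f_exit: float, n: int) -> float:
    """Chance that at least one of n circuits had adversarial hops #2 AND #3,
    tying the home IP (seen by hop #2) to a destination (seen by hop #3)."""
    return 1.0 - (1.0 - f_mid * f_exit) ** n


def p_linked_static_guard(f_guard: float, f_exit: float, n: int) -> float:
    """Ordinary client keeping one guard for all n circuits: only the guard
    sees the client IP, and it is drawn once, so the result never exceeds
    f_guard however large n becomes."""
    return f_guard * (1.0 - (1.0 - f_exit) ** n)


def simulate_home_bridge(f_mid, f_exit, n, trials=20000, seed=1):
    """Monte Carlo check of p_linked_home_bridge with a fixed seed."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # One trial = n circuits; a hit needs both hops bad in the same circuit.
        if any(rng.random() < f_mid and rng.random() < f_exit
               for _ in range(n)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    F = 0.05  # constructed value: 5% of selection weight per position
    print(" circuits  hop2-sees-IP  linked(home bridge)  linked(static guard)")
    for n in (10, 100, 1000, 10000):
        print(f"{n:9d}  {p_hop2_sees_home_ip(F, n):12.3f}"
              f"  {p_linked_home_bridge(F, F, n):19.3f}"
              f"  {p_linked_static_guard(F, F, n):20.3f}")
```

With these constructed fractions the static-guard column never rises above 0.05, while both home-bridge columns climb toward 1 as the circuit count grows.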

That's pretty much my situation. I have a non-exit node at home, and I sometimes use Tor normally, for example with Torbrowser, which doesn't know it's sitting on a tor node and connects with the usual 3 hops.

Should anyone look at the traffic at my ip, he would see a constant flow towards other Tor nodes, and wouldn't know when it's also me browsing.

I really don't see any danger in this. I believe it would be worse if my personal Tor traffic popped up at specific moments among normal traffic. An observer would at least know when I'm Tor-ing. I don't see how this scenario would be better. Am I wrong?

My two cents, bye, Marco

bjewrn2a--- via tor-relays wrote on 3/25/25 16:23:

> Thank you mpan, I agree, is the problem that I am using:
>
> 1. the same entry node for every circuit?
> 2. entry node can be traced to me directly, because it's hosted in my geographic
> location (at home)?
>
> I agree that blending your traffic with other users is security by obscurity and
> it's not worth the cost of weakening tor network model
> but what if you used tor normally, not through your own bridge, but through
> "regular" randomly chosen 3-hop circuits and at the same time run a tor relay
> (entry/middle) that regularly hosts tor traffic of other users
> is it incorrect to assume that this would add some level of obscurity that would
> benefit your anonymity? This wouldn't require weakening the tor circuit model
> anymore

1 Like

> Thank you mpan, I agree, is the problem that I am using:
> 1. the same entry node for every circuit?

   Yes

> 2. entry node can be traced to me directly, because it's hosted in my geographic
> location (at home)?

   Yes up until word “because.” Geographic location is irrelevant or only tangentially relevant. The entry node itself is the identity.

> but what if you used tor normally, not through your own bridge, but through
> "regular" randomly chosen 3-hop circuits and at the same time run a tor relay
> (entry/middle) that regularly hosts tor traffic of other users
> is it incorrect to assume that this would add some level of obscurity that would
> benefit your anonymity? This wouldn't require weakening the tor circuit model
> anymore

   Yes, this is correct. The more Tor traffic goes through the machine that identifies you, the more confused an adversary is. It also makes naïve correlation attacks impossible,⁽¹⁾ and increases cost of more advanced ones.

____
⁽¹⁾ Ones incapable of dealing with noisy datapoints.

1 Like

> I have a non-exit node at home, and (...) I use Torbrowser that connects with the usual 3 hops.

Thanks Marco, yes, that's what I'm hoping to set up now, as well, however I
haven't seen this setup recommended on the official torproject websites. If you
are aware of any published studies or anything mentioned at conferences, please
let me know. Tor network is a complex subject and although it makes sense to me
it doesn't mean that a professional would take the same approach.

1 Like

> but what if you used tor normally, not through your own bridge, but through
> "regular" randomly chosen 3-hop circuits and at the same time run a tor relay
> (entry/middle)

> This wouldn't require weakening the tor circuit model
> anymore.

> Yes, this is correct. The more Tor traffic goes through the machine
> that identifies you, the more confused an adversary is. It also makes
> naïve correlation attacks impossible,⁽¹⁾ and increases cost of more
> advanced ones.

That is great news mpan, thank you. That would incentivize users to also become
relays - why isn't it recommended more often? This is the first time I ever hear
about it and it sounds like a powerful idea. Normally I only see tor relay
operators claim that they run tor relays purely altruistically:
https://www.reddit.com/r/TOR/comments/6znjkg/why_would_anyone_setup_a_tor_relay/
Are you aware of any articles from torproject or research papers confirming that
hosting tor relay at your own IP does in fact help your own traffic blend in?
I've looked through all tor proposals (Tor Proposals - Tor design proposals)
and many research papers (https://www.freehaven.net) and couldn't find any
mentions of this?

2 Likes

Sorry bjewrn2a,

I'm not aware of any paper about my approach. It just makes sense to me, and apparently to other people in this thread. Hopefully somebody from the Tor Olympus will tackle the subject one day.

Bye, Marco

bjewrn2a--- via tor-relays wrote on 3/26/25 22:48:

> > I have a non-exit node at home, and (...) I use Torbrowser that connects with the usual 3 hops.
>
> Thanks Marco, yes, that's what I'm hoping to set up now, as well, however I
> haven't seen this setup recommended on the official torproject websites. If you
> are aware of any published studies or anything mentioned at conferences, please
> let me know. Tor network is a complex subject and although it makes sense to me
> it doesn't mean that a professional would take the same approach.

2 Likes

All Tor relays -- even non-exit relays -- are in a public list. Many sites and services block access to all traffic coming from a Tor relay IP address. Either they don't understand how Tor works or (more likely, in my experience) they're just hostile to Tor.

If you host a relay on your home IP, you'll likely find that you are blocked from streaming services and other web sites (Cloudflare, for one, facilitates this and by some reports they control about 30% of web traffic).

On 3/26/25 11:56, bjewrn2a--- via tor-relays wrote:

> That would incentivize users to also become
> relays - why isn't it recommended more often?

1 Like

> but what if you used tor normally, not through your own bridge, but through
> "regular" randomly chosen 3-hop circuits and at the same time run a tor relay
> (entry/middle)

> This wouldn't require weakening the tor circuit model
> anymore.

> Yes, this is correct. The more Tor traffic goes through the machine
> that identifies you, the more confused an adversary is. It also makes
> naïve correlation attacks impossible,⁽¹⁾ and increases cost of more
> advanced ones.

> That is great news mpan, thank you. That would incentivize users to also become
> relays - why isn't it recommended more often? This is the first time I ever hear
> about it and it sounds like a powerful idea. Normally I only see tor relay
> operators claim that they run tor relays purely altruistically:
> https://www.reddit.com/r/TOR/comments/6znjkg/why_would_anyone_setup_a_tor_relay/

   To know why Tor Project itself doesn’t speak on this matter, you’d need to wait for a reply from somebody from the project.

   I may speculate, that the two topics are orthogonal: running a relay and using Tor. They don’t interfere with each other. In your original question they didn’t either. The problem was not running a relay and using Tor, but using Tor with the number of hops effectively reduced.

   It would also be poor advice, if directed towards a person wishing to only connect to Tor. Running a relay from home isn’t without downsides. Both for the operator (bandwidth use, facing hostility) and the network itself (completely inexperienced person is an easier attack target).

> Are you aware of any articles from torproject or research papers confirming that
> hosting tor relay at your own IP does in fact help your own traffic blend in?
> I've looked through all tor proposals (Tor Proposals - Tor design proposals)
> and many research papers (https://www.freehaven.net) and couldn't find any
> mentions of this?

   Specifically for Tor? No. For exactly the same reason I can’t point you to any research that confirms, that downloading 500 kB/s and 200 kB/s over Tor requires 700 kB/s. It’s a trivial consequence of basic knowledge for the given field. In this case probabilistics, flavored with practicality of correlation attacks and with signal processing basics (none of this in Tor specifically).

1 Like

>> The more Tor traffic goes through the machine that identifies you,
>> the more confused an adversary is. It also makes
>> naïve correlation attacks impossible,⁽¹⁾ and increases cost of more
>> advanced ones.

> To know why Tor Project itself doesn’t speak on this matter, you’d
> need to wait for a reply from somebody from the project.
>
> I may speculate, that the two topics are orthogonal: running a relay
> and using Tor. (...) The problem was not running a relay and
> using Tor, but using Tor with the number of hops effectively reduced.

True, I believe the original question is solved now - as you pointed out my
proposal of self-hosting and using a guard node from your public IP would put it
at a risk of de-anonymization to various attacks that tor network and many new
proposals try hard to avoid (vanguards in arti is a great example). You
rightly mentioned that guard node is intentionally set for longer periods to
make it less likely for a malicious relay to be chosen.

There were two aspects to this question. 1. whether it's a de-anonymization
risk, which you solved. 2. whether hosting tor traffic of other users around
your public IP will help you blend in and strengthen your anonymity. While it
makes sense to me and I believe to other users as well if performed via a
separate relay, but I would prefer to find more third party academic source,
ideally from torproject itself to confirm that.

1 Like

> I would worry about my IP address at home ending up on a blacklist, even
> with a bridge. Google and Microsoft have hidden blacklists with secret
> criteria to be listed there, and to get off them once listed is a
> long-winded pain. You only know there is an issue when emails won't
> arrive at gmail or Microsoft managed accounts and some web pages won't load.
>
> WebTunnel https bridges seem safe so far and my three had not ended up
> on blacklists on my VPS servers. I think because they are still a minority
> sport and have not been found by the blacklisting pedants.

Thanks Gerry, I will bear that in mind. My ISP contract provides only a dynamic
IP, so worst case scenario I will have to wait a few weeks for it to change (or
get my ISP contract rescinded :sweat_smile:). Want to try it myself and see how hard
exactly my life will become as a tor operator.

1 Like

> All Tor relays -- even non-exit relays -- are in a public list. Many
> sites and services block access to all traffic coming from a Tor relay
> IP address. Either they don't understand how Tor works or (more likely,
> in my experience) they're just hostile to Tor.
>
> If you host a relay on your home IP, you'll likely find that you are
> blocked from streaming services and other web sites (Cloudflare, for
> one, facilitates this and by some reports they control about 30% of web
> traffic).

Thanks Ron, I will bear that in mind. Want to try it anyway and see how it goes.

1 Like

> I would worry about my IP address at home ending up on a blacklist, even
> with a bridge. Google and Microsoft have hidden blacklists with secret
> criteria to be listed there, and to get off them once listed is a
> long-winded pain. You only know there is an issue when emails won't
> arrive at gmail or Microsoft managed accounts and some web pages won't load.

   If anything, Alphabet and Microsoft are among the last ones to make a fuss about running a relay. Whatever I think of both companies, nowadays their security teams are top notch experts. Their actions aren’t rooted in hearsay and ignorance. In 10 years, including an early experiment with a limited exit relay, I experienced zero issues.

   In my experience the biggest offenders are:
  • Governmental agencies and companies, with their networks run by absolute ignorants. Hardly capable of using a computer, shielded from the outside influence by procedures, protected from responsibility by operating within a political environment.
  • Small entities, both commercial and not, which are ignorant or lack resources to remedy the situation. They hear word “Tor,” they think “evil,” they blackhole packets, period. There isn’t even a way to contact them.
  • Companies offering security-as-a-product, or rather their customers. Customers blindly delegate tasks to the company, usually waiving their agency in that matter. The solution suppliers primarily care about brand image and marketing, not about actual quality. End of story, you’re trapped between “we can do nothing” and “we don’t care.”

2 Likes