Messages - astor

1351
hmm, except vendors will connect every day, so if you're watching the network, you can exclude everyone else.

The 90K daily users include people who connect occasionally. The number of people who literally connect daily may be 60K.

Then the numbers are:

Tor users

City of 100K: 20
City of 1M: 200

That makes things substantially worse for SR vendors, so it's best not to connect to the Tor network directly.


1352
Hidden services are still weak to correlation attacks, it just might be a bit harder for an attacker to be positioned to carry them out. I definitely think SR users are safer on Tor than I2P. The fact that I2P users are easily enumerated by itself makes Tor better for SR vendors. If SR vendors used I2P they would be quite fucked, as their crowd size is already "the people who are in this small geographic area where packages are shipped out of". If their crowd size was "The people who use I2P in this small geographic area where packages are shipped out of" they would be totally fucked,

Yep, great point, especially with how few of them there are.

The density of Tor users is fairly low, but not bad.

Looking at just the United States (because the distribution varies too widely from country to country to use the global statistics), there are 90,000 daily Tor users out of the 500,000 total daily users[1]. If my estimate of 3 million monthly users is correct, then there are 540,000 monthly users in the US. Out of a population of 310 million, that is 1 in 575 people.

In a city of 100,000 people, there are about 175 Tor users, which is probably too many to bother investigating unless the vendor is moving kilos.

In a city of 1 million, there are 1750 Tor users, so good luck finding the vendor.

(Alternatively, the vendor could use an obfuscated private bridge, making him impossible to find by watching the network. That defense doesn't exist for I2P users at all.)



OTOH, the density of I2P users is dangerously low.

Assuming that the total number of monthly I2P users is 10 times the number of simultaneous users, that's 200,000 total monthly users.

And assuming the same fraction live in the United States, that's 36,000 people, for a density of 1 in 8600.

In a city of 100,000, there are 12 I2P users.

In a city of 1 million, there are about 120.

I'd say you're fucked if you ship out of anywhere except a handful of metropolitan areas in the United States.


However, there is an argument that people who do not leak their rough geolocation are safer using I2P in some ways. They are definitely less weak to timing correlation attacks than Tor users are, and that is a big advantage. On the other hand they are also far weaker to intersection attacks than Tor users are, due to the fact that they are so easily enumerated. Hidden services can have down time without their anonymity being hurt much if at all, Eepsites that have down time can quickly have their anonymity set size reduced or even eliminated.

And presumably in many cases one can force downtime through application layer attacks, even if I2P is stronger to network layer DOS attacks.



1. It really is 500K, not 1 million: https://metrics.torproject.org/users.html#direct-users

1353
Off topic / Re: What is your Autism Quotient
« on: May 14, 2013, 12:16 am »
The average score of everybody who posted their specific score so far:

28 + 29 + 13 + 26 + 20 + 37 + 34 + 20 + 9 + 7 + 29 + 19 + 9 + 29 + 6 + 33 + 25 + 10 + 41 + 29 + 35 = 488 (up to shakedown)

488 / 21 = 23.23 , which is 6.83 points above the average in control groups, which is 16.4

Which shows selection bias in posting it to a drug community. Either,

1. Anti-social psychological traits cause people to use drugs, or

2. Drugs make people more anti-social.

(or both)

I would like to see the quiz answers broken down by question, to see which specific questions this group deviated the most from the norm on. I bet it was the social questions, and not questions related to numbers or visualizing things.

1354
I have never been very impressed by I2P, although it does seem to have the most vocal group of proponents. I personally see it as being similar to the Apple of anonymity networks: it has a hardcore fan base of people who know it is the best, but they don't seem to quite know why it is the best. I guess I would compare Tor to Linux and Freenet to BSD.

LOL, that's a great description, and of course that means clearnet is Windows.

A lot of the eepsites are also hidden services, so you can access them over the safety of Tor. Irc2p has an onion address, and I've chatted with the I2P folks there. In general, I find them to be a friendly, enthusiastic group of people who are doing innovative things with that technology.

However, there's not a lot of hardcore criminal activity on the network (mostly bittorrent), so they have no serious adversaries like LE. As such, the security of the network is untested and they are in a honeymoon period. As soon as someone decides to distribute massive amounts of CP or run a large drug market or terrorist forum on the network, their illusion of safety may come crashing down rather quickly.

Tor has already demonstrated its resistance to investigations and attacks by the FBI, Dutch police, and Anonymous hackers, among others.


Freenet is also estimated to have about 20K simultaneous users. There are two ways of looking at this though. Tor certainly has the most concurrent users, I think it actually serves over a million people per day now. On the other hand, Tor has the least routing nodes of the three major anonymity networks (Tor, I2P, Freenet). Tor has about 3,500 routing nodes, I2P and Freenet have about 20,000 routing nodes each. You get anonymity gains by having a bigger userbase as well as by having more routing nodes (in the case of I2P and Freenet clients and routing nodes have about a 1:1 ratio, for Tor the ratio has been about 400:1 .) If somebody can see Tor exit traffic, they know the traffic originated from one out of over a million possible Tor users (since more than a million people use Tor, just not at the same time).

I think that number is closer to 3 million, based on annual browser bundle downloads (36 million), and adjusting for re-downloads of monthly releases (divided by 12).


On the other hand, if they see content published to Freenet, or somebody accessing an Eepsite, that content/access came from one out of only about 20,000 users.

Yes, and they also (potentially) know all 20K IP addresses, whereas they know 0 Tor user IP addresses unless they run entry guards, and then they know some single digit percentage of IP addresses.


Looking at it another way, assuming all nodes route the same amount of traffic (which they certainly do not, but for the sake of argument. In reality we would need to compare bandwidth added), an attacker who adds 1,750 nodes to Tor can see roughly 50% of the traffic routed through Tor, an attacker who adds 1,750 nodes to I2P can only see 8.75% of traffic routed.

Adding 1750 nodes (or even a small number of nodes that add 50% more bandwidth) will be much more noticeable on Tor than on I2P, so in practice you may be worse off with I2P, since you would simply stop using Tor.


So from the start your anonymity with Tor is greater than your anonymity with I2P or Freenet, because you have a much larger set size to blend into. But from the specific perspective of an end point timing attack (by far the most worrying attack against Tor), you will be anonymous to the set size until you are deanonymized. This is really roughly speaking though because there are so many other things to take into consideration, but for the most part I think many users of Tor (especially the non-pseudonymous ones) will continue to be anonymous to the set size of users until they are deanonymized with a timing attack. Having a bigger set size to blend into at first is beneficial, but the risk of falling victim to a totally deanonymizing timing attack is also a lot higher because the number of routing nodes is a lot smaller (and therefore it is easier for an attacker to control a larger percentage of them).

It's not really comparable, because most I2P activity is internal to the network. So when discussing a correlation attack, it's only fair to compare "Tor use that only involves hidden services" to I2P, or to compare "I2P use that only involves outproxies" to Tor. On Tor you have 800 exit nodes, but as far as I know there are a scant few I2P outproxies. In fact, an attacker could easily run outproxies and control most of that activity.

A large percentage of the SR community only uses hidden services, specifically the market and this forum. So from that perspective, they are not susceptible to correlation attacks, their IP address is more difficult to enumerate (than on I2P), and they are part of a much larger anonymity set.

Setting aside attacks on the services, would you say SR users are safer on Tor or I2P?


Overall I definitely like Tor the most. It also has the enormous benefit of allowing traffic to exit the network. I2P is weak to an assortment of attacks that Tor is well protected from (although I2P is better protected against other attacks that Tor is not well protected from, for example internal timing attacks), Freenet is difficult to use for service providers, etc.

Yes, Tor's focus on allowing safe clearnet access is a huge benefit, and (I believe) the main reason it is the most popular anonymity network. However, another big weakness for I2P is that there is no safe web browser, leaving I2P users much more vulnerable at the application layer (regardless of network layer considerations).

1355
Now, the NSA has chosen to set up shop in switching centers around the country ( i work in such a place) ....they essentially have taps into the big data stream ...essentially ... it mirrors 100% of what goes through and at this point and time ....as i understand it ... they are looking for key words, patterns etc in the name of security

He's talking about internet exchange points. I've heard for years that the NSA is tapping IXes, but I've also heard that they are 1) storing everything, or 2) sampling a small portion of it, like 2%. Since 80% of the data moving across the internet is video and bittorrent stuff, and a good chunk of that is porn, it doesn't make sense to me to store everything, but what do I know.

I've always suspected they are searching for key words, although it may be rather sophisticated, so telling your friend you're sending them "1.5 CDs" in the mail is a pattern that they could pick up.

So what about the little protection called encryption you say ...well they used to say it would take a million years to crack AES 128 bit encryption if you tried all the combinations ..... here is where it gets even more scary ..the NSA has acknowledged they can't just crack these encryptions !!  so what are they planning on doing with all this encrypted data they are storing ..... WELL ..apparently ..they are on the brink of super computers ...with processing powers i can not explain b/c the numbers are so big it is incomprehensible ... they are designing them for one purpose ...to use brute force attacks to crack any encryption

He's talking about quantum computers, but there's already a lot of research into crypto algorithms that are resistant to quantum computation.

https://en.wikipedia.org/wiki/Post-quantum_cryptography

1356
Off topic / Re: What is your Autism Quotient
« on: May 13, 2013, 08:44 pm »
Although it's noteworthy (and perhaps sad) that alcohol makes me much less anxious. I become a very chatty and social drunk, as numerous people in this community can attest. Which supports the idea that many mental disorders are predictive of substance abuse.

1357
Off topic / Re: What is your Autism Quotient
« on: May 13, 2013, 08:33 pm »
29.

Some of those answers can stem from social anxiety, which I definitely have, or from anti-social behavior, which may be unrelated to autism. Hell, drugs can make people antisocial, so you're going to get biased results in this community.

1358
Although, I think the biggest issue with I2P is that there's no equivalent to TorBrowser. Some consider it a feature that you can use any browser, as long as you point it at the I2P tunnel, because a lot of people like to use Chrome, but vanilla browsers are vulnerable to all kinds of privacy leaks that TBB protects against. Eepsites can induce vanilla browsers to run Flash and Java, unless you take explicit steps to disable them. There are also issues with state isolation, cross-site identifiers, disk caching, and fingerprinting a la:

https://panopticlick.eff.org/

If you run Google Chrome with some unique set of fonts and I run Firefox with another unique set of fonts, we are uniquely identifiable across all eepsites. Here are all the things that TorBrowser protects against, which vanilla browsers don't:

https://www.torproject.org/projects/torbrowser/design/

TBB is patched to disable potentially dangerous JavaScript and CSS, without having to disable all JavaScript and break most web sites.

So you can either fix all those problems yourself (and apparently some of them can't be fixed in Chrome), or you can use Tor and TBB out of the box.

For now, I'll stick with Tor. :)

1359
I don't use Freenet but I am pretty sure a lot of users run in open net mode until they get a few peers and then switch to darknet mode using a few of those peers as their entry guards.

Ah yep, that would solve that problem.

An IRC friend of mine is a big proponent of I2P and wants everyone to use it, and it does let you do some cool things, like bittorrent and human-readable pseudo-domains, but ultimately the reason I can't bring myself to use I2P and Freenet is because I can't get over the fact that my IP address is exposed to random nodes on the network. I like the privacy that entry guards afford.

I also trust the relays more. There's a big, publicly accessible list of all the relays, with lots of info about them: hostname, geolocation, bandwidth, (usually real) contact info. You can see them running for months at a time, and people run scripts against them regularly to determine if they are acting maliciously. It makes me feel safer than connecting to some random, unknown IP address.

There's also the fact that I2P and Freenet are so small. On Tor, you're one of 500K daily users. That's a nice, big crowd to mix in with, compared to I2P's 20K simultaneous users. I don't know how many users Freenet has, but presumably it's even fewer.

The size and diversity of the Tor crowd are big privacy-protecting features. If you run a Freenet node, there's like an 80% chance that you're a pedophile, but if you connect to Tor, there's maybe a 10% chance you buy drugs, a 10% chance you're a pedo, a 5% chance you're a journalist, or whistle blower, or intelligence agent, or political dissident, or just somebody who is privacy conscious, or paranoid, or curious. There are way too many groups to conclude anything about a Tor user, if you can only watch their end.

1360
It is really hard to enumerate Freenet clients if they run in darknet mode.

Yeah, darknet mode is why I said "almost all". Presumably, very few people use it besides people in oppressed countries, where connections to the other (easily identifiable) nodes are blocked.

Darknet mode is the equivalent of an entry guard, except there is no mechanism to randomly pick from a set of guards, so you get linkability between the darknet guard and the person being guarded.


It is trivial to enumerate all I2P clients though. It is really hard to enumerate Tor clients because of entry guards and bridges and obfsproxy.

Freenet is really unique because it aims to provide plausible deniability in addition to anonymity. I2P has a little bit of plausible deniability from internal attackers (because essentially all clients route for each other, and there are variable length  paths), but not external attackers. Tor on the other hand is focused entirely on anonymity, it has pretty much no plausible deniability at all except for *maybe* if you run as an exit node and claim that connections to the clearnet came from Tor users (and even this will not protect you from an external attacker). If an attacker watches your Tor entry guard and the destination you surf to, you are pretty much fucked. If your direct freenet peers watch an illegal file being routed to you, they still cannot easily prove that you actually requested the file, for all they know you are just routing it for somebody else like they are. If they see you insert an illegal file into the network, they don't know if you are the person who originally published the file or if you are just routing on an inserted file like they are. The plausible deniability of Freenet is what makes it so much more robust than Tor.

I agree, it is more robust than Tor for users, with some big trade offs for publishers and service providers.


But like you mentioned, Freenet is very different from Tor and I2P. You don't run a normal server and anonymize it with Freenet, rather all of the nodes make some of their hard drive space available and content is hosted redundantly distributed throughout the network. This means running php forums etc on Freenet is impossible. However I do think a site like SR could operate on Freenet, it would just need to use custom client side software designed to work with Freenet. Just like there are Freenet specific software packages for forums, E-mail, etc.

Yeah, everything has to be moved to the client. I think it's more complicated than it looks to implement all of SR's features that way (managing bitcoins, for example), and potentially puts users at greater risk when they have to run a Java app made by an anonymous person. If the SR hidden service gets pwned and you anonymize your bitcoins and encrypt your address, there's not much LE can do to you. But if LE compromised DPR and modified his Freenet app, they could pwn everyone.

1361
You shouldn't use a phone for anything sensitive, but if you absolutely must, there are encryption options available. Look into RedPhone and TextSecure, both developed by a well known cryptoanarchist / hacker*. Make sure you root your phone, and remember that metadata like the numbers you call/text and the time of each communication will still be available to the carrier and LE. As the saying goes, "metadata in aggregate is content."

You're better off using desktop communication tools, email + PGP, softphones with ZRTP, and running everything over anonymity networks.


* https://en.wikipedia.org/wiki/Whisper_Systems

1362
They can monitor enough relays to pwn a few of the people some of the time.

The thing is, since anyone can add relays to the network, then anyone can do this. China or Russia can add relays to spy on CIA agents. You either get robust private communication for everyone or no one. So the US government benefits from an anonymity network that they can't completely pwn.

1363
They can monitor enough relays to pwn a few of the people some of the time.

In contrast, they can run enough i2p and Freenet nodes to identify (though not pwn) almost all of the people, all of the time. On i2p, they could probably pwn some of the people, some of the time. On Freenet, it is unlikely they could pwn anyone, but you couldn't run a service like SR on Freenet.

And with any one hop proxy or VPN, they can pwn all of the people, all of the time.

So those are your options.

1364
i notice that the latest version of tails offers obfsproxy which in theory i believe prevent isp from seeing you are even using tor? i hope i got that right. so can anyone who is tech savvy as i certainly aren't answer this for me please.

so if my above statement is correct would this work in preventing my isp from seeing my tor activity?

It depends on how interested your ISP is in finding out if you're using Tor.

In most cases, using any bridge should be sufficient, since the vast majority of ISPs are not spamming the BridgeDB to identify the bridge IPs.

The purpose of an obfsproxy bridge is to defend against deep packet inspection, which is a way to fingerprint (even encrypted) connections, to determine what type of connection it is. obfsproxy tries to look like another type of connection.

There may be a couple dozen countries in the world where ISPs are doing that, and the victims of this censorship are a small minority of Tor users, but Tor Project gets paid to help those people, so we have obfsproxy.

Now, the reason why I didn't give an absolute Yes answer to your question, is that apparently China is able to identify and block connections to obfsproxy bridges that use version 2 of the protocol. They've either figured out how to DPI the connection, or they blast suspicious IP addresses with random blocks of data and look at the response.

So, it is possible to identify obfs2 bridges, and it could be possible to identify obfs3 bridges in the future. I guess then they'll come up with an obfs4 protocol or something totally different. It's a never ending cat and mouse game where they try to stay one step ahead of the adversary.


But if you're in a western country, you're *probably* ok with any bridge.



So every time i boot into tails i press tab type bridge on boot up i enter the two obfs2 address into my network settings and off i go.

is this correct?

Well, you might as well go with obfs3 at this point, to future proof your setup a little. :)

1365
You think Satoshi or DPR are ghosts in the machine, try finding out about Maxim Kammerer, or mkdesu as he goes by.

Not sure if people realize this, but Maxim Kammerer is a pseudonym, too.

https://en.wikipedia.org/wiki/Maxim_Kammerer

I wonder why there aren't more people screaming that he's an FSB agent or something.

I've always found the anonymity community's selective application of paranoia to be curious and entertaining.
