I think 1:1 App/Guard > multiple traffic types in one client. I want to edit the page to reflect that unless you are still unsure.
You mean A) Increase Protection from Malicious Entry Guards: One Guard per Application
is more important than B) New low cost traffic analysis attacks and mitigations? I guess that could be true.
- Attack A) means zero connection privacy maybe for everything all the time.
- Attack B) means the ISP can see which websites are visited all the time.
Yes, please edit.
A): What about users who only use 1 app, the Tor Browser and nothing else?
Yep. I even asked an expert to confirm.
They would be screwed, but only for browsing traffic at that point. Other stuff would be "safe". Combining traffic may or may not provide a marginal protection, but if it doesn't then all of your activities' privacy is blown.
I don't know at all but I speculate it could be ~50-80% of Whonix users who only use the Tor Browser.
Also I don't understand the distinction between application and activity here.
Common ground: Tor Browser is an application, OK. HexChat is another application OK. So far we agree. Now Increase Protection from Malicious Entry Guards: One Guard per Application claims "Tor Browser and HexChat" should use different Tor circuits. Alright.
But why does it matter? From perspective of Tor, it's all just TCP traffic. Tor doesn't look if it is coming from Tor Browser or HexChat. That difference doesn't exist anymore at that level. (Except these applications are configured to use different Tor SocksPorts.)
Now reductio ad absurdum.
- User A): uses Tor Browser, HexChat, Thunderbird, OnionShare, Electrum, Monero → 6 applications → "you should use 6 different Tor entry guards".
- User B): uses Tor Browser for browsing, uses Tor Browser IRC Chat add-on or IRC webchat, uses cloud file send services, uses web wallet → 1 application → "you should use only 1 Tor entry guard".
As more and more functionality moves from previously standalone applications (HexChat, Thunderbird, …) into the browser the less the distinction between applications makes sense to me.
It would sound a lot more convincing to me to tell user B "use a different Tor entry guard per activity". Why should users not use a different Tor entry guard by activity?
- [1] Considered true (?): use a different Tor entry guard per application
- [2] Considered true (?): do not use a different Tor entry guard per activity
How can [1] and [2] be considered true at the same time?
1App:1G just assumes the worst and doesn't attempt to create cover traffic, but argues for putting your apps/eggs in different guard baskets.
He never argues against segregating website visits to different guards so we can assume this is just as valid. Worth asking once a dialog starts, but logically this advice is equivalent. The idea is to fragment a user's anonymous traffic so no guard can construct a full picture if it decides to be evil.
Turns out everything I thought I knew about snowflake and bridges was wrong:
https://lists.torproject.org/pipermail/tor-dev/2020-January/014127.html
The stuff running in the browser is proxy for the actual bridge that someone hosts. All bridge types need port forwarding.
You need custom code to mix client traffic and bridge traffic. The benefits are only for Onion services not clients.
In short we can safely scratch that off.