Tor Entry Guards

I’m quite confused with Tor Entry Guards Whonix wiki article (can’t post the link).

Previously, I was religiously following the rule “less entry guards = better security”, based on Whonix wiki recommendations.

Many well-known, enhanced anonymity designs like Tor, Whonix ™ and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user.

Creating a new Whonix-Gateway ™ (sys-whonix) will likely lead to a new set of Tor entry guards, which is proven to degrade anonymity.

Forcing the rotation of guards more often than Tor’s default is dangerous for several reasons:

• It increases the likelihood of a compromised or malicious Tor guard being selected. This raises the chance of a successful correlation attack if the adversary runs Tor exit relays in the network

According to this information, more entry guards = bigger attack surface, higher chance of a compromised Tor guard. So, if you use multiple Workstations with multiple Gateways, it is recommended to use one entry guard for all Tor applications. That is what I always thought before.

Now it is absolutely different:

If I’m correct, Increase Protection from Malicious Entry Guards: One Guard per Application paragraph of the article is fairly new.

It was discovered that 1 guard/client per internet-connected program (not identity!) is the safest possible configuration. In fact, the probability of a network adversary observing a user’s activities is lower than the default scenario, whereby one Tor Entry Guard is relied upon for all applications.

So, I was wrong all the time? Different entry guards should be used not just for every separate identity, but per every internet-connected program?

For example, I have 10 separate identities. Each one of them has it’s Tor Browser, Email, IRC, Jabber and Mumble (5 programs total). According to this recommendation, I should use 50 different entry guards (50 different Gateways)?

@HulaHoop I would be very glad if you could help me to understand this topic.

Reading the footnotes of that wiki chapter Increase Protection from Malicious Entry Guards: One Guard per Application might also help finding out where this is coming from.

There are various issues with that wiki chapter.

Increase Protection from Malicious Entry Guards: One Guard per Application

One Guard? Meaning literally a single Tor entry guard (one IP address) only? Not the Tor default which is a set of Tor entry guards. A set meaning multiple.

How many Tor entry guards will Tor use by default? That’s a good question.

• see Tor manual NumEntryGuards
• guard - Does increasing NumEntryGuards decrease anonymity? - Tor Stack Exchange
• [tor-relays] We're trying out guard-n-primary-guards-to-use=2 - tor-relays - Tor Project Forum

Maybe that wiki chapter needs updating anyhow due to some new developments. Namely 1) above forum post by Roger and 2) Vanguards - Tor Anonymity Improvement? I think when that wiki chapter was written that was prior 1) (for sure) and prior 2)?

Increase Protection from Malicious Entry Guards: One Guard per Application

If taking this literally, does it mean 1 guard or leave the number of guards up to Tor?

That wiki chapter might also conflict with the other wiki chapters…

• Does Whonix ™ Modify Tor?
• Can Whonix ™ Improve Tor?
• Tor Routing Algorithm

…where we are essentially saying “leave the Tor routing algorithm to the Tor developers”.

In fact, the probability of a network adversary observing a user’s activities is lower than the default scenario,

Why is the probability lower?

What’s the default scenario?

To apply this Increase Protection from Malicious Entry Guards configuration, follow these steps:

1. Import a Whonix-Gateway ™ into the hypervisor that has never been started.
2. Take a snapshot and name it “Original”.
3. Start Whonix-Gateway ™ and wait for Tor to finish bootstrapping (connecting).
4. After Tor has connected, shutdown Whonix-Gateway ™ and take another snapshot - the naming convention should match the intended activity, such as “Email”.
5. This snapshot should be used with all Whonix-Workstation ™ snapshots related to/called “Email”, whether it is identity “John Doe”, “Jane Doe” and so on. Note the Workstations should also be generated separately from a clean baseline.

When a separate activity is required such as IRC, users should revert to the Whonix-Gateway ™ snapshot (labelled “Original”), then repeat the same steps. That is, allow it to boot and connect to Tor, shut it down, then take a snapshot entitled “IRC”. Note that if a webpage IRC chat client is used, then this should be done from “Browsing” snapshot.

I don’t think these instructions do actually anything at all. [*] Instructions do not include any step to change any Tor entry guard. By following the instructions as is, the same Tor entry guard will be used for “Email”, “IRC” and “Browsing”.

[*] Before Tor does guard rotation.

In any case, for all of this, very much also this applies:

I don’t think these instructions do actually anything at all.

Really, these instructions are nonsense which confuses me even more. It’s either a mistake or the whole “One Guard Per Application” concept is wrong.

That’s why I initially quoted @HulaHoop, because it seems that this idea is based entirely on his discussion with Tariq Elahi.

Thanks for dropping in. This advice from Tariq of one guard per app/use case supersedes the current conventional wisdom of one guard for everything. It compartmentalizes your activity so even if you were to have a bad guard only part of what you do is exposed while the downside of using more more guards minimally raises the risk of exposure.

Tor’s “default” is of little relevance here since it has no concept of virtualization or different apps. This is an overlay and a product of the way we use it in Whonix.

No let me explain below

No You use 5 different guards only because it’s the number of apps we care about. So five different snapshots of the Gateway started from a pristine condition.

The only time you’d use separate GWs is when you want to multitask and run two activities at the same time rather than firing up a single snapshot *say for email first) doing your thing then restarting the next one for Mumble for example.

• I don’t think these instructions do actually anything at all. Meaning, the instructions don’t influence Tor entry guards.
• This is because the instructions do not include any step to change any Tor entry guard.
• By following the instructions as they are currently written, the same Tor entry guard will be used for “Email”, “IRC” and “Browsing”.

Interested. Found:

'Is the Whonix advice on using multiple guards better than the Tor standard? - General Discussion - Tor Project Forum

No answers yet.
@HulaHoop when you have time please review Tor Forum link. Think discussion presents your position but hate assume.

Making the Tor guards page easier to understand is on my long list but eventually I’ll do it. This thread you ink to is unfortunately of littel value since no reputable dev has chimed in, but they need not do so since this question has already been settled by a researcher whose work guides their dev planning.

Thank you for taking the time to look.

Good to know. Appreciate response and all your work.

Understood. No worries. Thanks!

In the case that the app is a web browser then the Tor blog post makes sense, but you could take their advice and also do the 1 app per 1 guard proposal, and get the best of both worlds.

Which blog post was Tariq referring to?