[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2828: address remaining anonymity-violating linkages

[Tahoe-LAFS]

#2828: address remaining anonymity-violating linkages
--------------------------+---------------------------
 Reporter:  warner        |          Owner:
     Type:  defect        |         Status:  new
 Priority:  normal        |      Milestone:  undecided
Component:  code-network  |        Version:  1.11.0
 Keywords:  anonymity     |  Launchpad Bug:
--------------------------+---------------------------
 As described in #2384, even with Tor and ephemeral client->server Tubs,
 there are some remaining ways that servers (or the Introducer) can link
 the various actions of a single client, to build up a "client identifier".

 * storage servers can recognize multiple connections from the same not-
 yet-rebooted client
 * when Accounting is enabled, clients may present the same long-term
 pubkey to all servers (we might disable accounting when private-mode is
 turned on)
 * by watching storage-index access patterns, servers can probably
 recognize specific clients, or identify files that are shared by multiple
 clients (e.g. if the server observes a long delay, then fetches of SI A,
 then B, then C, then A is probably a rootcap, B is a subdirectory, and C
 is a file)
 * a malicious Introducer could deliver different (tagged) server
 announcements to each client, then watch the resulting connections, to
 correlate the client's main TubID with the server requests it then makes
 * client+server nodes use the same Tub for outbound introducer connections
 and inbound storage connections, which might reveal something (the TubID
 is included in the published announcement, so it's not clear that we can
 hide anything here)

 This ticket is about either addressing these linkages, or declaring them
 unfixable (so WONTFIXing this ticket is acceptable).

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2828>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage