11

Being a LiveCD with no persistent storage by default, Tails currently does not use persistent Tor entry guards. In a recent post on the Tor blog, arma discussed the possibility of "improving Tor's anonymity" by increasing entry-guard persistence.

Is it dangerous to use Tails without persistent entry guards? From discussion on the Tails wiki, I gather that there's some tension between making entry guards persistent, and the ideal of complete amnesia. Is there unavoidable tension between being incognito and amnesiac?

Andrew Lott
  • 2,744
  • 5
  • 28
  • 46
esa
  • 199
  • 1
  • 3
  • 3
    You may probably need to rephrase your question to something like "What does it mean that Tails doesn't use Tor guard protection and how does it affect user?" – mrphs Oct 22 '13 at 10:34
  • Possibly with mentioning the latest Tails version that is known to be affected by this. It might change over time. "What does it mean that Tails releases up to $version doesn't use guards...?" – bastik Oct 22 '13 at 17:28
  • Without citation and context for that statement, this question is unanswerable. – mirimir Oct 23 '13 at 06:36
  • Persistence of entry guards is similarly problematic when anonymizing Bitcoins via Tor. While persistent entry guards do strengthen Tor against deanonymization, they also (in some small way, at least) fingerprint Tor clients. – mirimir Oct 23 '13 at 21:19
  • @mirimir I can't follow that. How do entry guards know you're using Bitcoin? Traffic fingerprinting somehow? Due to the size of the blockchain? And how could they link you to a specific Bitcoin address? – adrelanos Oct 23 '13 at 23:34
  • @adrelanos I wasn't clear. The context is extending nested VPN chains, with increasingly anonymous payment from Multibit clients in Whonix. Let's say that I move a Whonix instance from the first VPN exit to the second one, which is tunneled through the first. And let's say that an adversary is logging exit traffic from both VPNs. How unique is that Whonix instance's set of entry guards? Using Multibit wallets, which don't download the blockchain, I doubt that the traffic signature is that unique. – mirimir Oct 24 '13 at 01:08
  • How unique is that Whonix instance's set of entry guards? As (non-)unique as with stock Tor, since Whonix does change nothing about the entry guards. I think you could rephrase this question replacing Whonix with TBB or system Tor. – adrelanos Nov 01 '13 at 15:33
  • I find that question interesting and took the liberty to create a new question, see http://tor.stackexchange.com/questions/698/tracking-user-location-using-entry-guards. – adrelanos Nov 01 '13 at 15:48

1 Answers1

2

It depends on the threat model.

When one assumes an passive adversary keeping logs to which entry guards one is connecting to and when one plans to use Tor from different internet access points, it might be better to have non-persistent entry guards. This question Tracking User Location using Entry Guards? wheter this may or not be the case.

When one assumes an adversary hosting its own entry guards, it is safer to use persistent entry guards. Why? See question Why is a longer guard rotation period with fewer guards better than the other way around? and Peter Palfrader's answer.

The Tails developers have plans to implement persistent entry guards, see ticket. That ticket also contains additional extra information, such as a link to a discussion about a missing feature: Location-aware persistent guards. In an ideal world, users could enter a pin/token/password to choose various sets of entry guards (discussed in this Tor track ticket).

Community
  • 1
adrelanos
  • 2,787
  • 2
  • 19
  • 35