by markasoftware 311 days ago
It depends on your threat model. Tor is focused on hiding from small-scale passive adversaries (e.g., you're in Iran and don't want the Iranian government to see what you're doing. Or your ISP. Or any single node operator). Even the original Tor paper makes it clear that Tor isn't secure against a "global passive adversary" that can observe a large portion of global internet traffic, like the Five Eyes likely can today.

If you want to avoid global passive adversaries, a mixnet like Nym can work. I'm also working on a related project which takes a different approach of building your own circuit of proxy servers manually with lots of traffic padding: https://github.com/markasoftware/i405-tunnel

4 comments

I don't believe these solutions protect against flow correlation observations. If a global adversary is monitoring the entry and exit points, they can identify the user without needing to decrypt the traffic. There are research papers that demonstrate attacks on both these models.

Onion endpoint sites use encrypted traffic and the padding strategy, too, and are still susceptible to the correlation attack.

There's a security blog that publishes research papers on different attack models. It's a total PITA to find but I'll see if I can locate it.

edit: JFC... finally found it: https://www.freehaven.net/anonbib/

Correlation attack concept: https://www.ndss-symposium.org/wp-content/uploads/2024-337-p...

Attack against Mixnet and Nym: https://petsymposium.org/popets/2024/popets-2024-0050.pdf

There's some subtlety here so my apologies for the long reply.

Nym/Loopix (and I405, though it's so experimental I feel bad even talking about it) completely defeat end-to-end correlation attacks, where an attacker tries to find statistical similarities between the encrypted traffic on the first hop (from the user's home network to some proxy), and the final hop (from some proxy to the final destination clearnet site).

Tor is trivially vulnerable to end-to-end correlation attacks. In addition to the paper you posted, my favorite is http://petworkshop.org/2007/papers/PET2007_preproc_Sampled_t... , which describes how an adversary monitoring just a small fraction (<0.1%) of traffic at key internet exchanges could deanonymize many Tor users.

Nym/Loopix and I405 defeat end-to-end correlation attacks with the same basic idea: Send fixed-rate traffic on the first hop, regardless of whether the user is actually trying to send any tunneled traffic. Both sample from a statistical distribution to decide when to send the next packet, and they send an empty packet if there is no actual data to send. In this way, the traffic being sent on the first hop does not depend at all on the inner cleartext data the user is sending/receiving.

The Mixmatch paper, which AFAIK is the only published attack against Nym/Loopix, is NOT an end-to-end correlation attack. It relies on the attacker controlling one or more Nym "gateways" (equivalent of guard nodes in Tor) and therefore being able to decrypt traffic from users whose first hop goes through that gateway. Further, I believe that the attack described in this paper becomes increasingly difficult as the number of users increases, and the authors of the paper include Nym developers who are actively making changes to make this attack harder. It's not a fundamental weakness in Nym/Loopix, the way that E2E correlations are for Tor.
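
Added example, not part of the thread and not code from Nym, Loopix or I405: a small simulation of the first-hop cover-traffic idea described in the comment above, showing that the observable packet schedule is the same whether the user is idle or sending a burst. The exponential send gaps, the 1200-byte packet size and all function names are assumptions made for illustration; the burst is constructed input.

```python
import random

PACKET_SIZE = 1200  # assumed: data and cover packets are padded to one size


def first_hop_schedule(app_msg_times, mean_rate_hz, duration_s, seed):
    """Return (wire, delays): emitted (time, kind) pairs and per-message queueing delay."""
    rng = random.Random(seed)  # timing source; never consults the payload queue
    arrivals = sorted(app_msg_times)
    queue, nxt, t = [], 0, 0.0
    wire, delays = [], []
    while True:
        t += rng.expovariate(mean_rate_hz)  # assumed distribution for the next send slot
        if t >= duration_s:
            break
        # Application messages that arrived before this slot wait in the queue.
        while nxt < len(arrivals) and arrivals[nxt] <= t:
            queue.append(arrivals[nxt])
            nxt += 1
        if queue:
            delays.append(t - queue.pop(0))
            wire.append((t, "data"))
        else:
            wire.append((t, "cover"))  # empty packet fills the slot
    return wire, delays


def observer_view(wire):
    """A passive observer of the encrypted link sees only time and size."""
    return [(round(t, 6), PACKET_SIZE) for t, _kind in wire]


def demo():
    idle = []                                    # user sends nothing
    burst = [5.0 + 0.01 * i for i in range(40)]  # constructed burst starting at t=5s
    # Same seed for both runs: the schedule is a function of the RNG alone.
    idle_wire, _ = first_hop_schedule(idle, 20.0, 30.0, seed=1)
    burst_wire, delays = first_hop_schedule(burst, 20.0, 30.0, seed=1)
    same = observer_view(idle_wire) == observer_view(burst_wire)
    sent = sum(1 for _, kind in burst_wire if kind == "data")
    return same, sent, max(delays)


if __name__ == "__main__":
    same, sent, worst = demo()
    print(f"observer views identical: {same}")
    print(f"data packets carried: {sent}, worst queueing delay: {worst:.2f}s")
```

The queueing delay returned by `demo()` is the cost of this design: a burst has to wait for send slots instead of going out immediately.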

Nym is cool, but it has many of the same vulnerabilities as Tor. You can set higher per-node delays in principle, which means your packets will also take longer to get there. But this makes it hard to use most network protocols.

Isn’t i2p supposed to replace Tor?

nope they were both started within a year of each other. Lots of Tor fans will tell you that I2P is overly complicated. And indeed it seems to have had more vulnerabilities over the years.

I just use it to get books for free so idk about all the state regulation stuff.