[Udo]

Is this problem even solvable on a fundamental level?

Of course, they can work on preventing nodes forwarding hidden header information, but an entity with global network insight will always be able to correlate users by the timing of their transmissions alone.

The introduction of malicious nodes is a workable option for lesser players. But hidden in the realtime nature of the Tor network is always the possibility of deanonymizing users if you're a powerful agency that can afford to inspect a sufficiently large part of all network traffic - they don't even have to run any nodes themselves.

[brian_cloutier]

Yes, you just have to think about networking a little differently. The problem is that we share documents over connections. Immutable documents don't really need to get to you immediately, especially now that we have webapps with UIs which update instantly and which can perform non-trivial computation.

Onion routing with something like Mixminion[1] works much like Tor, but instead of establishing connections it passes messages between routers. Messages are arbitrarily delayed, preventing even traffic analysis from finding you.

However, using an anonymous remailer like Mixminion would require completely rethinking browsers and our protocols for web browsing. They simply aren't designed for a world where packets might take minutes to get to you.

[1] http://en.wikipedia.org/wiki/Mixminion

[Udo]

You're the second commenter to say that the answer to me having doubts if we can even in principle have an anonymous instant-tranfer network is: "yes, you just have to drop the instant part" ;)

[regd006]

> but an entity with global network insight will always be able to correlate users by the timing of their transmissions alone.

For what it's worth, this type of adversary is explicitly excluded in Tor's threat model[0].

[0] https://svn.torproject.org/svn/projects/design-paper/tor-des...

[x1798DE]

>Is this problem even solvable on a fundamental level?

I think it is, though it may never be practical. In theory, you could have every node everywhere constantly streaming encrypted noise to every other node, and when you actually want to communicate something, you just switch out the noise for something you actually care about. You'd never know who is actually talking and who is just sending noise.

As you can imagine, that would take a lot of bandwidth and probably a lot of computing power, but it would have very high latency.

EDIT: To clarify, I mean nodes on the network, not relay nodes. Potentially you could use a relay system, but that wouldn't be necessary if everything on the network was constantly in connection with everything else on the network.

[sp332]

Maybe something based on the Dining Cryptographers? https://en.wikipedia.org/wiki/Dining_cryptographers_problem Someone actually implemented it, but it didn't seem very practical. https://www.youtube.com/watch?v=4BQQcoROQoI

[peterwwillis]

Sure it is; it's just impractical. If you force the entire network to play by certain timing rules and mangle the traffic in a uniform way it'd be very difficult to analyze the network to discover unique patterns. But this might also make the network impractical to use for anything but Twitter and e-mail.

[Udo]

Which was my point when I referred to the realtime constraint...