MUTE Privacy FAQ

From Planet Peer Wiki

Contents 1 MUTE Privacy Attack FAQ 2 MUTE isn't totally anonymous and perfect, what gives? 3 How are search senders protected? 4 What about a Gwebcache "attack" making all IPs point to a "hostile" node? 5 What about timing attacks?

MUTE Privacy Attack FAQ

(Feel free to ask a question on the *Mailing List* and then post the answer here for future reference, please follow the format already created here)

MUTE isn't totally anonymous and perfect, what gives?

Yes, MUTE isn't completely anonymous, there will always be possible attacks.

The home page talks about how "MUTE protects your privacy", but not about how "MUTE guarantees your privacy".

MUTE Website and this MUTEAttackFaq describe several attacks and how MUTE makes these attacks difficult.

How are search senders protected?

Senders are protected because each node doesnt know if the file-request-packet it just received comes from a person that actually wants to start a download or if it was just forwarded for somebody else.

What about a Gwebcache "attack" making all IPs point to a "hostile" node?

GWebCaches (script running the MUTE host caches) only allow 1 update from a given IP address every hour, so they already prevent a single IP address from flooding the cache. The harder problem is the prevention of flooding by many IP addresses that are all owned by the same attacker.

What about timing attacks?

levine-timing.pdf

The kind of timing analysis that they are talking about doesn't apply to MUTE. Look at the very top of page 4. They assume that the first node on a proxy path knows that it is the first node on the path (i.e., knows that it is talking directly to the sender). This is not true in MUTE, since any node could be a relay, and no intermediary node can be certain that it is talking directly to the message sender.

Their attack goes like this:

S -> A -> B -> C -> D -> R

S = sender R = receiver

Attacker controls A and D, and is trying to prove that S is sending to R. By timing S's packets and correlating the timings with the packets being sent to R, they can guess that S is actually talking to R.

In MUTE, node A would not know that it was talking to S, and node D would not know that it was talking to R. An attacker in MUTE would be trying to figure out which node is S in the first place... forget about even trying to figure out who S is talking to.

To figure out who S is, A can use timing attacks of a different kind... if response messages from S come back very quickly, A can *guess* that S is its direct neighbor. Notice the word "*guess*", you still may be one or more hops away through very fast nodes.