Privacy, including the right to privacy of correspondence, is a human right. Privacy-enhancing technologies, such as the Tor anonymity network, help maintain this right. The increasing use of Tor from mobile devices raises new challenges for the continued effectiveness of this low-latency anonymity network. Mobile Tor users may access the Internet from a range of wireless networks and service providers. Whenever a wireless network hands-off a mobile device’s connection from one access point to another, its external Internet Protocol (IP) address changes, and the connection to the Tor network is dropped. Every dropped connection requires the Tor circuit to be rebuilt. The time required to rebuild the circuit negatively impacts client performance. This research is the first to highlight this negative impact and to investigate the likely extent of the impact for typical usage scenarios and mobility models. The increased network churn caused by circuit rebuilding also negatively impacts anonymity. A novel metric (q-factor) is proposed here to measure the trade-off between anonymity and performance over the duration of a communication session. Two new solutions to the problems of managing mobility in a low-latency anonymity network are proposed in this thesis. The first solution relies on adaptive client throttling, based on a Kaplan-Meier estimator of the likelihood of a mobile network hand-off. The second solution relies on the use of a static bridge relay (mBridge) that acts as a persistent ‘home’ for a mobile Tor connection, so avoiding the need to recreate the Tor circuit whenever the mobile device is handed-off. The effectiveness of these solutions has been measured using the new q-factor metric. Both solutions provide better performance for mobile Tor clients than the standard Tor client implementation, although some performance reduction by comparison with static Tor clients remains. The bridge relay solution (mBridge) has been shown to offer better performance than client throttling, but is more vulnerable to certain types of attack. A strength of both solutions is that changes are restricted to client devices, the existing algorithms and protocols of the interior Tor network are unaffected.
|Publication status||Accepted/In press - Oct 2016|