I've been researching these related topics for a while and I have a concern regarding the onion path construction. Kind of related to #56, but from a different angle.
Background
If I understand it correctly, Tor's onion proxy uses directories to fetch a random slice of onion routers for building its circuits. This is their way to avoid connecting to nodes directly, but those directory nodes are considered trusted. In Tox there are no such nodes by design (bootstrap nodes are trusted to some degree though, but they are a bit different) and everything is connected directly, which can be used to figure out who has constructed the onion path (if my understanding of current Tox's behavior is correct).
The issue
Currently, when constructing an onion path through 3 nodes, the middle node can scan the previous and next node for known peers, take its own known peers, and the intersection of these 3 sets will very likely contain the node that has constructed the onion path.
Potential hardening
I think it could be a good idea to have a dedicated method in the DHT for fetching information about all the known nodes (not just searching for some of them, but literally all known nodes). Then, by collecting a lot of nodes in this way, filter out those which we've connected to recently and only after that select potential candidates for the onion path.
When we select a second and third node that we've never connected to before (or at least not recently), it would mean that the middle node will have to collect information about known peers of known peers, namely one step deeper. Assuming that the first node in the onion path (which we should be connected to directly) has enough known nodes (this can be made a requirement for such a node), this makes the intersection of potential candidates bigger. How much bigger, and whether that is statistically enough, is an open question.
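To make the intersection concern and the proposed hardening concrete, here is an added simulation (not Tox's code, and not part of the original issue). It builds a constructed toy DHT as a random graph with symmetric known-peer lists, lets node 0 act as the originator, and compares what a curious middle node can infer from the peer lists it can reach: with today's path selection (all three hops are direct peers of the originator) versus the proposed selection (hops two and three are nodes the originator has never connected to). All parameters, the symmetric-peer-list assumption and the graph shape are assumptions of this example, not measurements of the real network.

```python
import random


def build_dht(num_nodes, peers_per_node, seed):
    """Constructed toy DHT: every node links to `peers_per_node` random peers.
    Links are symmetric (assumption): if A has B in its known-peer list, B also
    has A, which mirrors the issue's premise that connecting to a node reveals you
    to it."""
    rng = random.Random(seed)
    known = {n: set() for n in range(num_nodes)}
    for n in range(num_nodes):
        while len(known[n]) < peers_per_node:
            m = rng.randrange(num_nodes)
            if m != n:
                known[n].add(m)
                known[m].add(n)
    return known


def reachable(known, node, hops):
    """Everything `node` can learn by asking for known peers and repeating the
    question `hops` times (hops=1: its own list; hops=2: peers of peers)."""
    seen, frontier = {node}, {node}
    for _ in range(hops):
        frontier = set().union(*(known[n] for n in frontier)) - seen
        seen |= frontier
    return seen - {node}


def middle_node_candidates(known, path, hops):
    """The intersection the issue describes, from the middle node's point of view:
    which nodes appear in the peer knowledge of the previous hop, itself and the
    next hop?  The path nodes themselves are excluded; a smaller set means a
    smaller anonymity set for the originator."""
    first, middle, last = path
    cands = (reachable(known, first, hops)
             & reachable(known, middle, hops)
             & reachable(known, last, hops))
    return cands - set(path)


def current_path(known, origin, rng):
    """Today's behaviour as the issue describes it: all three hops are nodes the
    originator is directly connected to."""
    return rng.sample(sorted(known[origin]), 3)


def hardened_path(known, origin, rng):
    """Proposed behaviour: the first hop is a direct peer (required to know enough
    nodes); hops two and three are drawn from nodes discovered one step deeper
    that the originator has never connected to."""
    first = rng.choice(sorted(known[origin]))
    pool = sorted(reachable(known, origin, 2) - known[origin] - {origin})
    middle, last = rng.sample(pool, 2)
    return [first, middle, last]


def compare(num_nodes=2000, peers_per_node=20, seed=7, origin=0):
    """Candidate sets the middle node ends up with under both strategies, for
    the peer-list depth it has to collect in each case."""
    known = build_dht(num_nodes, peers_per_node, seed)
    rng = random.Random(seed)
    cur = current_path(known, origin, rng)
    hard = hardened_path(known, origin, rng)
    return {
        "current_1hop": middle_node_candidates(known, cur, 1),
        "hardened_1hop": middle_node_candidates(known, hard, 1),
        "hardened_2hop": middle_node_candidates(known, hard, 2),
    }


if __name__ == "__main__":
    for name, cands in compare().items():
        print(f"{name}: {len(cands)} candidates, originator present: {0 in cands}")
```

With the current strategy the originator is in all three one-hop peer lists by construction, so it sits in a very small intersection. With the hardened strategy it is absent from the middle node's one-hop intersection and only reappears once the middle node collects peers of peers, where the intersection is much larger. Changing `num_nodes` and `peers_per_node` gives a feel for the open question in the issue, namely how much larger that set actually is for a given network density.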