> .. Tor .. believing its three hops is the minimum required number of hops to achieve the goal of anonymity.
It's more nuanced than that. Tor's design states the following:
"A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary."
https://svn-archive.torproject.org/svn/projects/design-paper...
There are tons of ways to de-anonymize users, Tor and VPN users alike. Same goes for mixnets. Whether or not an attacker can acquire a user's real-world identity depends on a lot of parameters. The number of network proxy hops is just one parameter.
Having said that, everything else equal, more hops is better than fewer. Then again, if all the user does is log into Facebook with their real-world identity, the number of hops doesn't matter at all. Or it does, because their adversary isn't Facebook, but their local ISP! It depends on what the user wants to protect against. There is a reason the Tor Project went on to build the Tor Browser. They realized that the sort of anonymity that users were looking for wasn't to be had with only the Tor network. They needed to complement the tor client with privacy protections on the application layer.
Regarding network proxy hops there's also this perspective: strong anonymity, low bandwidth overhead, low latency - choose two. This anonymity trilemma teaches us yet again that security and performance / UX are often at odds. If you want security you have to be prepared for inconvenience.
after having some direct awareness of how traffic shows up in netflow and the nature of global routing, i am not convinced that it requires a global visibility per se, but certainly is dependent on where traffic lands in a global sense. it's a small world on the big ol internet.
And yet, Tor--even in its browser form--uses three hops, despite not having global passive adversaries in its attacker model. I guess I thereby don't understand your thesis, which seems--to me--a bit muddled... you are saying Tor does not solve all problems (it would have to be the opposite to make sense... Tor hops would need to protect concrete models that Obscura doesn't solve, providing an excuse for the fewer hops) and you are saying users give up anonymity in other ways anyway (which is both a non-sequitur and also a bit wrong, as I will assert someone can be happy giving their real name and driver's license to Facebook but not be happy divulging their current IP address, as the many varied forms of private personal identification are not inherently fungible; and like, Tor being a browser doesn't even solve this: that solves yet a different problem that is out of scope for the hops)...
...but the only reason you cite for why 2 and not 3 is that 3 is slower than 2. You know what's even slower than 3? 4! ;P But AFAIO Tor doesn't, in fact, think "more hops is better than fewer": they believe there is a single correct number of hops, and that if you add even more hops you actually can cause new problems with their structure? Regardless, I think we all agree that 1 is slower than 2, and yet 1 definitely isn't enough ;P.
So, for a given attacker model, I contend that there seems to be a lower bound on the number of required hops... and therefore either there is a specific attacker Tor solves that this doesn't, or they are wrong on the number of hops required to protect against their attacker model. I am willing to buy either, but do feel this needs to be explained by projects that go with 2, as the Tor people seem very sane to me ;P.
(Regardless, I am very curious about the structure of the "partnership" with your company... would you be open to partnerships with other companies? Is there anything special you added on your side to make this partnership work that maybe could be generalized and taken advantage of by other projects? I am not convinced at all by Obscura, but I do like Mullvad, and have been wanting to work with you all for quite a while now ;P.)