Fri Feb 15 22:58:59 UTC 2013

#8243: Getting the HSDir flag should require more effort
 When we invented the HSDir flag, our goal was to only use nodes for
 storing hidden service descriptors if they're likely enough to be around
 later. The question was solely around robustness: pick all but the nodes
 that have a good chance of going away while your hidden service descriptor
 is valid. We picked "has 25 hours of uptime" as what we hoped was an
 adequate threshold to stand in for the real question, which is "will
 likely remain online for the next hour".

 But actually, there are security implications here too: an adversary who
 can control all six hsdir points for a hidden service can censor it (or,
 less bad, observe how many anonymous people access it).

 So we should raise the bar for getting the HSDir flag, to raise the cost
 to an adversary who tries the Sybil the network in order to control lots
 of HSDir points.

 That said, there's a contradiction here: the more restrictive we are about
 who gets the HSDir flag, the more valuable it becomes to get it. At the
 one extreme (our current choice), we give it to basically everybody, so
 you have to get a lot of them before your attack matters. At the other
 extreme, we could give it to our favorite 20 relays, and if we choose
 wisely then basically no adversaries will get the HSDir flag. What are the
 sweet spots in between?

 (This ticket is inspired by rpw's upcoming Oakland paper)

