[tor-dev] Proposal 207: Directory guards

Nick Mathewson nickm at alum.mit.edu
Sat Oct 13 01:47:38 UTC 2012


On Fri, Oct 12, 2012 at 3:17 PM, Mike Perry <mikeperry at torproject.org> wrote:
> Thus spake Nick Mathewson (nickm at torproject.org):
>> Discussion:
>>
>>    The rule that the set of guards and the set of directory guards need to
>>    be disjoint, and the rule that multiple directory guards need to be
>>    providing descriptors, are both attempts to make it harder for a
>>    single node to capture a route.
>
> Can you explain the route capture opportunities available to directory
> guards? Is it #5343/#5956?

Like that general class, yes.  It worries me to have too few sources
of directory info; with bridges we have no choice, but with directory
guards, we can make sure that we have multiple sources.

In particular, it's a little obnoxious for the same party to be both
the first hop of your circuit, *and* to know exactly what you know
about possible candidates for hop 2 and hop 3.

> And how does the attack work? Can directory mirrors simply say "Sorry
> man, that descriptor doesn't exist", even though the client sees it
> listed in the consensus?

No, but they can say "Sorry, I don't have that descriptor."  (Same
thing actually, but not totally suspicious.  But maybe let's analyze
it and figure out how much it really happens in practice for an honest
guard.)

> Shouldn't clients just try another directory
> source in this case?

Maaybe. If all their directory guards but *one* are down, my claim is
that they should not rely on just that guard.  There are alternative
designs where you don't add directory guards unless all your guards
are down, and I don't think those are right.

> The reason I'm asking is because if we use the same Guard nodes for both
> directory and normal traffic, this adds additional traffic patterns to
> the set of things that Website Traffic Fingerprinting attacks must
> classify, which further reduces the accuracy of that attack.

Hm.  An interesting thought.

My first inclination here is to ask, "Can we analyze this to figure
out the benefit/risk of each approach and somehow make a
mathy/quantitative argument about which is better?"  I don't know that
we'll come up with a final answer, but I think we could do well to try
to figure out how large/small benefits are likely to be.

-- 
Nick
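A toy model of the concern discussed above, added here as an illustration; it is not code from Tor or from either poster. The class names, the constructed six-relay consensus, the `min_sources` threshold and the "withholding" directory guard that answers "I don't have that descriptor" for most relays are all assumptions of the example. It shows how a client that accepts a single directory source ends up choosing hop 2 and hop 3 only from what that source chose to serve, and how the rule of refusing to proceed with too few answering directory guards avoids that.

```python
"""Toy model of directory-guard route capture (proposal 207 discussion).

Added example, not Tor code. Everything here is constructed: the consensus,
the guard names and the min_sources policy.
"""
from dataclasses import dataclass

# Constructed consensus: relay names the client sees listed.
CONSENSUS = ["relayA", "relayB", "relayC", "relayD", "relayE", "relayF"]


@dataclass
class DirGuard:
    name: str
    # Descriptors this guard will hand out. An honest guard serves all of
    # them; a withholding guard answers "I don't have that descriptor" for
    # every relay it wants to keep out of the client's view.
    serves: set
    up: bool = True

    def fetch(self, relay):
        """Return the descriptor, or None for 'I don't have that one'."""
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        return relay if relay in self.serves else None


@dataclass
class Client:
    dir_guards: list
    min_sources: int = 2  # assumed policy knob, not a Tor option

    def fetch_descriptors(self):
        """Union of descriptors from every reachable directory guard.

        Returns (known_relays, sources): sources counts guards that answered.
        """
        known, sources = set(), 0
        for guard in self.dir_guards:
            try:
                answers = [guard.fetch(r) for r in CONSENSUS]
            except ConnectionError:
                continue
            sources += 1
            known.update(a for a in answers if a is not None)
        return known, sources

    def candidate_hops(self, entry_guard):
        """Relays usable for hop 2 / hop 3, or None if the client refuses.

        The refusal implements the rule argued for above: with fewer than
        min_sources directory guards answering, do not build from that view.
        """
        known, sources = self.fetch_descriptors()
        if sources < self.min_sources:
            return None
        return sorted(known - {entry_guard})


def run_scenarios():
    """Three constructed situations; returns their candidate lists."""
    def guards(honest_up):
        honest = DirGuard("honest-dg", set(CONSENSUS), up=honest_up)
        # Withholding guard only serves descriptors for two relays.
        withholding = DirGuard("withholding-dg", {"relayA", "relayB"})
        return [withholding, honest]

    # 1. Both sources answer: the union gives the full view.
    both = Client(guards(True), min_sources=2).candidate_hops("relayA")
    # 2. Honest guard down, client content with one source: only the
    #    withholding guard's chosen relays remain as hop candidates.
    single = Client(guards(False), min_sources=1).candidate_hops("relayA")
    # 3. Same outage, but the client insists on two sources: refuses.
    refused = Client(guards(False), min_sources=2).candidate_hops("relayA")
    return both, single, refused


if __name__ == "__main__":
    for label, result in zip(("both up", "single source", "refused"),
                             run_scenarios()):
        print(f"{label}: {result}")
```

In scenario 2 the client would build every circuit through the one relay the withholding guard left it, which is the route-capture outcome; scenario 3 is the "don't rely on just that guard" behaviour from the reply.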

