[tor-dev] Proposal 236, Single-guard designs, and directory guards

Nicholas Hopper hopper at cs.umn.edu
Tue May 6 17:39:44 UTC 2014


On Mon, May 5, 2014 at 12:07 PM, Nick Mathewson <nickm at torproject.org> wrote:
> I noticed that proposal 236 doesn't mention directory guards. (See
> proposal 207, implemented in Tor 0.2.4.)  I think that we should
> consider retaining multiple directory guards while going to a single
> guard for multi-hop circuits.
...
> I also think that most of the arguments for single-guard apply to
> circuit guards more than to directory guards.  But there could be some
> left, and we should figure those out.

I think I mostly agree that having multiple directory guards should
not be as significant a threat as multiple circuit guards.  But:
- Having directory guard(s) besides the circuit guard *will* increase
vulnerability to guard fingerprinting, as in #10969 and
https://lists.torproject.org/pipermail/tor-dev/2013-September/005424.html

- My directory guard knows when I'm using Tor, and so will be in a
position to conduct long-term intersection attacks against sites with
public logs or timestamps  (e.g:  IP w.x.y.z is always online when
"SecretHandle" tweets). Having more guards increases vulnerability to
this kind of attack.  Would it make sense to relay directory requests
through circuit guards to avoid this?



-- 
------------------------------------------------------------------------
Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project
------------------------------------------------------------------------


More information about the tor-dev mailing list