Thus spake The23rd Raccoon (the.raccoon23@gmail.com):
> So, if you have a way to measure circuit failure reliably, you can in fact detect the tagging attack, up to a point. It will be significantly easier to detect full 3-hop path bias than 2. It would be a good idea to solve tagging for this reason.
Ok, I've filed parent ticket https://trac.torproject.org/projects/tor/ticket/5456 for dealing with all of this mess.
>> I can turn the bwauthcircs=1 parameter back on independent of the PID feedback and see what happens, but if we could solve this with crypto, that would be better I think.
Turns out I was wrong here. There's a bug in the bwauths that prevents us from doing this properly right now: https://trac.torproject.org/projects/tor/ticket/5457
Turtles all the way down...
> Is this even possible without revising the circuit level protocol? We looked through the spec and didn't see anything that allows the network to migrate to alternate cipher choices easily.
> How quickly can the migration be done?
Pretty slowly, it turns out. We're going to need a new circuit protocol and we need to decide if we want to do per-hop MACs or use self-authenticating ciphers. I created a child ticket for the proposals that will help us figure this out.
https://trac.torproject.org/projects/tor/ticket/5460 if you're interested in following them.
> Otherwise, I suggest everybody start keeping track of their circuit failure rates through major nodes....
I created a child ticket for this, too: https://trac.torproject.org/projects/tor/ticket/5458
I also created https://trac.torproject.org/projects/tor/ticket/5459 for building a network scanner to detect this collusion.
It's going to be a long while before all of this stuff gets done though, I bet. We're waaay overloaded here, development-wise. We can barely keep up with our Sponsor workload, let alone fix surprise monstrous issues like this one. We'd love the help!
But still, thanks for taking the time to report this (and also for providing the proofs!).
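The thread's suggestion that clients keep track of circuit failure rates through major nodes, as an added example that is not code from the thread, from either correspondent, or from the Tor project: a Python script that builds a constructed three-hop circuit log (relay names G0..G3, M0..M3 and E0..E3 are made up; a hypothetical guard G3 fails every circuit that does not exit at E2, which is the failure pattern a tagging guard without a cooperating exit would produce), computes per-relay failure counts across all hop positions, flags relays whose failure count sits far above the network-wide rate under a binomial normal approximation, and then breaks a flagged guard's failures down by exit to expose the all-or-nothing pattern that distinguishes path bias from ordinary circuit churn. The z-score threshold and the one-in-seven baseline failure rate are assumptions chosen for the example, not measured Tor values.

```python
"""Per-relay circuit failure accounting over a constructed circuit log.

Added example; not code from the tor-dev thread or from the Tor project.
"""
import math
from collections import defaultdict

# Made-up relay nicknames for a tiny synthetic network (constructed data).
GUARDS = ["G0", "G1", "G2", "G3"]
MIDDLES = ["M0", "M1", "M2", "M3"]
EXITS = ["E0", "E1", "E2", "E3"]


def build_sample_log(n=400):
    """Construct a synthetic log of 3-hop circuits as (guard, middle, exit, failed).

    Baseline (assumed): roughly one in seven circuits fails for ordinary reasons,
    modelled deterministically as i % 7 == 0 so the results are reproducible.
    Injected bias (hypothetical): every circuit entering at G3 is failed unless
    it exits at E2, i.e. G3 behaves like a guard whose tag is only stripped by E2.
    """
    log = []
    for i in range(n):
        guard = GUARDS[i % 4]
        middle = MIDDLES[(i // 4) % 4]
        exit_ = EXITS[(i // 16) % 4]
        failed = (i % 7 == 0) or (guard == "G3" and exit_ != "E2")
        log.append((guard, middle, exit_, failed))
    return log


def per_relay_counts(log):
    """Return {relay: (failed, total)} counting every hop position a relay occupies."""
    counts = defaultdict(lambda: [0, 0])
    for guard, middle, exit_, failed in log:
        for relay in (guard, middle, exit_):
            counts[relay][1] += 1
            if failed:
                counts[relay][0] += 1
    return {relay: (f, t) for relay, (f, t) in counts.items()}


def flag_outliers(log, z_threshold=3.0, min_circuits=30):
    """Relays whose failure count exceeds the network-wide rate by z_threshold sd.

    p is the overall failure rate; each relay's failures are compared against
    Binomial(total, p) using the normal approximation. Relays seen on fewer than
    min_circuits circuits are skipped because the approximation is poor there.
    Returns {relay: z_score}.
    """
    total_failed = sum(1 for *_, failed in log if failed)
    p = total_failed / len(log)
    flagged = {}
    for relay, (failed, total) in per_relay_counts(log).items():
        if total < min_circuits:
            continue
        expected = p * total
        sd = math.sqrt(total * p * (1 - p))
        z = (failed - expected) / sd if sd > 0 else 0.0
        if z > z_threshold:
            flagged[relay] = round(z, 2)
    return flagged


def failures_by_exit(log, guard):
    """For one guard, break its circuits down by exit: {exit: (failed, total)}.

    A guard that is merely unreliable fails uniformly across exits; a guard
    whose circuits only survive through one particular exit shows a sharp split.
    """
    counts = defaultdict(lambda: [0, 0])
    for g, _, exit_, failed in log:
        if g != guard:
            continue
        counts[exit_][1] += 1
        if failed:
            counts[exit_][0] += 1
    return {e: (f, t) for e, (f, t) in counts.items()}


if __name__ == "__main__":
    sample = build_sample_log()
    for relay, z in sorted(flag_outliers(sample).items()):
        print(f"{relay}: failure count {z} sd above the network-wide rate")
        print("  breakdown by exit:", failures_by_exit(sample, relay))
```

On the constructed log, only G3 is flagged; the exits it is paired with are not, because each of them also carries plenty of circuits from the honest guards, and the per-exit breakdown for G3 shows every circuit failing except those leaving through E2. On real data the baseline rate should be estimated from a relay's own history or from its bandwidth-weighted peers rather than from a single global rate, since failure rates legitimately vary with load and geography.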