On Mon, May 15, 2023 at 10:18:29AM -0400, denny.obreham@a-n-o-n-y-m-e.net wrote:
trinity pointard <trinity.pointard@gmail.com> wrote:
For an easy example, let's imagine that we let any relay put itself into any family. Now suppose the attacker starts three relays A1, A2, and A3. Then, since nothing stops them, they put A1 into a family with every relay on the network, except for A2 and A3. Now, any time a user (randomly) selects A1, they will find that the only other relays they can use on that circuit are A2 and A3; this will build a completely attacker-controlled path, they will get no privacy.
How can you find a family with every relay on the network? According to the proposal, the largest family has 270 members and, according to Tor metrics, there are about 2000 exit relays. Even assuming an attacker controls A1 and A2, both falsely belonging to two different families with 250 members each (assuming all exit relays), the attacker would just increase his chances of having his A3 exit relay selected from 1/2000 to 1/1500. Not nothing, but not a large advantage either.
I presumed the attacker would create a new family, and declare all other relays members of that family.
The problem you are describing is actually one that is possible RIGHT NOW with MyFamily. An attacker CAN list all relay fingerprints he can find in his MyFamily except his relays.
Except that the family won't be recognised as containing all those other relays because the other relays don't include the attacker's relay A1 in their MyFamily declaration.
- Matt
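
The difference between the one-sided rule imagined in the A1/A2/A3 scenario and the mutual-declaration rule Matt describes, as an added example that is not from any participant in this thread or from the Tor code base. Relay names, the `declared` map and the function names are constructed for illustration, and path selection is reduced to the family constraint only.

```python
# Added illustration: constructed relay names and MyFamily declarations.

def effective_family(relay, declared, mutual=True):
    """Return the relays treated as being in `relay`'s family.

    declared maps relay name -> set of names it lists in MyFamily.
    mutual=True : both relays must list each other (the rule Matt describes).
    mutual=False: hypothetical rule where a single declaration is enough.
    """
    listed = declared.get(relay, set())
    if mutual:
        return {r for r in listed if relay in declared.get(r, set())}
    # One-sided: everyone `relay` lists, plus everyone who lists `relay`.
    listed_by = {r for r, fam in declared.items() if relay in fam}
    return (listed | listed_by) - {relay}


def usable_with(relay, declared, mutual=True):
    """Relays a client may still put on the same circuit as `relay`."""
    excluded = effective_family(relay, declared, mutual) | {relay}
    return sorted(set(declared) - excluded)


def build_sample():
    """Five honest relays (H1 and H2 are a genuine family) plus A1, A2, A3."""
    declared = {f"H{i}": set() for i in range(1, 6)}
    declared["H1"] = {"H2"}
    declared["H2"] = {"H1"}
    # A1 lists every honest relay but not A2 or A3; nobody lists A1 back.
    declared["A1"] = {f"H{i}" for i in range(1, 6)}
    declared["A2"] = set()
    declared["A3"] = set()
    return declared


if __name__ == "__main__":
    d = build_sample()
    print("one-sided rule, usable with A1:", usable_with("A1", d, mutual=False))
    print("mutual rule,    usable with A1:", usable_with("A1", d, mutual=True))
```
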