Hi,
I've gone a few emails back up the thread, because the risk analysis is missing some really important factors.
And just some reminders:
Some users depend on the tor network for their safety.
Relay operators take some risks, but we do our best to reduce those risks.
MyFamily is about user and operator safety. We pay more attention to arguments based on safety.
On 22 Feb 2020, at 23:02, Michael Gerstacker michael.gerstacker@googlemail.com wrote:
So for what reason do i set the MyFamily option beside making a Hidden Service Guard discovery attack more easy?
- risk reduction for tor users
MyFamily declarations allow the tor client software to automatically detect relay families when creating circuits to avoid using multiple relays from the same operator in a single circuit.
This should not matter if the operator is not malicious and like i already said an malicious operator will not use the same contact info or relay name.
- reducing the risk for tor users that might become victims if some operator gets compromized (with all its relays)
This is a reason i can understand. Not sure how much that would really help in practice but i can understand it.
In practice, relay operators become targets for compromise when they don't set MyFamily. Because those relays can be used to attack a Tor users.
If relay operators correctly set MyFamily, then an attacker needs to compromise multiple operators to see a single user's traffic.
In this case, it doesn't matter if the operator is malicious.
- transparency
Every relay operator should declare their relay group to allow everybody to measure their network fraction (Sybil detection).
Should... But i understand this one too. But as long as my family is still a small one with only one exit compared to others i am not a Sybil attack risk and even if i would would i get any special treatment then?
It doesn't matter how small your relays are. Some clients will choose your relays as guards. You're putting those users in danger.
- risk reduction for relay operators
MyFamily also provides risk reduction for operators since they are less valuable as an attack target if they can not technically be used for e2e correlation attacks
I think this is similar to your first point but i think that should be the operators choice if he want to take steps against this case.
There's also a network effect here. If almost all operators set MyFamily, then the Tor Network becomes a less valuable target for attacks. So attackers use other methods, like attacking Tor Browser, or offline attacks.
But if a lot of operators don't set MyFamily, then attackers develop tools and techniques to attack the network. Then they can repeat these attacks easily whenever they get a new target. I guess you could call that a market effect.
So if you're not going to set MyFamily for yourself, do it for Tor users, and do it for Luther relay operators.
We prioritise the safety of users and relay operators here.
T