On Mon, May 15, 2023 at 5:21 AM Matt Palmer mpalmer@hezmatt.org wrote:
On Sat, May 13, 2023 at 12:55:17PM -0400, denny.obreham@a-n-o-n-y-m-e.net wrote:
This has probably been addressed before but why isn't the MyFamily value just a single, unique ID?
If I have the relays with the fingerprints "John", "Jane", and "Alice" and I want to add "Bob", wouldn't it be simpler (and more logical) to add the unique MyFamily "Smith" to each torrc file than listing all fingerprints?
I believe the reason for the current setup is to prevent randos from adding themselves to your family of relays, and then causing problems.
That's correct: if an attacker can add their relay to a family without the rest of the family's consent, they can use that to influence routing and do some kinds of path-selection attacks.
For an easy example, let's imagine that we let any relay put itself into any family. Now suppose the attacker starts three relays A1, A2, and A3. Then, since nothing stops them, they put A1 into a family with every relay on the network, except for A2 and A3. Now, any time a user (randomly) selects A1, they will find that the only other relays they can use on that circuit are A2 and A3; this will build a completely attacker-controlled path, and they will get no privacy.
That said, there's an open proposal to try to make it so relays can use a cryptographic identifier instead of a unique ID or a list: https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/321-hap... I'd be curious to know whether relay operators think this proposal would be usable for them; when I first circulated it, I didn't get a lot of feedback.
(Oh, I see that Trinity has mentioned this too. Hi, Trinity!)
cheers,
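
The A1/A2/A3 scenario from the message above, modelled as an added example (not part of the original message and not Tor's own code): it compares a rule where any relay can place itself in a family with the mutual rule, where two relays count as family only if each lists the other. The relay names, the `DECLARED` table and the helper functions are constructed for illustration, and the model assumes family exclusion is the only path constraint (real path selection also considers bandwidth weights, flags and subnets).

```python
# Constructed sample: relay name -> relays it lists in its own MyFamily line.
# Names stand in for fingerprints; A1..A3 are the attacker relays from the message.
HONEST = {"John", "Jane", "Alice", "Bob", "R1", "R2"}
DECLARED = {
    "John": {"Jane", "Alice", "Bob"},
    "Jane": {"John", "Alice", "Bob"},
    "Alice": {"John", "Jane", "Bob"},
    "Bob": {"John", "Jane", "Alice"},
    "R1": set(),
    "R2": set(),
    "A1": set(HONEST),  # A1 claims every relay except A2 and A3
    "A2": set(),
    "A3": set(),
}


def same_family(a, b, declared, mutual=True):
    """True if a and b count as one family under the chosen rule."""
    a_lists_b = b in declared[a]
    b_lists_a = a in declared[b]
    if mutual:
        return a_lists_b and b_lists_a  # both sides must consent
    return a_lists_b or b_lists_a       # hypothetical "anyone can join" rule


def usable_with(chosen, declared, mutual=True):
    """Relays allowed on a circuit with `chosen` (no two from one family)."""
    return {r for r in declared
            if r != chosen and not same_family(chosen, r, declared, mutual)}


def unconfirmed_claims(declared):
    """One-sided listings: (claimer, target) pairs the target never confirmed."""
    return sorted((a, b) for a, listed in declared.items()
                  for b in listed if a not in declared[b])


if __name__ == "__main__":
    print("one-sided rule, A1 chosen:", sorted(usable_with("A1", DECLARED, mutual=False)))
    print("mutual rule, A1 chosen:   ", sorted(usable_with("A1", DECLARED, mutual=True)))
    print("unconfirmed claims:       ", unconfirmed_claims(DECLARED))
```

Under the one-sided rule the only relays left for a circuit through A1 are A2 and A3; under the mutual rule A1's claims are ignored, and they show up as unconfirmed listings an operator or monitor can flag.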