trinity pointard <trinity.pointard@gmail.com> wrote ..

. It's not as easy as having a unique ID, you need to make sure a relay can't spoof being part of a family, that's why it requires a two way relationship for now, and will probably use some form of signature in the future.

Why not take advantage of the proof entry of ContactInfo? ( https://nusenu.github.io/ContactInfo-Information-Sharing-Specification/#proo... ) All you need to do is to add a file like https://example.com/.well-known/tor-relay/family-rsa-fingerprint.txt (uri-rsa) or DNS TXT record family-fingerprint.example.com (dns-rsa) which would contain one of the relay fingerprints of the family (the same one for all relays). The name is thus unique and you can easily check if the family name and corresponding relay fingerprint are linked to the same relay operator. The only drawback is if the chosen relay for the family name is removed from the network then a new one will have to be chosen and all the MyFamily values changed on every relay. Most likely a very rare event. Heck, a file https://example.com/.well-known/tor-relay/rsa-fingerprint.txt has already the same content as MyFamily. (Which I am guessing is one way "Alleged Family Members" are identified on Tor metrics.) _________________

For an easy example, let's imagine that we let any relay put itself into any family. Now suppose the attacker starts three relays A1, A2, and A3. Then, since nothing stops them, they put A1 into a family with every relay on the network, except for A2 and A3. Now, any time a user (randomly) selects A1, they will find that the only other relays they can use on that circuit are A2 and A3; this will build a completely attacker-controlled path, they will get no privacy.

How can you find a family with every relay on the network? According to the proposal, the largest family has 270 members and, according to Tor metrics, they are about 2000 exit relays. Even assuming an attacker controls A1 and A2, both falsely belonging to two different families with 250 members each (assuming all exit relays), the attacker would just increase his chances of having his A3 exit relay to be selected from 1/2000 to 1/1500. Not nothing, but not a large advantage either. The problem you are describing is actually one that is possible RIGHT NOW with MyFamily. An attacker CAN list all relay fingerprints he can find in its MyFamily except his relays. If he could only list ONE family name, he could only spoof it with the most popular family name used (assuming family name uniqueness is not enforced and more than one relay operator use the same name). But it is impossible that all [good] relay operators use the same family name, even if they would be allowed to select one as simple as "Smith". MyFamily with a single name seems both a very tiny spoofing problem AND an improvement over the current configuration.