[tor-bugs] #2751 [Tor Directory Authority]: Don't give remotely exploitable relays the HSDir flag

[Tor Bug Tracker & Wiki]

#2751: Don't give remotely exploitable relays the HSDir flag
-------------------------------------+--------------------------------------
 Reporter:  rransom                  |          Owner:     
     Type:  defect                   |         Status:  new
 Priority:  normal                   |      Milestone:     
Component:  Tor Directory Authority  |        Version:     
 Keywords:                           |         Parent:     
   Points:                           |   Actualpoints:     
-------------------------------------+--------------------------------------

Comment(by arma):

 Replying to [comment:2 rransom]:
 > but until then, we only need to take away the flags (Guard and HSDir)
 that make crashing a relay particularly harmful to the Tor network (and/or
 beneficial to an attacker).

 This is another of those cases where we have a tradeoff to make: increased
 robustness (or anonymity in the case of Guard flags) against passive
 adversaries, vs decreased robustness against a particular (currently
 hypothetical) active adversary.

 If we had more time to pay attention, I would say we should keep an eye
 out for this attack, and if we see it in the wild, then drop the flags. If
 we don't see it, no point reducing diversity against all the other
 (hypothetical) attackers we can't observe.

 But if we don't have time to pay attention, should we reduce the diversity
 of the network preemptively? Sure makes me wish I had more answers to
 https://blog.torproject.org/blog/research-problem-measuring-safety-tor-
 network

 How many such relays are we talking about? As we wait, both the risk of
 keeping them and the impact of dropping them become less.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2751#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online