[tor-bugs] #16538 [Tor]: Limit the impact of a malicious HSDir
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 9 20:07:05 UTC 2015
#16538: Limit the impact of a malicious HSDir
--------------------------------+------------------------------
Reporter: arma | Owner:
Type: project | Status: new
Priority: normal | Milestone: Tor: 0.2.???
Component: Tor | Version:
Keywords: SponsorR, tor-auth | Actual Points:
Parent ID: | Points:
--------------------------------+------------------------------
An adversary who can control all six hsdir points for an onion service can
censor it. You can observe lookups of it even if you control only some of
these six.
So we should raise the bar for getting the HSDir flag, to raise the cost
to an adversary who tries the Sybil the network in order to control lots
of HSDir points. We should also make it harder to target which onion
service your relay becomes the HSDir for.
There's a contradiction here: the more restrictive we are about who gets
the HSDir flag, the more valuable it becomes to get it. At the one extreme
(our current choice), we give it to basically everybody, so you have to
get a lot of them before your attack matters. At the other extreme, we
could give it to our favorite 20 relays, and if we choose wisely then
basically no adversaries will get the HSDir flag. I suspect there are no
sweet spots in between.
This ticket is the parent ticket for all the components of making bad
HSDirs less risky.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16538>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list