tor directory servers / tor pki issues

Roger Dingledine arma at
Mon Sep 23 21:13:21 UTC 2002

Currently the list of onion routers is very static. Users have a list in a
text file they get when they download the proxies, and they must manually
fetch a new one (e.g. by upgrading) when we update the list.

This is a good thing, because it should be a big deal to add a router
(an evil node can do more damage in an OR environment than in a mix
environment). But it's a bad thing, because it impacts usability. We
also need some way to let users know which routers are up *right now*.
The onion routers all know, because they're connected in a clique topology
(and we assume if you're a router and you're connected to at least one,
you're connected to as many as you can). But the proxies don't connect
to everybody (and shouldn't), so they can't know who's up right now.

Here's my plan:

A subset of the routers (those which are most static and most trusted)
will also be directory servers. Proxies connect to them and pull down
a directory: a list of active routers and their info. They use that
directory to choose nodes for onions.

Now, there are plenty of attacks possible from a bad directory server
(see Section 5 of, but for now
I will assume that there are few enough servers, and the operators know
each other well enough, that they monitor themselves out of band and
flip out if they find one misbehaving.

Thus the tarball/rpm/etc will arrive with a static set of directory
servers in a config file, but most of the actual routers don't need to
be listed. Normal routers just need to convince a directory server to
know about them. Down the road we can work on algorithms to ensure
synchronicity between directory servers (e.g. by a threshold of

*** How do clients learn about routers?

Onion proxies periodically (say, hourly) notice "whoops, my directory is
old" and go fetch a new one. Implementation-wise, the directory server
serves the directory via HTTP (either with a trivial built-in server
or because there's an Apache already running on the box). The client
opens up a socket to that directory port, shoves a GET down it, and
reads the directory.

Because a newly started onion proxy doesn't know the new router list,
part of its start-up process is to get a new list. This introduces an
attack where the adversary observes the directory server and also runs a
website; he correlates request-from-directory with request-from-website.
At this point my answer is "Yeah, ok. So tell the clients they get better
security if they start their onion proxy before they plan to use it."

*** What does a directory look like?

It's dirt simple for version 0.0.1. It'll look quite like in the
routers.or file for now. We can include some markup-like stuff later.
It should also include a signature of its generator, so people can pass
around authentic directories.

I'm starting the process of switching onion proxies and routers over so
they can dynamically learn about new routers. (We need to do this anyway.)
Please let me know if you think I'm nuts, or if I've overlooked something.
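
An added example, not part of the original post and not Tor's code: the client-side check implied by "a signature of its generator" combined with the static set of directory servers shipped in the config file, so a directory passed along by a third party is accepted only if a known directory server signed it and it is recent. The record layout, the names `SignedDirectory`, `Verify` and `sample`, the one-hour freshness window and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

const MaxAge = time.Hour // assumption: the post suggests an hourly refetch
var (
	ErrUnknown = errors.New("generator is not a pinned directory server")
	ErrBadSig  = errors.New("signature does not verify")
	ErrStale   = errors.New("directory is stale or future-dated")
)

// SignedDirectory is a hypothetical container, not Tor's directory format.
type SignedDirectory struct {
	Generator    string    // directory server that produced it
	Published    time.Time // signed, so a relayed copy cannot hide its age
	Routers, Sig []byte    // router list (opaque here) and its signature
}

// signedBytes binds generator, timestamp and router list into one message.
func signedBytes(d SignedDirectory) []byte {
	return []byte(fmt.Sprintf("%q %d\n%s", d.Generator, d.Published.Unix(), d.Routers))
}

// Verify accepts a directory, fetched directly or passed along, only if a
// pinned directory server signed it and it falls inside the freshness window.
func Verify(d SignedDirectory, pinned map[string]ed25519.PublicKey, now time.Time) error {
	pub, ok := pinned[d.Generator]
	if !ok {
		return ErrUnknown
	}
	if !ed25519.Verify(pub, signedBytes(d), d.Sig) {
		return ErrBadSig
	}
	if age := now.Sub(d.Published); age > MaxAge || age < -MaxAge {
		return ErrStale
	}
	return nil
}

// sample builds a constructed directory signed by a constructed (all-zero seed) test key.
func sample() (SignedDirectory, map[string]ed25519.PublicKey, time.Time) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	now := time.Unix(1032815601, 0)
	d := SignedDirectory{Generator: "dir1", Published: now.Add(-10 * time.Minute), Routers: []byte("routerA 192.0.2.1 9001\n")}
	d.Sig = ed25519.Sign(priv, signedBytes(d))
	return d, map[string]ed25519.PublicKey{"dir1": priv.Public().(ed25519.PublicKey)}, now
}
func main() {
	d, pinned, now := sample()
	fmt.Println(Verify(d, pinned, now), Verify(d, pinned, now.Add(3*MaxAge)))
}
```

Putting the publication time inside the signed bytes is what lets a client reject an old but genuinely signed directory that someone replays.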

