[tor-dev] Defending against guard discovery attacks by pinning middle nodes

George Kadianakis desnacked at riseup.net
Fri Jul 11 10:44:36 UTC 2014

Hey Nick,

this mail is about the schemes we were discussing during the dev
meeting on how to protect HSes against guard discovery attacks (#9001).

I think we have some ideas on how to offer better protection against
such attacks, mainly by keeping our middle nodes more static than we
do currently.

For example, we could keep our middle nodes for 3-4 days instead of
choosing new ones for every circuit. As Roger has suggested, maybe we
don't even need to write the static middle nodes on the state file,
just use new ones if Tor has restarted.

Keeping middle nodes around for longer will make those attacks much
slower (it restricts them to one attack attempt every 3-4 days), but
are there any serious negative implications?

For example, if you were unlucky and you picked an evil middle node,
and you keep it for 3-4 days, that middle node will always see your
traffic coming through your guard (assuming a single guard per
client). If we assume you use a non-popular guard node (with only a
few clients using it), the middle guard might be able to think "Ah,
the circuit that comes from that guard node is always user X" making
your circuits a bit linkable from the PoV of your middle node.

What other attacks should we be wary about? Maybe partitioning attacks
based on client behavior?

And how should we move this forward if we decide it's worth it? Should
we start writing a Tor proposal?


More information about the tor-dev mailing list