[tor-dev] Proposal 236, Single-guard designs, and directory guards

Fri Jun 6 15:07:02 UTC 2014

Nicholas Hopper <hopper at cs.umn.edu> writes:

> On Mon, May 5, 2014 at 12:07 PM, Nick Mathewson <nickm at torproject.org> wrote:
>> I noticed that proposal 236 doesn't mention directory guards. (See
>> proposal 207, implemented in Tor 0.2.4.)  I think that we should
>> consider retaining multiple directory guards while going to a single
>> guard for multi-hop circuits.
> ...
>> I also think that most of the arguments for single-guard apply to
>> circuit guards more than to directory guards.  But there could be some
>> left, and we should figure those out.
>
> I think I mostly agree that having multiple directory guards should
> not be as significant a threat as multiple circuit guards.  But:
> - Having directory guard(s) besides the circuit guard *will* increase
> vulnerability to guard fingerprinting, as in #10969 and
> https://lists.torproject.org/pipermail/tor-dev/2013-September/005424.html
>
> - My directory guard knows when I'm using Tor, and so will be in a
> position to conduct long-term intersection attacks against sites with
> public logs or timestamps  (e.g:  IP w.x.y.z is always online when
> "SecretHandle" tweets). Having more guards increases vulnerability to
> this kind of attack.  Would it make sense to relay directory requests
> through circuit guards to avoid this?

FWIW, I've been using Tor with NumEntryGuards set to 1 for the past
few days. The results are good: Tor sticks with its primary guard (the
first guard in the entry guard list). However because my primary guard
is not a DirCache, it has to use a separate relay as a directory
mirror.

So, every few hours, Tor connects to a different relay (my dirguard:
the second node in my guard list) to fetch descriptors etc. This is
not a very big concern, but it's annoying for the reasons you
mentioned above.

That made me curious to learn how many guard nodes are not directory
servers. Apparently, out of all 5393 routers, we have 2149 guards, and
1458 guards that are directory servers. So there are about 700 guards
that are _not_ directory servers (I wonder what their bandwidth weight
is).

Apparently, this happens because the DirPort torrc option is required
to be a directory server, and some relay operators just don't have it.
Maybe we should consider again making all relays (or guards) to be
directory servers. AFAIK, this idea was discarded in the past because
it's not polite to open more ports (DirPort) on people's computers;
but nowadays with BEGIN_DIR, we don't even need that extra port, right?
Or maybe the reason is that directory documents take hard disk space?
But how much space do they take? Probably not that much.

At the very least, maybe we should add a log message saying "You are a
guard but not a directory server. You can increase the security of
your clients by enabling the DirPort option.".