[tor-dev] Proposal 236, Single-guard designs, and directory guards

Nicholas Hopper hopper at cs.umn.edu
Tue May 6 17:39:44 UTC 2014

On Mon, May 5, 2014 at 12:07 PM, Nick Mathewson <nickm at torproject.org> wrote:
> I noticed that proposal 236 doesn't mention directory guards. (See
> proposal 207, implemented in Tor 0.2.4.)  I think that we should
> consider retaining multiple directory guards while going to a single
> guard for multi-hop circuits.
> I also think that most of the arguments for single-guard apply to
> circuit guards more than to directory guards.  But there could be some
> left, and we should figure those out.

I think I mostly agree that having multiple directory guards should
not be as significant a threat as multiple circuit guards.  But:
- Having directory guard(s) besides the circuit guard *will* increase
vulnerability to guard fingerprinting, as in #10969 and

- My directory guard knows when I'm using Tor, and so will be in a
position to conduct long-term intersection attacks against sites with
public logs or timestamps  (e.g:  IP w.x.y.z is always online when
"SecretHandle" tweets). Having more guards increases vulnerability to
this kind of attack.  Would it make sense to relay directory requests
through circuit guards to avoid this?

Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project

More information about the tor-dev mailing list