[tor-dev] Proposal 236, Single-guard designs, and directory guards
Nicholas Hopper
hopper at cs.umn.edu
Tue May 6 17:39:44 UTC 2014
On Mon, May 5, 2014 at 12:07 PM, Nick Mathewson <nickm at torproject.org> wrote:
> I noticed that proposal 236 doesn't mention directory guards. (See
> proposal 207, implemented in Tor 0.2.4.) I think that we should
> consider retaining multiple directory guards while going to a single
> guard for multi-hop circuits.
...
> I also think that most of the arguments for single-guard apply to
> circuit guards more than to directory guards. But there could be some
> left, and we should figure those out.
I think I mostly agree that having multiple directory guards should
not be as significant a threat as multiple circuit guards. But:
- Having directory guard(s) besides the circuit guard *will* increase
vulnerability to guard fingerprinting, as in #10969 and
https://lists.torproject.org/pipermail/tor-dev/2013-September/005424.html
- My directory guard knows when I'm using Tor, and so will be in a
position to conduct long-term intersection attacks against sites with
public logs or timestamps (e.g., IP w.x.y.z is always online when
"SecretHandle" tweets). Having more guards increases vulnerability to
this kind of attack. Would it make sense to relay directory requests
through circuit guards to avoid this?
--
------------------------------------------------------------------------
Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project
------------------------------------------------------------------------