[tor-dev] Hidden Service Scaling

Christopher Baines cbaines8 at gmail.com
Fri May 9 13:31:24 UTC 2014

On 09/05/14 10:14, Michael Rogers wrote:
> On 08/05/14 14:40, Christopher Baines wrote:
>>> Perhaps it would make sense to pick one or more IPs per guard,
>>> and change those IPs when the guard is changed? Then waldo's
>>> attack by a malicious IP would only ever discover one guard.
>> If you change the IP's when the guard is changed, this could break
>> the consistency between different instances of the same service
>> (assuming that the different instances are using different
>> guards).
> It should be possible to avoid breaking consistency by having an
> overlap period: when a guard is scheduled to be replaced, each
> instance connects to a new guard and IPs, the new descriptor is
> published, then each instance disconnects from the old guard and IPs.
> This should work whether or not the instances use the same guards. If
> the instances use the same guards, waldo's attack can discover one
> guard shared by all instances; otherwise it can discover one guard per
> instance. I'm not sure which is worse for anonymity - any thoughts?

How do you see the guards being "scheduled" for replacement?

Another issue is how do you get each instance to connect through the
same guard node?

I think that it would be fine having per instance guard nodes (1 or
more). I don't see much significance in it being shared, it also seems
quite problematic to accomplish.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140509/a1f8b427/attachment.sig>

More information about the tor-dev mailing list