[tor-dev] [RFC] On new guard algorithms and data structures

George Kadianakis desnacked at riseup.net
Fri Aug 21 10:08:48 UTC 2015

isis <isis at torproject.org> writes:

> George Kadianakis transcribed 5.2K bytes:
>> - This new design focuses on protecting against path bias attacks, by slightly
>>   damaging our reachability.
>>   Specifically, the old design is better at recovering in filtered networks,
>>   because it will keep on adding new nodes till one succeeds. In this new
>>   design, we will not try more than 80 relays per time. So if none of them
>>   passes the filtered network, bad luck no Tor.
>>   While this failure mode should not happen much, it's bad news for users behind
>>   FascistFirewalls which are actually quite frequent. A quick fix here would be
>>   to always add an 80/443 guard on our list, however as it stands only 30% of
>>   the guards are 80/443 guards, so this has bad anonymity consequences.
> What if we were to try to use meek as a sort of "are we actually on/offline"
> check?  Or, sometime in the future (say six months or so), when BridgeDB is
> using meek's domain fronting ideas, [0] we could use the BridgeDB domain front
> to check if we're actually online (and also, potentially, request a bridge for
> good measure, in case the network is just filtered).

Isn't that a bit like using cloudflare as our "online/offline" oracle? For this
reason, I have mixed feelings about this idea.

A related (but terrible) idea would be to have a StatusAuthority, which clients
can connect to when they want to learn if they are online or offline. Still
terribly centralized though, and it also has security implications. 

(FWIW, I generally really like the meek/BridgeDB integration idea.)

>> - Notice that the pseudocode contains no logic about bridges. I'm not sure how
>>   bridges should be handled here.
> My 2¢: I think the bridge code should be kept separate to the entry guard code.
> While it's understandable that we've lumped them together in the past because,
> functionally, clients would use one or the other, bridges are quite different.
> Even more so now that bridges will soon be using entry guards. [1]  (Also, it
> makes reviewing the bridge code kind of a pain when it's haphazardly crammed
> into like ten other modules.)
> What if we did something like:
>   int get_entry_guard(circuit_t) {
>     if (get_options()->UseBridges) {
>       go_do_the_bridgey_thing_in_the_bridge_module()
>       return 0;
>     }
>     if (guard_list.n_guards_attempted_lately > GUARDS_ATTEMPTED_THRESHOLD) {
>       […]
> Or check from wherever get_entry_guards() is being called… but perhaps the
> latter would be more error prone if a programmer forgets to check that they
> should be using bridges instead (also, code duplication).


I wonder what go_do_the_bridgey_thing_in_the_bridge_module() should be doing.

More information about the tor-dev mailing list