[tor-relays] Hello guys. Is is possible to choose one's Entry Guards?

Konstantinos Asimakis inshame at gmail.com
Wed Jan 9 10:41:22 UTC 2013

First of all, AFAIK, bridge relays act as entry guards, meaning they
*replace* the first step of your tor circuits, they don't extend them to 4
nodes. With that in mind you might be able to do this:

your client -> bridge (obfuscated or not) -> tor node B -> tor node C ->
whatever (clearnet / introduction points for your service)

If you host a hidden service, a compromised bridge on the above circuit
will make you vulnerable to timing attacks whether you hand-pick trusted
nodes for B&C or not.

Also in general when you talk about guard node, you mean a node that you
connect directly too for your first hop on a circuit. It doesn't make sense
to talk about guard nodes in the middle of the circuit, you don't really
care if those are compromised or not since they don't see you IP.

So another idea would be to use Tor through Tor which unfortunately doesn't
increase your anonymity much since timing attacks will still work the same
way (maybe they will take a little longer to pull off though but your
hidden service will be harder to reach too).

That being said you can choose your entry guards with the EntryGuards torrc
command and the StrictNodes commands which you can find in the Tor

If you are super paranoid you could add more latency to the connection
between you and the hidden service server. For example you could rent a
server anonymously in another country to host your hidden service, and only
access that server using Tor from a random public WiFi and only for short
durations (like just reuploading changed html code) using actually trusted
entry nodes. This way even if they manage to find where the hidden service
is located they will have to also start a separate attack to find where are
you connecting to this server from. And if they find where you do connect
from (which will take considerable time probably) you might have even
switched to another public WiFi by that time. Also who are "they" in this
case? Cause we are talking about an investigation that spans a ton of
countries just to find you. I honestly believe this is overkill. If you
need that much security then maybe Tor isn't for you.


My blog: http://www.inshame.com

My full signature with lots of links etc: http://bit.ly/trtsig
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20130109/1e8180b4/attachment.html>

More information about the tor-relays mailing list