[tor-relays] Giving away some "pre-warmed" relay keys for adoption

Yawning Angel yawning at schwanenlied.me
Sun Jul 26 08:41:13 UTC 2015


On Sun, 26 Jul 2015 07:13:44 +0500
Roman Mamedov <rm at romanrm.net> wrote:
> Either way you won't do much damage even if any of this ends up being
> false, as the consensus weight and the stable status will drop more
> rapidly than they are gathered if your node can't maintain them.

Giving away the identity keys for high capacity relays that actual
users are using as Guards seems irresponsible at best, and downright
malicious assuming a realistic threat model for the Tor Network as a
whole.

> >    Yes, in an ideal world the bwauths will scan new relays faster.
> 
> Meanwhile in reality the outcome is often [1].

Orthogonal problem, and it's being worked on under an OTF Fellowship.
 
> > A fun task for someone who likes messing with consensus documents
> > and descriptors would be to write a script to measure IP address
> > churn for relays while the relay identity remains constant (either
> > legitimately eg: being on a dynamic IP, person had to move the rack
> > the relay was on, or through key compromise/derp).
> 
> I do this extensively on my relays, as one VPS or dedicated server
> expires, gets terminated or canceled for various reasons, a different
> one takes its place, inheriting the same identity. If I had to always
> wait for new relays to spin up from scratch in each case, a lot of
> the time I probably wouldn't even bother.

While the bwauth delay is unfortunate (which is why it's being worked
on), the delay in assigning Stable/Guard and HSDir is for user
safety.

I'm somewhat torn on the whole key pinning thing, because I
think an individual operator moving their relay around is sort of ok
(though in an ideal world the consensus weight should get reset and
rapidly re-measured), but giving away the private component of a relay's
identity key is putting users at risk, and is behavior that should be
discouraged if not outright prohibited if possible (and key pinning
would be a heavy handed way to rule out this sort of stupidity).

I personally care less about the absolute size of the Tor network, and
if it's a choice between users' Guards changing ownership, and a
smaller Tor network I will pick the latter every single time.

> Running 20 relays in a declared family at the moment, together
> comprising about 1.8% of aggregate Tor bandwidth, however due to
> financial reasons I will have to shut down most of these over the
> coming weeks and months; so I see little difference if the next
> machine inheriting a particular identity this time will be managed
> and paid for by someone else and not by me. Just throwing these away
> seemed like a waste.

If I have to write a script to figure out the fingerprints of your
relays just to keep users safe I will.  I have 3 million other things I'd
rather be doing, but keeping the user safe from the bad guys (no matter
how good their intentions) is the most important thing I could be doing.

Regards,

-- 
Yawning Angel

ps: I'm mostly done with this.  If Roger or someone else wants to
comment and overrule what I say that's up to them.
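The churn-measuring script suggested in the quoted exchange above, as an added example that is not code from this thread or from the Tor project: it parses the "r" lines of successive consensus documents and reports fingerprints whose identity key stayed constant while the advertised IP address changed. The consensus snapshots below are constructed sample data, not real relays.

```python
import base64
import binascii
from collections import defaultdict

# Constructed sample: three consensus snapshots reduced to their "r" lines.
# Nicknames, identities and addresses are made up for this example. Layout
# follows dir-spec: "r" nickname identity [digest, full consensus only]
# date time IP ORPort DirPort.
SNAPSHOTS = [
    "r RelayA QUFBQUFBQUFBQUFBQUFBQUFBQUE 2015-07-24 10:00:00 192.0.2.10 9001 9030\n"
    "r RelayB QkJCQkJCQkJCQkJCQkJCQkJCQkI 2015-07-24 10:00:00 198.51.100.5 443 80\n",
    # RelayB keeps its identity key but now appears from a new address.
    "r RelayA QUFBQUFBQUFBQUFBQUFBQUFBQUE 2015-07-25 10:00:00 192.0.2.10 9001 9030\n"
    "r RelayB QkJCQkJCQkJCQkJCQkJCQkJCQkI 2015-07-25 10:00:00 203.0.113.7 443 80\n",
    # ...and again; RelayA never moves.
    "r RelayA QUFBQUFBQUFBQUFBQUFBQUFBQUE 2015-07-26 10:00:00 192.0.2.10 9001 9030\n"
    "r RelayB QkJCQkJCQkJCQkJCQkJCQkJCQkI 2015-07-26 10:00:00 203.0.113.99 443 80\n",
]

def fingerprint_hex(identity_b64):
    """Turn the unpadded base64 identity of an "r" line into the 40-hex-char
    fingerprint that operators and the relay's 'fingerprint' file use."""
    padded = identity_b64 + "=" * (-len(identity_b64) % 4)
    return binascii.hexlify(base64.b64decode(padded)).decode().upper()

def parse_r_lines(consensus_text):
    """Yield (fingerprint, ip) per router entry. Handles both the full
    consensus (9 tokens, with descriptor digest) and the microdescriptor
    flavour (8 tokens): the identity is token 2, the IP is third from the end."""
    for line in consensus_text.splitlines():
        tokens = line.split()
        if len(tokens) < 8 or tokens[0] != "r":
            continue
        yield fingerprint_hex(tokens[2]), tokens[-3]

def ip_history(snapshots):
    """Map each fingerprint to the distinct IPs seen for it, in first-seen order."""
    seen = defaultdict(list)
    for text in snapshots:
        for fp, ip in parse_r_lines(text):
            if ip not in seen[fp]:
                seen[fp].append(ip)
    return dict(seen)

def churning_relays(snapshots, min_addresses=2):
    """Fingerprints seen from at least `min_addresses` distinct IPs while the
    identity key stayed the same: the churn the thread suggests measuring."""
    return {fp: ips for fp, ips in ip_history(snapshots).items()
            if len(ips) >= min_addresses}
```

Feeding it a directory of hourly consensus files (one string per file, in time order) instead of the embedded snapshots gives the network-wide view; relays that move often without a declared reason are the ones worth a closer look.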