[tor-relays] pinning relay keys to IPs (or not)

Roger Dingledine arma at mit.edu
Mon Jul 27 08:15:57 UTC 2015


On Sun, Jul 26, 2015 at 04:48:37PM +0000, Yawning Angel wrote:
> If the relay's IP is constantly changing significantly faster than the
> Guard rotation interval (needs more numbers here), I'm not sure if they
> make great Guards, but this is an arma/asn type question since they
> think more about Guards than I do.

I've been thinking about this one since the thread started. Changing IP
addresses "a little bit" isn't so bad. But if a Guard shifts to another
place on the Internet, often, this would actually be quite bad. The reason
is that clients who use that relay as their guard will effectively shift
their paths with it, giving network-level adversaries (as compared to
relay-level adversaries) more chances over time to see their traffic. From
the perspective of the network-level adversary, it's as though the users
are choosing a new guard each time their guard shifts location.

For much more discussion of this point, see
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
including the paragraph
"Rather than running a guard relay and waiting for the user to switch to
it, the attacker should instead monitor as many Internet links as he can,
and wait for the user to use a guard such that traffic between the user
and the guard passes over one of the links the adversary is watching."

I wonder how many guards shift location significantly across the Internet,
and how often?

--Roger
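
One way to start answering the closing question, as an added example that is not part of Roger's message or of any Tor Project code: it separates "a little bit" IP changes from moves to another place on the Internet in a per-relay address history. It assumes that a change of origin AS is a usable proxy for a significant move, and `rotation_days` is a hypothetical parameter; the observations are constructed, using documentation IP ranges and private-use AS numbers.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: (relay fingerprint, day observed, IP, origin AS).
# Documentation IP ranges and private-use AS numbers, not real relays.
OBSERVATIONS = [
    ("AAAA", date(2015, 1, 1), "192.0.2.10", 64512),
    ("AAAA", date(2015, 2, 1), "192.0.2.77", 64512),    # new IP, same AS
    ("AAAA", date(2015, 3, 1), "192.0.2.78", 64512),    # new IP, same AS
    ("BBBB", date(2015, 1, 1), "198.51.100.5", 64513),
    ("BBBB", date(2015, 1, 15), "203.0.113.9", 64514),  # moved to another AS
    ("BBBB", date(2015, 2, 1), "192.0.2.200", 64512),   # moved again
    ("BBBB", date(2015, 2, 20), "198.51.100.6", 64513), # back to the first AS
    ("CCCC", date(2015, 1, 1), "203.0.113.1", 64514),   # seen only once
]


def summarize_shifts(observations, rotation_days):
    """Per relay: minor (same-AS) IP changes, major (cross-AS) shifts,
    distinct ASes seen, and major shifts per guard rotation interval."""
    by_relay = defaultdict(list)
    for fingerprint, day, ip, asn in observations:
        by_relay[fingerprint].append((day, ip, asn))

    report = {}
    for fingerprint, rows in by_relay.items():
        rows.sort()  # chronological order
        minor = major = 0
        for (_, ip0, as0), (_, ip1, as1) in zip(rows, rows[1:]):
            if as1 != as0:
                major += 1   # shifted to another place on the Internet
            elif ip1 != ip0:
                minor += 1   # changed address "a little bit"
        span_days = (rows[-1][0] - rows[0][0]).days
        report[fingerprint] = {
            "minor": minor,
            "major": major,
            # Each distinct AS gives a network-level observer a different
            # set of links between the client and its guard.
            "locations": len({asn for _, _, asn in rows}),
            "shifts_per_rotation":
                major * rotation_days / span_days if span_days else 0.0,
        }
    return report


if __name__ == "__main__":
    for fp, stats in sorted(summarize_shifts(OBSERVATIONS, 100).items()):
        print(fp, stats)
```
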


