[tor-relays] How can we trust the guards?

[Matt Traudt]

On 01/01/2017 04:54 PM, Rana wrote:
> The adversary will simply set up new nodes

Which can be called a Sybil attack.

> That’s  $1million a year to control most of the Tor nodes., You call this "costly"? This amount is a joke, a trifle, petty cash for any US or Russian government agency. FIFTY times this amount is STILL petty cash, so in case you think $20/month is not enough to run a relay, make it $1000 a month.
> 
> So I repeat - how is this prevented?

I started out writing a really long reply to your initial email, but I
don't think it would have been worth hitting send.

The very short answer: it isn't prevented. My other reply went on and on
about how node selections are weighted and reminded you how nodes get
the Guard flag and how nodes must be stable, familiar, and speedy for a
significant amount of time. All to try to convince you that Tor does a
good enough job.

But none of that matters because the adversary you talk about has big $$$.

So I invite you to read section 3 of the original Tor paper[0] to see
what the goals, non-goals, and threat model originally were.

No low-latency anonymity network that I'm aware of can protect its users
from such a powerful adversary as the one you speak of. It's an open
problem. Some good papers have been coming out recently, and some hold
promise. But none of them have made it out of the paper/prototype stage
that I'm aware.

Matt

[0]: https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf