[tor-relays] How can we trust the guards?

Mirimir mirimir at riseup.net
Sun Jan 1 23:18:31 UTC 2017


On 01/01/2017 03:42 PM, Andreas Krey wrote:
> On Sun, 01 Jan 2017 23:54:03 +0000, Rana wrote:
> ...
>> I do not see how Sybil attacks relate to my question. The adversary will simply set up new nodes, without messing with attacking identities of existing ones.
> 
> It will not go quite unnoticed when the set of major relays changes
> substantially over a few months.

True. But prudent adversaries wouldn't put their trusted relays, with
guard flags, at risk by doing anything unusual with them. They would use
throwaway relays with exit flags to modulate circuit traffic, and then
detect that modulation in their guards. Such malicious exits would be
detected and banned, but the malicious guards would only be at risk when
users became aware of compromise.

That wouldn't work for onion services, however, because there are no
exits involved. Something might be doable using rendezvous relays, or
perhaps onion directories, but I'm guessing that it would be harder and
more obvious. Unfortunately, however, I don't understand the mechanism
well enough to have much of an opinion.

> ...
>> That's $1 million a year to control most of the Tor nodes. You call this "costly"? This amount is a joke, a trifle, petty cash for any US or Russian government agency. FIFTY times this amount is STILL petty cash, so in case you think $20/month is not enough to run a relay, make it $1000 a month.
> 
> This assumes that there is only one entity wanting to do that.
> When there are multiple the game isn't that easy.

Yes, that is a great Tor feature! Dueling adversaries strengthen Tor
against each other.

> Andreas
> 

