[tor-relays] How can we trust the guards?

Aeris aeris+tor at imirhil.fr
Mon Jan 2 00:03:13 UTC 2017


> @Aeris
> 
> I do not see how Sybil attacks relate to my question. The adversary will
> simply set up new nodes, without messing with attacking identities of
> existing ones.

A Sybil attack is not attacking identities, but just running a bunch of relays.

> As to the rest of it, let us calculate. Assuming that the adversary wants to
> control 4000 nodes for 3 years, the 70d startup period is irrelevant and
> negligible.

But because they have guard flags, those 4000 nodes must be in the top 25% 
bandwidth nodes. So this assumes we have around 16k nodes currently, which is 
false.
And the current average guard bandwidth is around 40Mbps, so your attacker has 
156Gbps capacity…
And because of Tor node selection, those 4000 nodes must be on as many /16 
networks as possible.

> Assuming further that operating the relays will cost the
> adversary $20/month each, the total "investment" required would be
> 20x12x3x4000=less than $3million
> 
> That’s $1million a year to control most of the Tor nodes. You call this
> "costly"? This amount is a joke, a trifle, petty cash for any US or Russian
> government agency. FIFTY times this amount is STILL petty cash, so in case
> you think $20/month is not enough to run a relay, make it $1000 a month.

Having $$$$ is not enough. You can’t just send $$$$ in hardware and expect to 
be a guard. You need to prove your worth to the network to have the guard flag.
And you also need intelligence, because your nodes must be VERY different from 
each other or only a few of your guards will be used (same /16 network, same 
country, same operator => never 2 nodes on a circuit or guard set).

> So I repeat - how is this prevented?

Re-read my first post. Tor node selection for circuits, Tor node guard flag 
assignment.
And because currently most of the guards are controlled by well-known or smart 
enough people, we don’t have such an attacker.

Controlling all guards is NOT a serious problem ’til you also 
control other nodes (middle or exit).
If you think such an attacker exists, just don’t use Tor; this is EXACTLY the 
threat model Tor can’t avoid and expressed in the paper.

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/
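
The path constraint mentioned in the message above, as an added example that is not part of the original post and is not Tor's own code: it covers only the /16 and declared-family rules. The relay names, addresses (documentation ranges) and family lists are constructed, and the mutual-declaration requirement for families is stated here as an assumption about how families are honoured.

```python
import ipaddress
from itertools import combinations

# Constructed sample relays: made-up names, documentation address ranges.
RELAYS = {
    "alpha":   {"ip": "198.51.100.10",  "family": {"bravo"}},
    "bravo":   {"ip": "203.0.113.7",    "family": {"alpha"}},
    "charlie": {"ip": "198.51.100.200", "family": set()},
    "delta":   {"ip": "192.0.2.44",     "family": {"alpha"}},  # one-sided claim
}

def subnet16(ip):
    """Return the /16 network an IPv4 address belongs to."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)

def same_family(a, b):
    """Assumption: a family link counts only if both relays list each other."""
    return b in RELAYS[a]["family"] and a in RELAYS[b]["family"]

def conflict(a, b):
    """Return the reason two relays may not share a circuit, or None."""
    if subnet16(RELAYS[a]["ip"]) == subnet16(RELAYS[b]["ip"]):
        return "same /16"
    if same_family(a, b):
        return "same family"
    return None

def circuit_ok(path):
    """A path is acceptable only if no pair of its relays conflicts."""
    return all(conflict(a, b) is None for a, b in combinations(path, 2))

def rejected_pairs(names):
    """List every conflicting pair among the given relays with its reason."""
    pairs = []
    for a, b in combinations(sorted(names), 2):
        reason = conflict(a, b)
        if reason:
            pairs.append((a, b, reason))
    return pairs

if __name__ == "__main__":
    for a, b, reason in rejected_pairs(RELAYS):
        print(f"{a} + {b}: rejected ({reason})")
    print("charlie -> delta -> bravo ok:",
          circuit_ok(["charlie", "delta", "bravo"]))
```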