[tor-relays] Why MyFamily?

Michael Gerstacker michael.gerstacker at googlemail.com
Fri Feb 21 12:43:28 UTC 2020


Last week I got an email with a warning that some of my relays are
missing the correct MyFamily setup and that I am a risk to do
end-to-end correlation attacks, together with a list of all relays I
operate plus one relay which uses the same name as I use but is not
operated by me.

I already knew that not all of my relays have a correct MyFamily setup
because as long as I am not sure if they will stay I usually don't
include them in MyFamily because it is a pain to edit every torrc if
they will disappear again soon anyway.
I did it that way with all relays before and when I am sure that the
hoster is okay with me and that I am okay with the hoster I always
included them in MyFamily.

In the received email nothing was written that someone might expect an
answer from me, so I deleted that email and, to not trigger that warning
again, I deleted the contact info from these specific relays for now.

A few days later I got a message that some of my relays will soon get
rejected because I did not respond to the previous email.

I explained why I do not have a correct MyFamily setup and I explained
that one of these relays is not operated by me even if it has the same
name as one of my relays.

The answer of the bad-relays mailing list was that it's important for
them to know that one of the relays tried to look like me and that I
can use a third-party tool for setting up the MyFamily and that
further discussion about the MyFamily is more suitable for the relays
mailing list.


What I learned from that:

- The bad-relays team expect an answer to their emails even if they do
not tell you that in the first email and rather send you a second
email that they will soon reject your relays if you don't answer them.

- I could do an end-to-end correlation attack
(I knew that already and would not use the same name and contact info
on my relays if I would like to do that)

- It is possible for them to pin relays to specific operators without
relying on the contact info or MyFamily entries
(I assume they guess that by looking at the relay names because
otherwise they would not have put a relay which is not operated by me
into my warning message)

- If setting up the MyFamily option is too painful for you then you
can use a third-party tool which is not part of the torproject

- Relay names are free to choose and double entries are okay but if
someone operates a relay with a name you chose before then you can
report that operator to the bad-relays list because that operator
might be malicious
(Thankfully my relays are not called "Unnamed")


So for what reason do I set the MyFamily option besides making a Hidden
Service Guard discovery attack easier?

