[tor-relays] Why MyFamily?

Michael Gerstacker michael.gerstacker at googlemail.com
Sat Feb 22 14:51:06 UTC 2020 

Am Sa., 22. Feb. 2020 um 15:17 Uhr schrieb nusenu <nusenu-lists at riseup.net>:

> >> - risk reduction for tor users
> >> MyFamily declarations allow the tor client software to automatically
> >> detect relay families when creating circuits to
> >> avoid using multiple relays from the same operator in a single circuit.
> >>
> >
> > This should not matter if the operator is not malicious
>
> That is a big if and impossible to detect automatically.
> If we accept operators to run end-to-end correlation relay groups by
> receiving "you can trust me" emails
> you can guess what malicious actors will do next.
>

Of course would they do.


> The only way the tor client software can detect relay groups across
> multiple /16 blocks automatically and at scale
> is currently by MyFamily declaration.
> There is no "dude don't worry, you can trust me" flag.
>

And if there would be then this would be the worst possible solution.


> > and like i already
> > said an malicious operator will not use the same contact info or relay
> name.
>
> We've had that already.
>

I know. Thats why i point that out again because now i am somehow affected
too and can better understand what they mean with that sentence.


> > But as long as my family is still a small
>
> It is rather hard, time consuming and error prone
> to asses group sizes without proper MyFamily declarations.
>

I am the operator of my relays so if i for whatever reason decide to not
publish that i run a bigger family then this should be my own decision.

If the torproject needs these information urgently they need to force it
for example with a relay registration or should find a better soultion
which is not depending on a trust level.


>
> > I think MyFamily greatly fails in trying to solve a problem
>
> I agree, but it is currently the only option how operators can tell tor
> clients
> about their relay group in an automated way.
>
> To summarize:
>
> Multiple recommendations (with and without configuration management)
> have been pointed out to practically solve the hassle of MyFamily across
> multiple relays with a growing group of relays
> without requiring to mess with all torrc files manually whenever a new
> relay gets added to a group.
>

Understood.


> Using one of them should be in the interest of relay operators to help
> protect tor users
> (and indirectly help with malicious relay detection).
>

Not proposing relays of honest operators for removal should be in the
interest of all to help protect tor users but an opt-in solution for
MyFamily which gets forced by random people on a public tor-bad-relays
mailinglist is not the right way in my opinion because obviously at least
in my case these people might lack information.
I understand that this is only obvious for me but then these people should
think twice before they propose relays for removal.


> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20200222/e668575c/attachment.html>

More information about the tor-relays mailing list