[tor-relays] Why MyFamily?

teor teor at riseup.net
Sun Feb 23 00:55:23 UTC 2020 

Hi,

I've gone a few emails back up the thread, because the risk
analysis is missing some really important factors.

And just some reminders:

Some users depend on the tor network for their safety.

Relay operators take some risks, but we do our best to
reduce those risks.

MyFamily is about user and operator safety. We pay more
attention to arguments based on safety. 

>> On 22 Feb 2020, at 23:02, Michael Gerstacker <michael.gerstacker at googlemail.com> wrote:
>>> > So for what reason do i set the MyFamily option beside making a Hidden
>>> > Service Guard discovery attack more easy?
>>> 
>>> - risk reduction for tor users
>>> MyFamily declarations allow the tor client software to automatically detect relay families when creating circuits to
>>> avoid using multiple relays from the same operator in a single circuit.
>> 
>> This should not matter if the operator is not malicious and like i already said an malicious operator will not use the same contact info or relay name.
>> 
>> - reducing the risk for tor users that might become victims if some operator gets compromized (with all its relays)
> 
> This is a reason i can understand.
> Not sure how much that would really help in practice but i can understand it.

In practice, relay operators become targets for compromise
when they don't set MyFamily. Because those relays can be
used to attack a Tor users.

If relay operators correctly set MyFamily, then an attacker
needs to compromise multiple operators to see a single
user's traffic.

In this case, it doesn't matter if the operator is malicious.

>> - transparency
>> Every relay operator should declare their relay group to allow everybody to measure their network fraction (Sybil detection).
> 
> Should...
> But i understand this one too.
> But as long as my family is still a small one with only one exit compared to others i am not a Sybil attack risk and even if i would would i get any special treatment then?

It doesn't matter how small your relays are. Some clients
will choose your relays as guards. You're putting those
users in danger.

>> - risk reduction for relay operators
>> MyFamily also provides risk reduction for operators since they are less valuable as an attack target
>> if they can not technically be used for e2e correlation attacks
> 
> I think this is similar to your first point but i think that should be the operators choice if he want to take steps against this case.

There's also a network effect here. If almost all operators
set MyFamily, then the Tor Network becomes a less
valuable target for attacks. So attackers use other
methods, like attacking Tor Browser, or offline attacks.

But if a lot of operators don't set MyFamily, then attackers
develop tools and techniques to attack the network. Then
they can repeat these attacks easily whenever they get a
new target. I guess you could call that a market effect.

So if you're not going to set MyFamily for yourself, do it for
Tor users, and do it for Luther relay operators.

We prioritise the safety of users and relay operators here.

T
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20200223/74939497/attachment-0001.html>

More information about the tor-relays mailing list