[tor-relays] Why MyFamily?

Michael Gerstacker michael.gerstacker at googlemail.com
Sun Feb 23 01:34:15 UTC 2020 

Am So., 23. Feb. 2020 um 01:55 Uhr schrieb teor <teor at riseup.net>:

> Hi,
>
> I've gone a few emails back up the thread, because the risk
> analysis is missing some really important factors.
>
> And just some reminders:
>
> Some users depend on the tor network for their safety.
>
> Relay operators take some risks, but we do our best to
> reduce those risks.
>
> MyFamily is about user and operator safety. We pay more
> attention to arguments based on safety.
>
> On 22 Feb 2020, at 23:02, Michael Gerstacker <
> michael.gerstacker at googlemail.com> wrote:
>
> > So for what reason do i set the MyFamily option beside making a Hidden
>> > Service Guard discovery attack more easy?
>>
>> - risk reduction for tor users
>> MyFamily declarations allow the tor client software to automatically
>> detect relay families when creating circuits to
>> avoid using multiple relays from the same operator in a single circuit.
>>
>
> This should not matter if the operator is not malicious and like i already
> said an malicious operator will not use the same contact info or relay name.
>
> - reducing the risk for tor users that might become victims if some
>> operator gets compromized (with all its relays)
>>
>
> This is a reason i can understand.
> Not sure how much that would really help in practice but i can understand
> it.
>
>
> In practice, relay operators become targets for compromise
> when they don't set MyFamily. Because those relays can be
> used to attack a Tor users.
>
> If relay operators correctly set MyFamily, then an attacker
> needs to compromise multiple operators to see a single
> user's traffic.
>
> In this case, it doesn't matter if the operator is malicious.
>

Understood.
So for example if someone compromise multiple of my relays without me
noticing it and installs software on them (or the providers network) to do
a traffic correlations attack i am a less interesting target when i have
set MyFamily.
Another benefit of a proper MyFamily setting in this case would be that he
first would need to remove the MyFamily to see any interesting traffic
which i would most likely realize faster than without a proper MyFamily
setting.

This is indeed something what makes me very uncomfortable because it would
be my fault if someones privacy would get affected by this.


> - transparency
>> Every relay operator should declare their relay group to allow everybody
>> to measure their network fraction (Sybil detection).
>>
>
> Should...
> But i understand this one too.
> But as long as my family is still a small one with only one exit compared
> to others i am not a Sybil attack risk and even if i would would i get any
> special treatment then?
>
>
> It doesn't matter how small your relays are. Some clients
> will choose your relays as guards. You're putting those
> users in danger.
>

I understand this one as related to the first one.


> - risk reduction for relay operators
>> MyFamily also provides risk reduction for operators since they are less
>> valuable as an attack target
>> if they can not technically be used for e2e correlation attacks
>>
>
> I think this is similar to your first point but i think that should be the
> operators choice if he want to take steps against this case.
>
>
> There's also a network effect here. If almost all operators
> set MyFamily, then the Tor Network becomes a less
> valuable target for attacks. So attackers use other
> methods, like attacking Tor Browser, or offline attacks.
>
> But if a lot of operators don't set MyFamily, then attackers
> develop tools and techniques to attack the network. Then
> they can repeat these attacks easily whenever they get a
> new target. I guess you could call that a market effect.
>

Understood.


> So if you're not going to set MyFamily for yourself, do it for
> Tor users, and do it for Luther relay operators.
>

Will try to do it tomorrow.


> We prioritise the safety of users and relay operators here.
>
> T
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20200223/eb0f9bd3/attachment.html>

More information about the tor-relays mailing list