[tor-relays] MyFamily
Nick Mathewson
nickm at torproject.org
Mon May 15 12:31:33 UTC 2023
On Mon, May 15, 2023 at 5:21 AM Matt Palmer <mpalmer at hezmatt.org> wrote:
>
> On Sat, May 13, 2023 at 12:55:17PM -0400, denny.obreham at a-n-o-n-y-m-e.net wrote:
> > This has probably been addressed before but why isn't the MyFamily value
> > just a single, unique ID?
> >
> > If I have the relays with the fingerprints "John", "Jane", and "Alice" and
> > I want to add "Bob", wouldn't it be simpler (and more logical) to add the
> > unique MyFamily "Smith" to each torrc file than listing all fingerprints?
>
> I believe the reason for the current setup is to prevent randos from adding
> themselves to your family of relays, and then causing problems.
That's correct: if an attacker can add their relay to a family without
the rest of the family's consent, they can use that to influence
routing and do some kinds of path-selection attacks.
For an easy example, let's imagine that we let any relay put itself
into any family. Now suppose the attacker starts three relays A1, A2,
and A3. Then, since nothing stops them, they put A1 into a family
with every relay on the network, except for A2 and A3. Now, any time
a user (randomly) selects A1, they will find that the only other
relays they can use on that circuit are A2 and A3; this will build a
completely attacker-controlled path, they will get no privacy.
That said, there's an open proposal to try to make it so relays can
use a cryptographic identifier instead of a unique ID or a list:
https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/321-happy-families.md
I'd be curious to know whether relay operators think this proposal
would be usable for them; when I first circulated it, I didn't get a
lot of feedback.
(Oh, I see that Trinity has mentioned this too. Hi, Trinity!)
cheers,
--
Nick
More information about the tor-relays
mailing list