[tor-bugs] #16538 [Tor]: Limit the impact of a malicious HSDir

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#16538: Limit the impact of a malicious HSDir
--------------------------------+------------------------------
 Reporter:  arma                |          Owner:
     Type:  project             |         Status:  new
 Priority:  normal              |      Milestone:  Tor: 0.2.???
Component:  Tor                 |        Version:
 Keywords:  SponsorR, tor-auth  |  Actual Points:
Parent ID:                      |         Points:
--------------------------------+------------------------------
 An adversary who can control all six hsdir points for an onion service can
 censor it. You can observe lookups of it even if you control only some of
 these six.

 So we should raise the bar for getting the HSDir flag, to raise the cost
 to an adversary who tries the Sybil the network in order to control lots
 of HSDir points. We should also make it harder to target which onion
 service your relay becomes the HSDir for.

 There's a contradiction here: the more restrictive we are about who gets
 the HSDir flag, the more valuable it becomes to get it. At the one extreme
 (our current choice), we give it to basically everybody, so you have to
 get a lot of them before your attack matters. At the other extreme, we
 could give it to our favorite 20 relays, and if we choose wisely then
 basically no adversaries will get the HSDir flag. I suspect there are no
 sweet spots in between.

 This ticket is the parent ticket for all the components of making bad
 HSDirs less risky.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16538>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs