Re: [tor-relays] Why MyFamily?

Am So., 23. Feb. 2020 um 01:55 Uhr schrieb teor <teor@xxxxxxxxxx>:

Hi,

I've gone a few emails back up the thread, because the risk
analysis is missing some really important factors.

And just some reminders:

Some users depend on the tor network for their safety.

Relay operators take some risks, but we do our best to
reduce those risks.

MyFamily is about user and operator safety. We pay more
attention to arguments based on safety.

On 22 Feb 2020, at 23:02, Michael Gerstacker <michael.gerstacker@xxxxxxxxxxxxxx> wrote:

> So for what reason do i set the MyFamily option beside making a Hidden
> Service Guard discovery attack more easy?

- risk reduction for tor users
MyFamily declarations allow the tor client software to automatically detect relay families when creating circuits to
avoid using multiple relays from the same operator in a single circuit.

This should not matter if the operator is not malicious and like i already said an malicious operator will not use the same contact info or relay name.

- reducing the risk for tor users that might become victims if some operator gets compromized (with all its relays)

This is a reason i can understand.
Not sure how much that would really help in practice but i can understand it.

In practice, relay operators become targets for compromise
when they don't set MyFamily. Because those relays can be
used to attack a Tor users.

If relay operators correctly set MyFamily, then an attacker
needs to compromise multiple operators to see a single
user's traffic.

In this case, it doesn't matter if the operator is malicious.

Understood.

So for example if someone compromise multiple of my relays without me noticing it and installs software on them (or the providers network) to do a traffic correlations attack i am a less interesting target when i have set MyFamily.

Another benefit of a proper MyFamily setting in this case would be that he first would need to remove the MyFamily to see any interesting traffic which i would most likely realize faster than without a proper MyFamily setting.

This is indeed something what makes me very uncomfortable because it would be my fault if someones privacy would get affected by this.

- transparency
Every relay operator should declare their relay group to allow everybody to measure their network fraction (Sybil detection).

Should...
But i understand this one too.
But as long as my family is still a small one with only one exit compared to others i am not a Sybil attack risk and even if i would would i get any special treatment then?

It doesn't matter how small your relays are. Some clients
will choose your relays as guards. You're putting those
users in danger.

I understand this one as related to the first one.

- risk reduction for relay operators
MyFamily also provides risk reduction for operators since they are less valuable as an attack target
if they can not technically be used for e2e correlation attacks

I think this is similar to your first point but i think that should be the operators choice if he want to take steps against this case.

There's also a network effect here. If almost all operators
set MyFamily, then the Tor Network becomes a less
valuable target for attacks. So attackers use other
methods, like attacking Tor Browser, or offline attacks.

But if a lot of operators don't set MyFamily, then attackers
develop tools and techniques to attack the network. Then
they can repeat these attacks easily whenever they get a
new target. I guess you could call that a market effect.

Understood.

So if you're not going to set MyFamily for yourself, do it for
Tor users, and do it for Luther relay operators.

Will try to do it tomorrow.

We prioritise the safety of users and relay operators here.

T
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays