[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 242: Better performance and usability for the MyFamily option

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal 242: Better performance and usability for the MyFamily option
From: "l.m" <ter.one.leeboi@xxxxxxxx>
Date: Mon, 02 Mar 2015 16:51:48 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 02 Mar 2015 16:52:01 -0500
In-reply-to: <CAKDKvuyTEiGAL_wBmZquZqajxc_mv28psqCvS=q=gxOEKpaWeg@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi,

If I understand the factors, as things stand currently, regarding family use with respect to the *security* of Tor.

Pros
1 - Prevents information disclosure in case of using related relay too much (relay configuration or seizure of hardware).

Cons
2 - It's not used by operators with malicious intent.
3 - Reduces diversity in choosing non-malicious relay assuming all relay in a family have similar performance/bandwidth. If the metrics vary widely in the first place there's the chance it won't matter.
4 - Allows use of nickname and fingerprint.
5 - Can be used arbitrarily by unrelated nodes to influence path selection.
6 - Clients already disobey family under non-deterministic circumstance (not reliably reproduced but have measured)

The proposed changes, in absence of any errata, are an improvement for enforcing a bidirectional relationship. For this reason it mitigates (4), and (5). If arbitrary nodes cannot simply join a family it also has less of an impact on (3) than when the tickets were originally filed.

Towards mitigating (3) it might be worth considering the AS of the related relays. I know this increases computation cost so it's more of a thought than even a suggestion. If the AS differs across related relay you might consider this (honest?) operator a safe choice for not setting the family. That is that the family might be better based on similarity of AS, supposing that this would make it easier to compromise usage data. Another thought is to consider families as a single node for the purpose of computing network diversity. If a situation occurs where diversity is low it would be useful to not consider families or to reconsider the so-called safe-families. You might call this a discussion towards relaxing family definition (slightly) in favor of increasing diversity, but staying within the changes of Proposal 242.

--leeroy

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] Tor Project proposal for GSoC 2015
Next by Author: Re: [tor-dev] bittorrent based pluggable transport
Previous by thread: Re: [tor-dev] Porting Tor Browser to the BSDs
Next by thread: Re: [tor-dev] bittorrent based pluggable transport
Index(es):
- Author
- Thread