On 09/05/14 10:14, Michael Rogers wrote: > On 08/05/14 14:40, Christopher Baines wrote: >>> Perhaps it would make sense to pick one or more IPs per guard, >>> and change those IPs when the guard is changed? Then waldo's >>> attack by a malicious IP would only ever discover one guard. > >> If you change the IP's when the guard is changed, this could break >> the consistency between different instances of the same service >> (assuming that the different instances are using different >> guards). > > It should be possible to avoid breaking consistency by having an > overlap period: when a guard is scheduled to be replaced, each > instance connects to a new guard and IPs, the new descriptor is > published, then each instance disconnects from the old guard and IPs. > > This should work whether or not the instances use the same guards. If > the instances use the same guards, waldo's attack can discover one > guard shared by all instances; otherwise it can discover one guard per > instance. I'm not sure which is worse for anonymity - any thoughts? How do you see the guards being "scheduled" for replacement? Another issue is how do you get each instance to connect through the same guard node? I think that it would be fine having per instance guard nodes (1 or more). I don't see much significance in it being shared, it also seems quite problematic to accomplish.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev