[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Please check if your relay has fallen out of the consensus



On Tue, Oct 29, 2024 at 04:35:35AM +0000, pasture_clubbed242--- via tor-relays wrote:
> "Eclipse attacks occur when a node is isolated from all honest peers but remains connected to at least one malicious peer." https://bitcoinops.org/en/topics/eclipse-attacks/
> 
> Could an ASN feasibly deny connections to all official directories besides a malicious one to serve a malicious consensus? Perhaps to be used to then provide malicious controlled circuits or other attacks. 

That style of attack is actually one of the reasons why Tor still has
the directory authority design. Some of the other 'distributed trust'
anonymity designs out there (no need to name names, that's not the point)
have less control over who the relays are, but much more importantly they
have less control over which pieces of the network clients learn about,
which can lead to all sorts of attacks and surprises.

> I understand that there seems to be a signing of the consensus by directory authorities. Can an outdated, yet cryptographically valid, consesus be served by malicous DA's when others are eclipsed? Perhaps this could serve an older or more vulnurable consensus. 

No, those sorts of attacks should not be possible, and if you find some
way to break it, please let us know!

For a distant-past background paper on the topic of learning things
about the user if they only know about a subset of the network, check out
https://www.freehaven.net/anonbib/full/date.html#danezis2006rfa
and then for a slightly more recent analysis showing how hard it is
to protect against these attacks in "structured" scalable peer-to-peer
anonymity networks, see
https://www.freehaven.net/anonbib/#wpes09-dht-attack

All of this said, Tor's directory authority design is not perfect. It
might benefit from using some of the innovations from the consensus /
blockchain worlds over the past decade, in terms of fast robust agreement
among peers about the state of the network. For a concrete edge case where
we could do better, see this paper from this year's Oakland conference:
https://www.freehaven.net/anonbib/#directory-oakland2024

So, for sure the directory design isn't quite as good as we might like
it to be; but one of its big strengths, which has come in handy over
the years, is that it is really simple.

--Roger

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays