Opened 5 years ago

Last modified 3 years ago

#16538 new project

Limit the impact of a malicious HSDir

Reported by: arma Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-dirauth, tor-hs prop224
Cc: teor Actual Points:
Parent ID: Points:
Reviewer: Sponsor: SponsorR-can


An adversary who can control all six hsdir points for an onion service can censor it. You can observe lookups of it even if you control only some of these six.

So we should raise the bar for getting the HSDir flag, to raise the cost to an adversary who tries to Sybil the network in order to control lots of HSDir points. We should also make it harder to target which onion service your relay becomes the HSDir for.

There's a contradiction here: the more restrictive we are about who gets the HSDir flag, the more valuable it becomes to get it. At the one extreme (our current choice), we give it to basically everybody, so you have to get a lot of them before your attack matters. At the other extreme, we could give it to our favorite 20 relays, and if we choose wisely then basically no adversaries will get the HSDir flag. I suspect there are no sweet spots in between.

This ticket is the parent ticket for all the components of making bad HSDirs less risky.

Child Tickets

#2715 (new) Is rephist-calculated uptime the right metric for HSDir assignment? (Core Tor/Tor)
#8243 (closed) Getting the HSDir flag should require the Stable flag (Core Tor/Tor)
#15963 (closed, dgoulet) Don't vote HSDir if we aren't voting Fast (Core Tor/Tor)
#16524 (closed) Don't vote HSDir if we aren't voting Valid (Core Tor/Tor)
#16558 (new) Dir auths should vote about Invalid like they do about BadExit (Core Tor/Tor)

Change History (9)

comment:1 Changed 5 years ago by teor

Cc: teor added

comment:2 Changed 4 years ago by nickm

Keywords: SponsorR removed
Sponsor: SponsorR

Bulk-replace SponsorR keyword with SponsorR sponsor field in Tor component.

comment:3 Changed 4 years ago by dgoulet

Sponsor: SponsorR → SponsorR-must

comment:4 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:5 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:6 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:7 Changed 3 years ago by dgoulet

Keywords: tor-dirauth added; tor-auth removed

Turns out that tor-auth is for directory authority so make it clearer with tor-dirauth

comment:8 Changed 3 years ago by dgoulet

Keywords: tor-hs added
Severity: Normal
Sponsor: SponsorR-must → SponsorR-can

comment:9 Changed 3 years ago by nickm

Keywords: prop224 added

Prop224 will resolve a lot of the issues here.
