Opened 4 years ago

Last modified 2 years ago

#16978 new defect

Minority of hostile dirauths can influence consensus in dangerous ways

Reported by: Sebastian Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Major Keywords: tor-dirauth needs-proposal voting
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We like to claim that if a minority of dirauths is not honest, the worst they can do is manipulate the voting process in such a way that no consensus emerges but not that a consensus emerges that is (at least partially) dictated by the bad actors. Unfortunately, this isn't the case for the opt-in features. If a majority of the dirauths opting in to features such as bad exit voting, bandwidth measurements, or voting for a specific parameter want to influence these values in the consensus, they don't require a majority of total dirauths to do that. This might not be so much of an issue with less important features like Naming, but since badexit and bandwidth weight directly influences path selection on the client, these authorities that opt in to those features have considerably more power over the consensus than those that do not.

Child Tickets

Change History (4)

comment:1 Changed 3 years ago by teor

Milestone: Tor: 0.2.???Tor: 0.3.???

Milestone renamed

comment:2 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.???Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:3 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:4 Changed 2 years ago by nickm

Keywords: tor-dirauth needs-proposal voting added
Severity: Major
Note: See TracTickets for help on using tickets.