Design proposals to further improve guard security

I have a couple of proposal sketches that I would like to write for making the prop271 guard algorithm work even better. In particular, I would like to better resist the case where we start up for the first time with a hostile ISP that's determined to control our long-term guard choices.

changed milestone to %Tor: unspecified

added 034-removed-20180328 034-triage-20180328 TorCoreTeam201705 component::core tor/tor milestone::Tor: unspecified parent::20822 points::2 priority::medium resolution::worksforme severity::normal status::closed tor-guard type::enhancement labels

Trac:
Keywords: N/A deleted, tor-guard added

Here are the ideas I have in my notes; they'll need some expansion to become proposals. And possibly to make any sense to anyone.

.....

The main problem this algorithm faces right now is the initial bootstrapping if the ISP is eeeevil. We're not doing worse than previously (I think), but we could do better. Some Ideas to improve this:

• Mark the initial identity guards as "semi-confirmed" somehow so they can retain priority for a while in case the user breaks out.

• Maintain a "suspicion index" for each guard: maybe, the number of guard that were down before it when it was confirmed?

• Maybe, don't confirm guards when the primary guards are down if we're about to retry??? [didn't think about that one so much.]

• Maybe when a circuit launches earlier than another , if both guards become confirmed, the one that was launched first should be confirmed with earlier confirmed_idx?

Trac:
Status: new to assigned
Owner: N/A to nickm

Trac:
Points: N/A to 2

batch modify: I think these are "enhancement", though I could be wrong about some.

Trac:
Type: defect to enhancement

Deferring these to 0.3.1.x as nonbugfixes.

Trac:
Milestone: Tor: 0.3.0.x-final to Tor: 0.3.1.x-final

Trac:
Keywords: N/A deleted, TorCoreTeam201703 added

Trac:
Sponsor: N/A to SponsorZ

These are things I should work on during May, but they're prep work for 0.3.2 and beyond.

Trac:
Keywords: N/A deleted, TorCoreTeam201705 added
Milestone: Tor: 0.3.1.x-final to Tor: 0.3.2.x-final

Trac:
Keywords: TorCoreTeam201703 deleted, N/A added

Trac:
Sponsor: SponsorZ to SponsorV

Trac:
Sponsor: SponsorV to SponsorV-can

Trac:
Milestone: Tor: 0.3.2.x-final to Tor: 0.3.3.x-final

Trac:
Milestone: Tor: 0.3.3.x-final to Tor: 0.3.4.x-final

Trac:
Keywords: N/A deleted, 034-triage-20180328 added

Per our triage process, these tickets are pending removal from 0.3.4.

Trac:
Keywords: N/A deleted, 034-removed-20180328 added

These tickets, tagged with 034-removed-*, are no longer in-scope for 0.3.4. We can reconsider any of them, if time permits.

Trac:
Milestone: Tor: 0.3.4.x-final to Tor: unspecified

Removing sponsor V as we do not have more time to include this tickets in the sponsor.