Can authorities use multihop circuits rather than direct connections to detect running routers?
So, I had an item on the roadmap to "Ensure dirauths check for incoming authentication when verifying ORPorts, if easy".
Summary: It's not easy, but it's possible given effort.
So, it looks like dirauths don't check for incoming authentication at all when verifying ORPorts. All they do is look at the "last_reachable" or "last_reachable6" fields. Those fields are set from dirserv_orconn_tls_done(), which triggers when we complete an outgoing TLS handshake.
The reachability tests are launched with dirserv_single_reachability_test(), which only opens a channel -- it doesn't try to create a circuit at all.
If we want to do a test for incoming authentication, it's possible, but we'd need to write some more machinery and think of a workaround for an issue (below). We would need to launch testing circuits through the targetted node, and notice whenever somebody authenticates to us using the node's key. If the circuit succeeds but the node has performed no authentication to us, it must be a bridge. Such tests could be launched on a comparatively slow schedule.
There's one other problem with the make-an-incoming-circuit approach: I think that the authority will authenticate to the bridge with its outgoing connection, and so the bridge will already have an authority connection to the authority. I think that the bridge will, when asked to connect to the authority, use that connection instead of creating a new one. Two possible fixes: first, the bridge could stop asking for authentication on incoming connections. Second, the authority could stop providing authentication on outgoing testing connections that it launches for this purpose.