Opened 5 months ago

Closed 4 months ago

#25668 closed defect (fixed)

Write a proposal for using two guards, not one

Reported by: nickm
Owned by:
Priority: Medium
Milestone: Tor: 0.3.4.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 034-roadmap-master, 034-triage-20180328, 034-included-20180328
Cc: mikeperry, asn
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

See tor-dev discussion. This is a roadmapped item.

Change History (8)

comment:1 Changed 5 months ago by nickm

Keywords: 034-triage-20180328 added

comment:2 Changed 5 months ago by nickm

Keywords: 034-included-20180328 added

comment:3 Changed 5 months ago by cypherpunks

Things I'd like to see covered but haven't been in the tor-dev discussion: For bridges, would going for 2 guards be risky since it increases the chance that the censor already knows one of the two bridges and thus can easily learn more bridges and censor them? What if the censor is unsophisticated and only blocks some bridges? If BridgeDB gives me 3 bridge addresses, two of which have already been blocked by the censor, what will Tor then do with only one working bridge? Aren't people who hit such cases of only one working bridge going to be easily fingerprintable? How would this work with meek-amazon? Would there be a need for two bridges there as well?

It's clear that the argument for using 2 guards is straightforward, but designing it for bridges will require a nontrivial amount of thought.

comment:4 Changed 5 months ago by mikeperry

cypherpunks -- I am going to leave bridges out of scope for the reasons you say. We are planning on iterating on a system that automatically obtains bridges from bridgedb via meek depending on how many are currently working, etc. I think the discussion about how many bridges to use and when to stop using them and when to refresh them will occur during that iteration.

comment:5 Changed 5 months ago by mikeperry

Draft proposal is hanging out here: https://gitweb.torproject.org/user/mikeperry/torspec.git/tree/proposals/xxx-two-guard-nodes.txt?h=twoguards

I hit a wall when considering exactly how prop271 will/should interact with two guards, and what that means with respect to alternative options. I am going to task switch and let this simmer in the back of my mind for a while. Any comments are welcome in the meantime. (The specific points where prop271 comes into play are marked with XXX).

Last edited 5 months ago by mikeperry

comment:6 Changed 5 months ago by asn

FWIW, I started running my tor browser with NumEntryGuards=2 + some extra logs (guard_monitor branch in my ghub) to see what's gonna happen over the next few days. Will be monitoring it.

comment:7 Changed 4 months ago by nickm

Can we close this ticket? I think the proposal is written, and people are discussing it. :)

comment:8 in reply to: 7 Changed 4 months ago by asn

Resolution: fixed
Status: new → closed

Replying to nickm:

> Can we close this ticket? I think the proposal is written, and people are discussing it. :)

Yes, let's close this one and let's move to #25754 for subsequent discussion.
