Raise our guard rotation period, if appropriate
|Reported by:||arma||Owned by:|
|Component:||Core Tor/Tor||Version:||Tor: 0.2.7|
|Severity:||Normal||Keywords:||tor-client, needs-proposal, 023-backport, unfrozen, 027-triaged-1-in, SponsorU-deferred, tor-03-unspecified-201612|
|Cc:||mikeperry, iang, tariq.ee, rpw, amj703||Actual Points:|
Tariq's COGS paper from WPES 2012 shows that a significant component of guard churn is due to voluntary rotation, rather than actual network changes:
In short, if the target client makes sensitive connections continuously every day for months, and you (the attacker) run some fast guards, the odds get pretty good that you'll become the client's guard at some point and get to do a correlation attack.
We could argue that the "continuously every day for months" assumption is unrealistic, so in practice we don't know how bad this issue really is. But for hidden services, it could well be a realistic assumption.
There are going to be (at least) two problems with raising the guard rotation period. The first is that we unbalance the network further wrt old guards vs new guards, and I'm not sure by how much, so I'm not sure how much our bwauth measurers will have to compensate. The second (related) problem is that we'll expand the period during which new guards don't get as much load as they will eventually get. This issue already results in confused relay operators trying to shed their Guard flag so they can resume having load.
In sum, if we raise the rotation period enough that it really results in load changes, then we could have unexpected side effects like having the bwauths raise the weights of new (and thus totally unloaded) guards to huge numbers, thus ensuring that anybody who rotates a guard will basically for sure get one of these new ones.
The real plan here needs a proposal, and should be for 0.2.5 or later. I wonder if we can raise it 'some but not too much' in the 0.2.4 timeframe though?
|#9733||Generate statistics about compromise due to traffic correlation with different guard selection and rotation parameters|
Change History (61)
comment:1 follow-up: ↓ 14 Changed 4 years ago by nickm
- Keywords 023-backpor added
- Status changed from new to needs_review
comment:14 in reply to: ↑ 1 Changed 4 years ago by arma
- Status changed from needs_review to needs_revision
comment:24 Changed 4 years ago by nickm
- Milestone changed from Tor: 0.2.4.x-final to Tor: 0.2.3.x-final
comment:45 Changed 2 years ago by nickm
- Milestone changed from Tor: 0.2.??? to Tor: 0.2.7.x-final
- Summary changed from Raise our guard rotation period to Raise our guard rotation period, if appropriate
comment:49 Changed 2 years ago by isabela
- Keywords SponsorU added
- Points set to medium
- Version set to Tor: 0.2.7
comment:52 Changed 20 months ago by nickm
- Milestone changed from Tor: 0.2.7.x-final to Tor: 0.2.8.x-final
comment:55 Changed 15 months ago by nickm
- Milestone changed from Tor: 0.2.8.x-final to Tor: 0.2.9.x-final
- Status changed from assigned to new
comment:57 Changed 13 months ago by isabela
- Milestone changed from Tor: 0.2.9.x-final to Tor: 0.2.???
comment:58 Changed 11 months ago by nickm
- Keywords SponsorU-deferred added
- Sponsor SponsorU-can deleted
comment:60 Changed 4 months ago by nickm
- Keywords tor-03-unspecified-201612 added
- Milestone changed from Tor: 0.3.??? to Tor: unspecified