On Thursday May 20 2010 09:39:00 Flamsmark wrote: > On 20 May 2010 07:44, <and...@torproject.org> wrote: > > If Mallory lists Alice > > and Bob, but neither Alice nor Bob list Mallory, it's not a valid > > Family. Otherwise, Mallory could list every node in the network and > > screw everyone. > > Why would this screw everyone?
If only one side could declare a valid family that clients honored, you can control the paths clients choose. Eventually, some large percent of the network will find your declaration and be unable to build paths because they are all in the one-sided MyFamily declaration. Or, worse off, you run three nodes, let's call them TheMan0, TheMan1, and TheMan2. All three nodes list every other node in the network, except your three TheMan# nodes. Now as clients find your MyFamily declaration, they can only build paths through TheMan0, TheMan1, and TheMan2. Now you've won. This is one reason why the MyFamily declaration has to be the same on both sides in order for clients to honor it. Tor clients do not trust the Tor network by design. There are flaws in the MyFamily scheme, as we're seeing with perfect-privacy. It's a pain in the ass if you run a lot of nodes, so you just don't bother. It also assumes an honest relay operator will list all of all the nodes that should be in a MyFamily declaration. Right now, Tor won't use any relays in a circuit in the same /16 network to try to address "network closeness" of relays. We saw it was plausible that someone can start up a bunch of relays in the same datacenter in the same netblock and start to see a lot of circuits within that netblock. You can disable this behavior by setting EnforceDistinctSubnets to 0. It is an open and active area of research as to the degree of anonymity (increase or decrease) one receives as you develop trusted paths through the network (pick your own path), or Autonomous System aware paths, or country level aware paths, etc. -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://www.torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *********************************************************************** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/