On 2011-10-20, Nick Mathewson <ni...@torproject.org> wrote: > 4.3. Separate bridge-guards and client-guards > > In the design above, I specify that bridges should use the same > guard nodes for extending client circuits as they use for their own > circuits. It's not immediately clear whether this is a good idea > or not. Having separate sets would seem to make the two kinds of > circuits more easily distinguishable (even though we already assume > they are distinguishable). Having different sets of guards would > also seem like a way to keep the nodes who guard our own traffic > from learning that we're a bridge... but another set of nodes will > learn that anyway, so it's not clear what we'd gain.
Any attacker who can extend circuits through a bridge can enumerate the set of guard nodes which it routes its clients' circuits through. A malicious middle relay can easily determine the set of entry guards used by a hidden service, and over time, can determine the set of entry guards used by a user with a long-term pseudonym. If a bridge uses the same set of entry guards for its clients' circuits as it does for its own, users who operate bridges can be deanonymized quite trivially. Robert Ransom _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
