On Mon, May 5, 2014 at 12:07 PM, Nick Mathewson nickm@torproject.org wrote:
> I noticed that proposal 236 doesn't mention directory guards. (See proposal 207, implemented in Tor 0.2.4.) I think that we should consider retaining multiple directory guards while going to a single guard for multi-hop circuits.
> ...
> I also think that most of the arguments for single-guard apply to circuit guards more than to directory guards. But there could be some left, and we should figure those out.
I think I mostly agree that having multiple directory guards should not be as significant a threat as multiple circuit guards. But:

- Having directory guard(s) besides the circuit guard *will* increase vulnerability to guard fingerprinting, as in #10969 and https://lists.torproject.org/pipermail/tor-dev/2013-September/005424.html

- My directory guard knows when I'm using Tor, and so will be in a position to conduct long-term intersection attacks against sites with public logs or timestamps (e.g.: IP w.x.y.z is always online when "SecretHandle" tweets). Having more guards increases vulnerability to this kind of attack. Would it make sense to relay directory requests through circuit guards to avoid this?
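As an added illustration of the long-term intersection attack discussed in the reply above (example code written for this page, not from the thread, from Tor, or from either author): a malicious directory guard's fetch log is correlated against a public timestamp log. The guard log, the public event times, the client IPs, the session length, and the independent-guard-selection model used for the exposure probability are all constructed assumptions, not measured Tor behaviour. The example also shows the failure mode a practitioner hits when the adversary holds only one of several directory guards and so misses some of the target's fetches: a strict intersection then loses the true IP, while a hit-count ranking still surfaces it.

```python
# Added example (not from the thread): a toy long-term intersection attack
# over constructed data, plus the guard-count exposure calculation.
# All timestamps are arbitrary seconds; IPs and the handle are made up.

# Constructed: what a malicious directory guard records, (timestamp, client_ip)
# for each directory fetch it served.
GUARD_LOG = [
    (100, "10.0.0.1"), (100, "10.0.0.2"), (100, "10.0.0.3"),
    (4000, "10.0.0.1"), (4000, "10.0.0.3"),
    (8000, "10.0.0.1"), (8000, "10.0.0.2"),
    (12000, "10.0.0.3"),
    (16000, "10.0.0.1"), (16000, "10.0.0.3"),
]

# Constructed: timestamps from a public log (e.g. when "SecretHandle" posts).
PUBLIC_EVENTS = [200, 4100, 8500, 16200]

# Assumption: a directory fetch means the client stays online this long.
SESSION_LEN = 3600

# Constructed: the same client activity as seen by an adversary that holds only
# one of two directory guards, so two of the fetches went to the other guard.
PARTIAL_GUARD_LOG = [
    e for e in GUARD_LOG if e not in {(8000, "10.0.0.1"), (4000, "10.0.0.3")}
]


def online_at(guard_log, ip, t, session_len):
    """True if the guard saw `ip` fetch within `session_len` seconds before `t`."""
    return any(seen_ip == ip and ts <= t <= ts + session_len
               for ts, seen_ip in guard_log)


def rank_candidates(guard_log, events, session_len=SESSION_LEN):
    """Per client IP, count the public events during which it was observed online."""
    ips = {ip for _, ip in guard_log}
    return {ip: sum(online_at(guard_log, ip, t, session_len) for t in events)
            for ip in ips}


def strict_intersection(guard_log, events, session_len=SESSION_LEN):
    """Classic intersection: IPs online at every event.

    Brittle: one missed fetch (served by a different directory guard) drops the
    true IP from the result.
    """
    hits = rank_candidates(guard_log, events, session_len)
    return sorted(ip for ip, n in hits.items() if n == len(events))


def best_candidates(guard_log, events, session_len=SESSION_LEN):
    """Tolerant variant: IPs with the highest hit count, surviving missed observations."""
    hits = rank_candidates(guard_log, events, session_len)
    top = max(hits.values())
    return sorted(ip for ip, n in hits.items() if n == top)


def p_some_guard_malicious(num_guards, malicious_fraction):
    """Probability that at least one of `num_guards` guards is adversarial.

    Assumption: guards are chosen independently and each is adversarial with
    probability `malicious_fraction`; this is the term that grows with the
    number of directory guards.
    """
    return 1 - (1 - malicious_fraction) ** num_guards


if __name__ == "__main__":
    print("full log, strict:", strict_intersection(GUARD_LOG, PUBLIC_EVENTS))
    print("partial log, strict:", strict_intersection(PARTIAL_GUARD_LOG, PUBLIC_EVENTS))
    print("partial log, ranked:", best_candidates(PARTIAL_GUARD_LOG, PUBLIC_EVENTS))
    for k in (1, 2, 3):
        print(f"{k} guard(s), 10% malicious: P(exposed) = "
              f"{p_some_guard_malicious(k, 0.1):.3f}")
```

With the full log the strict intersection narrows the candidates to 10.0.0.1 after three events; with the partial log the strict intersection returns nothing while the ranking still puts 10.0.0.1 on top, which is why an adversary with only one of several directory guards needs more events but is not defeated. The exposure probability is the trade-off the reply points at: more directory guards means each adversarial guard sees a smaller share of fetches, but the chance that some guard is adversarial rises with the count.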