On Tue, Oct 29, 2024 at 04:35:35AM +0000, pasture_clubbed242--- via tor-relays wrote:
"Eclipse attacks occur when a node is isolated from all honest peers but remains connected to at least one malicious peer." https://bitcoinops.org/en/topics/eclipse-attacks/
Could an ASN feasibly deny connections to all official directories besides a malicious one to serve a malicious consensus? Perhaps to be used to then provide malicious controlled circuits or other attacks.
That style of attack is actually one of the reasons why Tor still has the directory authority design. Some of the other 'distributed trust' anonymity designs out there (no need to name names, that's not the point) have less control over who the relays are, but much more importantly they have less control over which pieces of the network clients learn about, which can lead to all sorts of attacks and surprises.
I understand that there seems to be a signing of the consensus by directory authorities. Can an outdated, yet cryptographically valid, consesus be served by malicous DA's when others are eclipsed? Perhaps this could serve an older or more vulnurable consensus.
No, those sorts of attacks should not be possible, and if you find some way to break it, please let us know!
For a distant-past background paper on the topic of learning things about the user if they only know about a subset of the network, check out https://www.freehaven.net/anonbib/full/date.html#danezis2006rfa and then for a slightly more recent analysis showing how hard it is to protect against these attacks in "structured" scalable peer-to-peer anonymity networks, see https://www.freehaven.net/anonbib/#wpes09-dht-attack
All of this said, Tor's directory authority design is not perfect. It might benefit from using some of the innovations from the consensus / blockchain worlds over the past decade, in terms of fast robust agreement among peers about the state of the network. For a concrete edge case where we could do better, see this paper from this year's Oakland conference: https://www.freehaven.net/anonbib/#directory-oakland2024
So, for sure the directory design isn't quite as good as we might like it to be; but one of its big strengths, which has come in handy over the years, is that it is really simple.
--Roger