Some Tor Relays, you might want to avoid.

  • A default Tor client enforces distinct subnets. /16 IPv4 network blocks are treated as a “single relay operator”. Alice would not establish a circuit like 1.1.0.1(Guard) → 2.2.0.1(Middle) → 1.1.1.1(Exit), because that would violate the distinct subnets protection (more than one relay in 1.1.0.0/16)
  • In addition to the IP address a Tor client never uses more than one relay from a given “family”. This safeguard depends on the relay operators actually declaring their group of relays in their configuration.
  • A Tor client only uses relays with the guard flag as their first hop — ignoring bridges for now. Guards are static over multiple months before rotating them.
  • A Tor client can only use relays with the exit flag to connect to the actual destination. (The guard and exit flags are not in place to mitigate this risk specifically but in practice they help as well because relay operators tend to run exits or none-exits exclusively, so they can not see both ends).

Finding relay groups in end-to-end correlation position

Relay groups in end to end correlation position run exits and guard-only relays in multiple netblocks.

Am I affected?

If you use one of the relays in the above list as your entry guard relay (static over multiple months) than you might sooner or later also use one of their exit relays (changes frequently) as well.

Mitigation

  • Try to contact relay operators to add proper MyFamily configurations to their relays. I do this occasionally since quite some time (that is also a reason why the list is shorter than it used to be) but some relay operators do not respond, have invalid or no contact info (and to be honest this is a boring task to do and I didn’t want to auto-generate these emails). If you do reach out to them, please be kind and thank them also for running relays (and put tor-relays@lists.torproject.org or me in CC: so we can track who was contacted already). All operators on this list (with usable contactinfo) as of 2017–05–09 have been contacted (at least once).
  • Rise awareness and the importance of proper MyFamily (this blog post)
  • (Update 2017–05–09): Make MyFamily easier for relay operators. The current MyFamily design requires a relay operator to modify all relay configurations if they add a single new relay, that is cumbersome and one of the reasons why MyFamily configurations are often not updated. Proposal 242 could help with that. Other options are automation for relay operators, so they do not have to worry about that setting at all.
  • Technically it is possible to configure a Tor client to not use these relays (ExcludeNodes, StrictNodes), but that does not scale, needs constant updating and if not everyone is excluding them, those that do might become more unique than others. You do not want to become the unique Tor client. In reality it might be hard to single out Tor clients that excluded 0.9% of guard capacity in their Tor configuration. Another problem is that the list is based on unauthenticated contact information, so an attacker could trick you into excluding good relays (since the attacker would have to keep these relays running — an unlikely attack).

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
nusenu

nusenu

Tor, Routing Security and DNS Privacy related Topics. https://nusenu.github.io