On 10/15/18, panoramix.druida <panoramix.druida@protonmail.com> wrote:
> Hi, from my understanding, when a Tor proxy is started it downloads a list of relays from one of the ten Directory Authority Servers listed here: https://metrics.torproject.org/rs.html#search/flag:authority
> Am I right?
There's a second helper layer to the DA's known as fallback servers. However the DA's are still the root gatekeepers of the live network. And the DA's are also subject to higher layers that reside outside the live network...
> If so, who runs these servers and how are the people running them chosen? I would like to know a bit about the governance of how these authority servers are chosen.
Assuming more of an analysis than an operations question... Observatories appear to show the servers as being distributed around the world in various jurisdictions. They're run by whoever they appear to be run by. Both have a variety of potential attacks. The "how chosen / removed" part is informal but does have some written guidelines in the torspec repo. The existence of the DA design function under humans vs say distributed DHT, blockchain, AI, users' clients, whatever... is thought to have certain strengths. Ultimately the fingerprints and IPs of the DAs are hardcoded and committed into the source code, which exists in repositories controlled by The Tor Project Inc, a corporation headquartered in, and on the books of, the United States of America, run on a continuum from open to closed fashion in various areas of governance, participation, etc. There's a lot more that goes into that. All of which various parts of the overall community (corp, dev, users, operators, funders, etc) also hold various opinions on (re DAs), no different than any other project. Overall re: design / subject of DAs... it's thought by most around Tor a reasonably sound and working model, resistant to at least casual attack en masse, at least so far as any attack is publicly known to have occurred. Also keep in mind that the design of Tor / DAs is roughly 20 years old, thus having elements of both wisdom and legacy.
> What could go wrong if one or more of these servers are compromised?
Worst case? Full discovery of end-to-end physical locations, with concurrent compromise of traffic content. General network disruption including complete shutdown. Technical talk has been made over the years on if / should, and how, the DAs might be eliminated from the design. If the DA system is thought to be weak to various threats and attack models, or there's preference for a fully independent, distributed, and autonomous live network... people might want to review some of those talks, or draft design changes, or new overlay networks, or implement ones that are still in whitepaper form [waiting for a dev team]. The Anonbib is one good source for research reading, as are the materials and communities of other overlay networks. Note also that most things "who, where, threat models" regarding the DAs also apply to all the relays. And there is not necessarily any PKI WoT, comms, or in-person relations between any given whole or subset[s] of them. Perhaps there should be, or not, or in part, and why / how... And such subject questions, and their many fine and possible answers surely both here and before from many folks, are not unique to Tor... all the open overlay networks exhibit at least some similar elements. The code and networks are still active so... ignoring unknown conspirators, malactors, Sybils, GPA / GAA, [quantum] cryptanalysis, parallel constructions, etc... perhaps things in the space are thought good enough. Or not. One should never rest, because your adversaries will not. It's a big space, there's always room for new ideas, [better] solutions to old, hard, and new threats, incorporating new tools and strategies that didn't exist before, etc. Have fun :)
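The reply above notes that the authorities' fingerprints are hard-coded in the client and asks what a compromise of one or more of them means. The mitigating design point, which the thread does not spell out, is that a Tor client only accepts a network-status consensus signed by more than half of the authorities it trusts, so a single compromised authority cannot on its own hand clients a forged relay list. The example below, added here and not Tor's own code, parses the `directory-signature` lines of a consensus document, counts the signatures that come from a trusted authority set, and applies that majority rule. All fingerprints, addresses and signature bodies are constructed placeholders; the trusted-authority table stands in for the list a real client ships with; and the cryptographic signatures themselves are deliberately not verified (a real client checks each one against the authority's signing key), so this shows only the quorum logic.

```python
"""Majority-of-authorities quorum check over a Tor-style consensus document.

Added example, not Tor's code. Fingerprints, addresses and signature bodies
below are constructed placeholders. Signature bytes are NOT verified here;
only the quorum rule (more than half of trusted authorities) is modelled.
"""
import re
from dataclasses import dataclass, field

HEX40 = re.compile(r"^[0-9A-F]{40}$")

# Constructed placeholder fingerprints (each 40 hex digits), standing in for
# the hard-coded authority list a client trusts. Not real Tor authorities.
FP_ALPHA, FP_BRAVO, FP_CHARLIE = "11" * 20, "22" * 20, "33" * 20
FP_DELTA, FP_ECHO = "44" * 20, "55" * 20
FP_UNKNOWN = "99" * 20  # a signer no client trusts
TRUSTED_AUTHORITIES = {
    FP_ALPHA: "auth-alpha", FP_BRAVO: "auth-bravo", FP_CHARLIE: "auth-charlie",
    FP_DELTA: "auth-delta", FP_ECHO: "auth-echo",
}


def majority_threshold(n_trusted: int) -> int:
    """Signatures needed: strictly more than half of the trusted authorities."""
    return n_trusted // 2 + 1


def max_compromised_without_forgery(n_trusted: int) -> int:
    """Largest set of compromised authorities that still cannot, by itself,
    produce a consensus that a client following the majority rule accepts."""
    return majority_threshold(n_trusted) - 1


def parse_signers(consensus: str) -> set[str]:
    """Collect identity fingerprints from 'directory-signature' lines.

    Line format: directory-signature [Algorithm] <identity> <signing-key-digest>
    The base64 bodies between BEGIN/END SIGNATURE are skipped, and a fingerprint
    signing twice is counted once (a duplicate is not a second authority).
    """
    signers: set[str] = set()
    in_sig_body = False
    for raw in consensus.splitlines():
        line = raw.strip()
        if line == "-----BEGIN SIGNATURE-----":
            in_sig_body = True
            continue
        if line == "-----END SIGNATURE-----":
            in_sig_body = False
            continue
        if in_sig_body or not line.startswith("directory-signature "):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore rather than count it
        identity = parts[-2].upper()
        if HEX40.match(identity):
            signers.add(identity)
    return signers


@dataclass
class ConsensusCheck:
    signers_recognised: int
    needed: int
    accepted: bool
    unknown_signers: set[str] = field(default_factory=set)


def check_consensus(consensus: str, trusted=TRUSTED_AUTHORITIES) -> ConsensusCheck:
    """Apply the quorum rule: accept only if recognised signers >= majority."""
    trusted_ids = {fp.upper() for fp in trusted}
    signers = parse_signers(consensus)
    recognised = signers & trusted_ids
    needed = majority_threshold(len(trusted_ids))
    return ConsensusCheck(len(recognised), needed, len(recognised) >= needed,
                          signers - trusted_ids)


def build_sample_consensus(signer_fps: list[str]) -> str:
    """Construct a minimal consensus-shaped document (placeholder content)."""
    lines = ["network-status-version 3", "vote-status consensus",
             "valid-after 2018-10-15 00:00:00"]
    for i, (fp, nick) in enumerate(TRUSTED_AUTHORITIES.items(), start=1):
        # dir-source <nick> <identity> <hostname> <IP> <dirport> <orport>
        lines.append(f"dir-source {nick} {fp} {nick}.example 192.0.2.{i} 80 443")
    lines.append("directory-footer")
    for fp in signer_fps:
        lines += [f"directory-signature sha256 {fp} {'AB' * 20}",
                  "-----BEGIN SIGNATURE-----",
                  "cGxhY2Vob2xkZXItc2lnbmF0dXJlLWJ5dGVz",  # placeholder, unverified
                  "-----END SIGNATURE-----"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Three trusted signers (alpha signs twice) plus one unknown signer: accepted.
    ok = check_consensus(build_sample_consensus(
        [FP_ALPHA, FP_BRAVO, FP_ALPHA, FP_CHARLIE, FP_UNKNOWN]))
    print(ok)
    # Only two trusted signers: below the majority of five, rejected.
    print(check_consensus(build_sample_consensus([FP_ALPHA, FP_UNKNOWN, FP_BRAVO])))
    print("tolerable compromises among 9 authorities:", max_compromised_without_forgery(9))
```

The numbers make the threat-model point of the thread concrete: with nine trusted authorities an adversary needs five to forge an accepted consensus alone, so the "worst case" in the reply presupposes a majority compromise, while fewer compromised authorities are limited to denial of service (withholding their signatures) or to what they can do inside a consensus the honest majority still agrees to sign.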