If many directory authorities are compromised or offline, is it still safe to use Tor? What are security and anonymity consequences for Tor users of such an attack on directory authorities?
2 Answers
I would like to clear the air.
Many Directory authorities are compromised and gone offline.
How, and where did you get this idea from? You might be mistaking a separate incident for what you think is a compromise of the directory authorities. The incident to which I refer is an individual (T@riseup) who hosts mirrors of some Tor services and exit-nodes. There was (and still is as of this posting) some questions about the integrity of his services after an unexpected loss of control and downtime.
On the subject of compromised directory authorities -- there isn't anything to report. This may change. I suspect it won't. Even if the possibility was overheard by someone who may have gotten the impression of seizure -- it's still unlikely. Why?
- Because only the stupidest of law enforcement would try it and expect that doing so would take down the network.
- Only the stupidest of law enforcement would think they could do it and not be noticed.
- Only the stupidest of law enforcement would do it and think they'll gain anything useful to any investigation from the compromised servers. That is, there are vastly better ways of pursuing an investigation.
- Only the stupidest of law enforcement would let their plans be so easily overheard. Unless, of course, the point was to cause chaos and confusion. Perhaps even to create fear, as is so often the tactic of such adversaries. Their goal, after all, is control over those who refuse to be controlled.
Under these circumstances is it safe to use Tor?
You can expect TorProject to be in ongoing communication with current authorities. If any directory authorities are compromised (or suspected) you'll know in three ways.
- If you use Tor-Browser you'll get the update-available indicator. The update will have blacklisted the suspected-to-be-compromised directory authority. You'll be able to read the change-log for more details. Given the circumstances I wouldn't be surprised if the updates could include replacement (and previously unknown) authorities. It's really that easy to replace a compromised authority.
- You'll see an update at this blog entry. It contains the most useful of information on this subject (minus the trolling).
- You'll see an update on the tor-talk mailing list (mostly trolling).
What are security and anonymity consequences of this current attack on directory authorities for Tor users?
Well -- to be blunt, if enough authorities are compromised it would allow the evil twins to create their own Tor relay network. Which would, of course, be horrible. The good news is that's not as easy as just taking over a server. It's much harder than that in practice. On top of this, even if some authorities were to be compromised, it would create a noticeable disruption. Which means unless all authorities are compromised it would be very hard to pull off an "attack" from this vector and not be noticed. I recommend reading the blog entry mentioned above to gain further insight. Conversely if all authorities are offline then no new Tor installations can bootstrap. However, existing clients, who have already bootstrapped will, for a time, continue to use their cached consensus (measured in days -- more than enough time to address the problem).
If you're concerned about the status of the directory authorities you can do the following.
- Check here. You'll note the last time/date a consensus was published. You can also peruse the data for anomalies.
- Check here. You can reproduce that search by just searching for flag:authority on atlas. Ignore the entry for Tonga as that appears to be an erroneous entry due to having a bridge hosted on dizum.
I hope that helps somewhat.
-- leeroy
If there are not enough directory authorities online for a consensus, the network will die out as the consensus expires.
If no directory authorities are online, new clients are unable to download an initial list of relays.
If an adversary has control over a majority of directory authorities, they could force a consensus of their liking, for example one that only contains exit nodes they also control. However, this would be noticed by operators of any relays that are no longer in the consensus. 
This question is related: Would distributed denial of service (DDoS) attacks on the directory authorities disrupt the Tor network?
 
     
    