This repository has been archived by the owner on Mar 2, 2022. It is now read-only.
Are you referring to @david415 's ProbeAll2HopCircuits scanner? I think the hashed consensus is hashed again with a local secret - I'm not sure how the authorities/relays can influence the output here...
> Are you referring to @david415 's ProbeAll2HopCircuits scanner?
I'm referring to any code that assumes the consensus hash is
appropriate to use as a secure random seed.
> I think the hashed consensus is hashed again with a local secret - I'm not sure how the authorities/relays can influence the output here...
The authorities can manipulate the consensus hash by changing their votes.
This gives them an extraordinary degree of freedom: they have 5 minutes
every hour to try as many votes as they want.
Relays can manipulate it by changing their descriptors. They have some
degrees of freedom in their nickname and other data.
Since the bandwidth scanner's behaviour is publicly observable, the local
secret is irrelevant: the adversary can simply manipulate the hash until it
obtains the behaviour it wants.
There was a thread about these kinds of attacks on tor-dev a few years
ago. I can't find it right now. But OnionNS originally had a similar design,
and it was changed due to this attack:
https://lists.torproject.org/pipermail/tor-dev/2015-May/008826.html
Use the shared random value in the consensus. It is designed to be a
secure, publicly available, shared random value. Every authority can
only choose between two alternate values: the value if it reveals, and
the value if it doesn't.
Please, use the value that was made for this purpose.
If you want extra security, hash it with a distinguishing prefix.
If you want uniqueness, hash it with a private secret.
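
One way to follow the advice in the comment above, as an added example that is not code from this thread or from the scanner: read the `shared-rand-current-value` line from a consensus, hash it with a distinguishing prefix, and optionally key the hash with a private secret. The prefix string, the function names, the sample consensus excerpt and the relay-ordering use are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed consensus excerpt; both values are base64 of 32 constructed bytes.
SAMPLE_CONSENSUS = (
    "network-status-version 3\n"
    "valid-after 2017-01-01 12:00:00\n"
    "shared-rand-previous-value 9 " + base64.b64encode(bytes(32)).decode() + "\n"
    "shared-rand-current-value 9 " + base64.b64encode(bytes(range(32))).decode() + "\n"
)

PREFIX = b"example-bwscan-seed-v1"  # hypothetical distinguishing prefix


def parse_srv(consensus_text, keyword="shared-rand-current-value"):
    """Return the 32-byte shared random value from a consensus document."""
    for line in consensus_text.splitlines():
        parts = line.split(" ")
        if parts[0] == keyword:
            if len(parts) != 3:
                raise ValueError("malformed %s line" % keyword)
            value = base64.b64decode(parts[2], validate=True)
            if len(value) != 32:
                raise ValueError("shared random value must be 32 bytes")
            return value
    # Fail closed: never fall back to hashing the consensus itself.
    raise ValueError("consensus has no %s line" % keyword)


def derive_seed(srv, local_secret=None):
    """Hash the SRV with the prefix; key the hash with a private secret if given."""
    if local_secret is None:
        return hashlib.sha256(PREFIX + srv).digest()
    return hmac.new(local_secret, PREFIX + srv, hashlib.sha256).digest()


def ordered_relays(fingerprints, seed):
    """Order relays by HMAC(seed, fingerprint), independent of input order."""
    def tag(fp):
        return hmac.new(seed, fp.encode("ascii"), hashlib.sha256).digest()
    return sorted(fingerprints, key=tag)
```
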
Using the hash of the consensus means that authorities, and possibly relays, can manipulate the hash.