How can Tor use a one hop circuit to a directory server during initial bootstrap?

  • The Tor manual says:

    TunnelDirConns 0|1

    If non-zero, when a directory server we contact supports it, we will build a one-hop circuit and make an encrypted connection via its ORPort. (Default: 1)

    Tor connects to a directory server to get a list of Tor relays in the first place. When Tor is started for the first time, how does Tor know which relay could be used to connect to a directory server?

  • Tor ships with a list of directory authorities and some information about them.

    In particular, this information includes for each authority its IP address, onion port and onion key fingerprint.

    This makes it possible for clients to make an onion connection to one or more authorities for bootstrapping purposes. It then connects to the authority's DirPort via the onion connection to that authority.

    This so-called tunneled connection doesn't provide anonymity. It only provides confidentiality, i.e. nobody listening on your network can know exactly what you fetched[1]. It also would provide integrity, but the information downloaded is signed anyway.


    [1] Though it's probably not too hard to guess that you're bootstrapping once you know it goes to a Tor node and there's a lot of downloading happening. Still, you can't just filter for "GET /tor/" to block the connection.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM