Tor’s directory protocol suffers from an equivocation vulnerability: a single compromised authority can silently generate a valid consensus document containing malicious relays, enabling undetectable client hijacking and rendering historical archives incapable of refuting the attack. This work formally models the problem as a distributed interactive consistency (IC) challenge. We propose a two-tier defense: (1) TorEq, a lightweight, non-intrusive real-time monitor that detects equivocation within five minutes; and (2) DirCast, the first Byzantine fault-tolerant broadcast protocol optimized for Tor’s architecture—requiring only 5–9 communication rounds and enabling nine authorities to securely produce over 500 consensus documents per hour. Both components are fully compatible with Tor’s existing codebase and have been co-developed with the Tor Security Team for integration.

The Tor network enhances clients’ privacy by routing traffic through an overlay network of volunteered intermediate relays. Tor employs a distributed protocol among nine hard-coded Directory Authority (DA) servers to securely disseminate information about these relays to produce a new consensus document every hour. With a straightforward voting mechanism to ensure consistency, the protocol is expected to be secure even when a minority of those authorities get compromised. However, the current consensus protocol is flawed: it allows an equivocation attack that enables only a single compromised authority to create a valid consensus document with malicious relays. Importantly the vulnerability is not innocuous: We demonstrate that the compromised authority can effectively trick a targeted client into using the equivocated consensus document in an undetectable manner. Moreover, even if we have archived Tor consensus documents available since its beginning, we cannot be sure that no client was ever tricked.We propose a two-stage solution to deal with this exploit. In the short term, we have developed and deployed TorEq, a monitor to detect such exploits reactively: the Tor clients can refer to the monitor before updating the consensus to ensure no equivocation. To solve the problem proactively, we first define the Tor DA consensus problem as the interactive consistency (IC) problem from the distributed computing literature. We then design DirCast, a novel secure Byzantine Broadcast protocol that requires minimal code change from the current Tor DA code base. Our protocol has near-optimal efficiency that uses optimistically five rounds and at most nine rounds to reach an agreement in the current nine-authority system. Our solutions are practical: our performance analysis shows that our monitor can detect equivocations without changing the authorities’ code in five minutes; the secure IC protocol can generate up to 500 consensus documents per hour in a real-world scenario. We are communicating with the Tor security team to incorporate the solutions into the Tor project.