Overview
- CGO aims to mitigate tagging attacks and strengthen forward secrecy, addressing long‑known weaknesses in the tor1 relay scheme.
- The design uses a pseudorandom permutation built from UIV+, adds tag chaining across cells, and makes altered traffic unrecoverable.
- A 16‑byte authenticator replaces tor1’s 4‑byte SHA‑1 digest, removing SHA‑1 from relay encryption and improving tamper detection.
- Implementation is underway in Arti and the C Tor codebase, with CGO available in Arti as experimental and no default‑enable timeline provided.
- Support for onion services is in progress, with Arti expected to gain it first, and the Tor Project is inviting external review ahead of a network‑wide rollout.
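
The tag chaining and "altered traffic is unrecoverable" points above can be seen in a toy model. This is an added example, not code from Arti or C Tor and not the CGO construction: a 4-round Feistel network over HMAC-SHA256 stands in for the UIV+ permutation, and every function name and sample value is hypothetical.

```python
import hashlib, hmac

TAG_LEN = 16            # authenticator size named in the overview
ZERO = bytes(TAG_LEN)

def prf(key, tweak, data, n):
    # HMAC-SHA256 in counter mode, standing in for the real primitives
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, tweak + bytes([ctr]) + data, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def permute(key, tweak, cell, decrypt=False):
    # Toy tweakable wide-block permutation: 4-round Feistel over the whole cell
    left, right = cell[:TAG_LEN], cell[TAG_LEN:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        t = tweak + bytes([rnd])
        if rnd % 2 == 0:
            left = xor(left, prf(key, t, right, len(left)))
        else:
            right = xor(right, prf(key, t, left, len(right)))
    return left + right

def next_tweak(key, tweak, wire_cell):
    # Chaining: the tweak for cell n+1 depends on every byte of cell n as sent
    return prf(key, tweak, wire_cell, TAG_LEN)

def seal(key, payloads):
    tweak, out = ZERO, []
    for p in payloads:
        c = permute(key, tweak, ZERO + p)   # zero field acts as the authenticator
        out.append(c)
        tweak = next_tweak(key, tweak, c)
    return out

def open_cells(key, cells):
    tweak, results = ZERO, []
    for c in cells:
        plain = permute(key, tweak, c, decrypt=True)
        ok = hmac.compare_digest(plain[:TAG_LEN], ZERO)
        results.append(plain[TAG_LEN:] if ok else None)   # None = rejected
        tweak = next_tweak(key, tweak, c)
    return results

def stream_xor(key, data):
    # Contrast case: a plain XOR keystream, where a flipped bit stays a flipped bit
    return xor(data, prf(key, ZERO, b"stream", len(data)))
```

Flipping one bit in a sealed cell makes `open_cells` reject that cell and every later one, while the same flip under `stream_xor` changes exactly one plaintext bit, which is the malleability that tagging depends on.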