Re: Tor bug?: AllowInvalidNodes
Let us say we did verify people within X miles of us... what would be
the protocol? What keeps me from meeting the representative of an
evil agent dressed as John Q Public?
Wednesday, August 16, 2006, 5:00:47 PM, you wrote:
> On Wed, Aug 16, 2006 at 08:59:12PM +0000, crackedactor@xxxxxxxxxxx wrote:
>> On Wed, Aug 16, 2006 Nick Mathewson wrote:
>> >It works. It just doesn't mean what you thought.
>> You obviously didn't read Arrakistor 16 August 2006 00:44 Tor bug?: AllowInvalidNodes
>> who wrote
>> "Roger, Nick, et al,
>> Tor *.23
>> AllowInvalidNodes seems to be having a problem. We've tried a few versions,
>> including the deprecated AllowUnverifiedNodes to no avail. However the
>> exit node of the circuit is still often invalid according to
> See Roger's message, which you quote below:
> > The exit.pl script that Geoff wrote and runs on Serifos uses the
> > phrase "not a valid Tor server" to mean "not a Tor server as far
> > as I know".
> This is the serifos script that Roger is talking about. It lists IP
> addresses as "invalid" if they are not the IP of a tor server it
> knows. Some "valid" (according to the directory authorities) Tor
> servers exit on IPs that are not the same as the IP they listen on.
> This means that the IP they exit on will not appear on serifos's list
> of valid nodes.
>> >> Now I find out that it was never intended to work and that it was
>> >> never an "AllowUnverifiedNodes" replacement.
>> >Sure it was. "Unverified" and "Invalid" are the same concept:
>> >'attested to as likely to be okay by the directory server.' The only
>> >thing that has changed is the name.
>> Did you read Roger Dingledine 16 Aug 2006 13:42:17 -0400 Re: Tor bug?: AllowInvalidNodes
>> who wrote (short version):
>> "The fundamental confusion here is that the word 'invalid' means many
>> things to many people, but it means pretty much nothing to Tor. The
>> exit.pl script that Geoff wrote and runs on Serifos uses the phrase "not
>> a valid Tor server" to mean "not a Tor server as far as I know". The
>> word "valid" with respect to the AllowInvalidNodes config option is
>> simply defined as "not manually designed by the directory authorities
>> as invalid".
>> Are you arguing with this definition of INVALID as opposed to the
>> original "Unverified" definition? Or are you now informing us that
>> for some while now the term "unverified" has always been
>> meaningless? If so for how long has this been so?
> Hm? No, they both meant "attested to as likely to be ok". In the old
> days, directory authorities attested to servers as ok when their admins
> told them to, and the admins told them to as they got mail claiming to
> be from server admins. We thought that this was a bad idea and
> created a false sense of security. Now, directory authorities attest
> to servers as ok when the servers seem to be running, and the admins
> have not told them to consider the servers suspicious.
> The version 2 directory specification, which came into use during the Tor
> 0.1.1.x series, says:
> "Valid" -- a router is 'Valid' if it seems to have been running
> well for a while, and is running a version of Tor not known to be
> broken, and the directory authority has not blacklisted it as
>> >Because "Verified" was a stupid name. It implied that we had a good
>> >way to go out and tell whether a node's operator was honest, upright,
>> >and competent, and whether the node was physically secure and
>> It implied you at least knew who they said they were (not that you
>> knew they were what they said).
> Though that's what it meant in practice, that's not the interpretation
> of "verified" that I'd have made. Moreover, it's not IMO a useful
> property to have. Knowing who the adversary claims to be is only
> effective against an adversary who can't or won't lie about who they
>> >If you know a way to do this, please let us know. We're all ears.
>> >Please keep in mind that we haven't got much cash to do this with, and
>> >what cash we do have, we'd rather spend on rent and food and
>> >developing Tor.
>> You poor penniless, overworked person. Why don't you ask all the
>> VERIFIED TOR operators to VERIFY the new TOR operators, within say
>> 50-100miles (100-200km) of them (or closest one).
>> I'll do 100mile radius (UK) of Portsmouth UK - but only if you "verify" me.
> It's not a bad idea. Time permitting, a web-of-trust kind of system
> might be neat to do. Of course, we'd need to think about what effect
> this will have on route-based partitioning, and on possibly
> discouraging operators from running servers if they need to meet other
> operators face-to-face to do so. And how hard is it really to foil a
> face-to-face meeting? These are neat questions.
> (Please forgive us if someday we eventually start doing this, and pick
> trust seeds in the UK from among people we already know and trust.
> I'm sure you would do the same.)
>> >> If some "unverifiednode" exit server adversary has set themselves up
>> >> in business of monitoring TOR users then isn't it because
>> >> "AllowUnverifiedNodes" was removed (effectively).
>> >Right, you're confirming that we were right to change "Verified" to
>> >"Valid". Apparently, you *did* think that "verified" was a magical
>> >stamp of good intentions.
>> Well darling that is what it said... no?
> Sorry, I don't think it ever said it was a magical stamp of good
> intentions. If we said that, that was a stupid thing for us to say,
> and I'm glad we changed it.
>> >> Personally, I think it's irrelevant today, that at one time persons
>> >> had to be known personally to run a verified server. Quaint but
>> >> irrelevant. But hey, I don't mind having someone round to my place
>> >> from the UK to verify me. Why not have 3 levels of security - level
>> >> 2 - Registered - just what we have now. Level 1 - Verified - visit
>> >> their setup. Level 3 - unregistered & unverified. And give us a
>> >> config statement to use these levels or not.
>> >Dude, we're not going to impose a worldwide server auditing system.
>> >We're not going to visit server operators' houses. Even if it did,
>> >what would it prove? Any organization could set up servers in a bunch
>> >of its members' houses. Are we supposed to do background checks?
>> Chikita, you really must put your thinking cap on and stop ignoring
>> the obvious. I said..
> ITYM "chiquita", but I am not a little girl.
>> Level 2 - registered - eg those that register their server name,
>> provide their real name and address. Do a web credit check - simple
>> and cheap. Get them to donate a COUPLE OF DOLLARS FOR THAT. Just
>> send them a registration code in the post to their credit card
>> address - the one they donated with and the address they gave for
>> it. Of course they can still forge this - but would they? With lots
>> of servers?
>> Level 1 - verified - eg a visit from a VERIFIED operator after
>> provision (copies) of household bills, local tax statement, or
>> identification of company or org if an org, isp verification. Once
>> again, of course they can still forge this darling - but would they?
>> With lots of servers?
>> You could even sub-level the Levels with a safety value.
> Wow. In my opinion, this would be tons of effort, would not pay for
> itself, would turn operators away, would create a risk of information
> leakage leading to identity theft, and would still be easy for
> governments and nefarious organizations to subvert. (Your security
> model above seems based on the idea that the attacker can do things,
> but wouldn't think it was worth the resources. I worry that the
> resource cost on server operators would also discourage them from
> running good nodes.)
> I realize that I could be wrong here; I'm just pointing out that this
> is not a trivial idea, and it's not an obviously unalloyed win.
>> >> On a related issue, I have attempted to the "ExcludeNodes" config
>> >> and it doesn't seem to work. I am sure that of the dozens of nodes
>> >> I've tried to exclude (and failed to exclude - test only) ALL of
>> >> them cannot be my "guard" nodes. Ok this might only be winOS,
>> >> perhaps everyone should check it out for themselves. Just to be
>> >> sure. I've noticed others have seen similar. Re-check.
>> >ExcludeNodes *is* supposed to work. If it doesn't, submit a bug
>> >report. Warning! You will need to describe *exactly* what you did,
>> >and *exactly* what Tor did in response. Logs will help. This is too
>> >hard for many people.
>> Well hey thank you for the advice. Without Vidalia working on Win2k
>> I'm stuffed, but then you knew that didn't you.
> No, I'm afraid I didn't know that; I genuinely would like this feature
> to work. If vidalia isn't working for you, you could possibly try
> editing your torrc? No pressure; I don't mean for this to be any kind
> of accusation or anything. Just... if you want us to fix something
> that seems to work for us, we need information on how it's broken.
>> >frustratedly yrs,
>> I believe you. It's always frustrating when people start asking
>> questions about subjects you would really like swept under the
>> carpet and forgotten.
>> Just remember to answer them with politeness and integrity. And you
>> won't go far wrong. If not you might be mistaken for a dictatorial
>> pleb with an axe to grind.
> My apologies for my unprovoked rudeness. I like to think of free
> software as a darwinian meritocracy rather than a dictatorship, and
> would certainly hope that if Roger and I do a bad job as developers,
> the community will realize this, try to talk us into doing something
> sensible, fork Tor if we don't, and stop us from harming the world any
> But seriously, we're trying to do our best here.
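
The two senses of "valid" that this thread keeps colliding on, as an added example that is not part of the original messages and is not code from Tor or from the exit.pl script: one check reads the directory's Valid flag, the other asks whether an observed exit address is the listed address of a known relay. The status entries, nicknames, digests and addresses (RFC 5737 documentation ranges) are constructed, and the function names are hypothetical.

```python
"""Two unrelated meanings of "valid": the directory flag vs. an IP-list lookup."""

# Constructed sample shaped like v2 network-status entries: an "r" line
# (nickname, identity, digest, date, time, IP, ORPort, DirPort) then an "s" flags line.
SAMPLE_STATUS = """\
r relayone AAAA BBBB 2006-08-16 12:00:00 192.0.2.10 9001 9030
s Exit Fast Running Valid
r relaytwo CCCC DDDD 2006-08-16 12:05:00 198.51.100.7 443 0
s Exit Running Valid
r relaythree EEEE FFFF 2006-08-16 12:10:00 203.0.113.5 9001 0
s Exit Running
"""

# Constructed observations: the address each relay's exit traffic appears to come from.
# relaytwo listens on 198.51.100.7 but exits from a second address.
OBSERVED_EXIT_IP = {
    "relayone": "192.0.2.10",
    "relaytwo": "198.51.100.8",
    "relaythree": "203.0.113.5",
}

def parse_status(text):
    """Return {nickname: {"ip": listed address, "flags": set of flags}}."""
    relays, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r":
            # A malformed "r" line resets state so its "s" line is not misattributed.
            current = fields[1] if len(fields) >= 9 else None
            if current:
                relays[current] = {"ip": fields[6], "flags": set()}
        elif fields[0] == "s" and current is not None:
            relays[current]["flags"].update(fields[1:])
    return relays

def compare(relays, observed):
    """Per relay: (has the directory's Valid flag, exit IP is a listed relay IP)."""
    listed_ips = {r["ip"] for r in relays.values()}
    return {
        name: ("Valid" in relay["flags"], observed[name] in listed_ips)
        for name, relay in relays.items()
    }

if __name__ == "__main__":
    for name, (flag, known) in compare(parse_status(SAMPLE_STATUS), OBSERVED_EXIT_IP).items():
        print(f"{name}: directory Valid={flag}, exit IP on known-relay list={known}")
```

The relaytwo row is the case described in the thread: flagged Valid by the directory, yet absent from an IP list because it exits on an address other than the one it listens on.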