Re: another reason to keep ExcludeNodes

[Paul Syverson <syverson@xxxxxxxxxxxxxxxx>]

On Tue, Feb 17, 2009 at 02:14:49PM -0500, Praedor Atrebates wrote:
> I'm with Bennett on this.  Taking away ExcludeNodes is essentially taking power and choice from tor users.
> 
> Always always always default towards providing more choice and power
> to users, not less.  In any case, as indicated, reporting bad nodes
> is not exclusive of ExcludeNodes.  ExcludeNodes is effective
> immediately.  Reporting a bad node takes time for a response.  Allow
> us to exclude the nodes we wish to exclude NOW, not after some
> period of time after reporting for something to be done.
> 

I'm not commenting on the specific relative merits of continuing to
support ExcludeNodes, but I do want to strongly reject the principle
of always giving more choice and power to the users.  Whatever its
merits in general, this is a dangerous principle for anonymity
systems. It is easy to allow users to configure their systems in ways
that allow an adversary to uniquely identify them (or at least
dangerously narrow it down). How this can occur is subtle, and it
sometimes surprises the experts. The user (even a fairly savvy user)
has even less chance of grasping what is a safe configuration. For
this reason, we chose Tor design to minimize the number of
configuration choices even when we didn't have specific attacks in
mind. When we thought we had a countervening reason to allow options
we have done it hesitantly and with eyes as open as possible, rather
than doing it as part of a principle we enthusiastically embraced.
This point has been made in numerous published papers over the years,
including the Tor design paper from USENIX Security 2004.

aloha,
Paul