Re: TOR DNSBL - blacklist for Tor servers

On Mon, Jan 24, 2005 at 10:06:17PM +0100, Thomas Sjögren wrote:
> Some EFNET irc-server has started using a Tor blacklist.
> From http://www.sectoor.de/tor.php:

We've been working with Rob (aka lilo) to come up with good answers for
Freenode. He seems intent on not blocking ("klining") Tor nodes from
the Freenode network, so we're off to a good start.

The current approach he's working on is to label all users coming from
Tor nodes as "Tor users", and then each irc channel can decide whether
to block this class of users or not. I think that's reasonable.

The "sectoor" blacklist you mention is particularly troublesome, because
a) it doesn't look at exit policies at all, b) it suggests you block
the entire class C network (x.y.z.*) around each Tor server, and c)
it recommends itself for SMTP blocking even though no Tor node allows
outgoing port 25.

A number of people have been pushing us to make an "official" Tor
blacklist that parses exit policies and is smarter about stuff. For
now I have decided that the Tor project should not do this:

The real answer is to improve the services on the Internet so they stop
assuming that IP addresses equate to humans. Just as the FSF doesn't help
people with proprietary software, I think we should not help people with
blacklisting Tor nodes based on IP. It's not the right approach. Our
role should be to provide the transport, be happy that some services
are interested in allowing privacy-minded folks to use the service,
and preach from the rooftops regarding the ones that are scared of it.

So, people are free to cobble together solutions based on blacklists
if they prefer that route to fixing their security assumptions. But the
Tor project isn't going to do it for them.
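
To illustrate points (a) to (c) in the message above, here is an added example (not part of the original post, and not Tor project code) that compares a policy-aware listing with a blanket /24 listing. The relay addresses and exit policies are constructed, the rule syntax is a simplified `accept|reject addr:port` form, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample relays (documentation-range IPs, simplified exit policies).
RELAYS = {
    "192.0.2.10": ["reject *:25", "accept *:6667", "reject *:*"],
    "198.51.100.7": ["reject *:*"],  # relay that never acts as an exit
    "203.0.113.99": ["reject *:25", "reject *:6660-6669", "accept *:*"],
}

def port_matches(spec, port):
    """Match '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def addr_matches(spec, dest):
    """Match '*', a single address, or an address/prefix block."""
    if spec == "*":
        return True
    return ipaddress.ip_address(dest) in ipaddress.ip_network(spec, strict=False)

def exit_allows(policy, dest, port):
    """Evaluate rules in order; the first matching rule decides."""
    for rule in policy:
        action, target = rule.split()
        addr_spec, _, port_spec = target.rpartition(":")
        if addr_matches(addr_spec, dest) and port_matches(port_spec, port):
            return action == "accept"
    # Assumption of this sketch: every policy ends in a catch-all rule.
    raise ValueError("policy has no catch-all rule")

def policy_aware_list(relays, dest, port):
    """Relays whose exit policy can actually reach dest:port."""
    return sorted(ip for ip, pol in relays.items() if exit_allows(pol, dest, port))

def class_c_blocked(relays):
    """Number of addresses blocked when each relay's whole /24 is listed."""
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in relays}
    return sum(net.num_addresses for net in nets)

if __name__ == "__main__":
    server = "203.0.113.5"  # constructed IRC/SMTP server address
    print("can reach IRC 6667:", policy_aware_list(RELAYS, server, 6667))
    print("can reach SMTP 25: ", policy_aware_list(RELAYS, server, 25))
    print("addresses hit by /24 listing:", class_c_blocked(RELAYS))
```

With this sample data, one relay can reach the IRC port and none can reach port 25, while the /24 approach lists 768 addresses.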