[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Safe destinations

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Safe destinations
From: Gregory Maxwell <gmaxwell@xxxxxxxxx>
Date: Sat, 4 Jul 2009 15:35:38 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Sat, 04 Jul 2009 15:43:38 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=3H2tYLCoFQ3GrLkhgUa9eQlhTiY6CwwEJAy8IOq0mq8=; b=xC+udPrSq1A3qabA48sIr1ktOsgEr44iJK6Tafu3NxB35fmsoLA80XaYu7kyEZcSoB l8JAzPlYtuMYUhBEq1dhFBOg7vfZhF2AzXqQMPf73bhkzoYSfRTup1+5fqDB9T1k0vQZ f3VDpoU9sLYfjKrlPELWgdsd4mGpYObP3dYlo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=rBAYF9yg4Za8QQFLWzZum99VFmhi5uMrwnQUA3A5edU6XyGQghLA3jRTmm1C4rKDv6 ZInmKltx2i2YS3KsagIW0qYUP7lDQ/QzDJoo2rMRUqSnyV6Aaof9jP1WaAhIL76OPTMb pLnz1mBv7DxEE+dIaNTSvrLBCxGE33bH4z/NI=
In-reply-to: <4A4FA78A.2020402@xxxxxxxxxx>
References: <e692861c0907022012y296551e9h1a7691141f335dae@xxxxxxxxxxxxxx> <20090703123415.GA28866@xxxxxxxxxxxxxxxxxxx> <4A4FA78A.2020402@xxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On Sat, Jul 4, 2009 at 3:03 PM, Peter Hultqvist<phq@xxxxxxxxxx> wrote:
> The forward DNS is problematic since they can be spoofed by pointing any
> domain to a server that does not belong to one. Second, I believe that
> ptr lookup is very limited but I'm not that knowledgeable in that area.
>
> One way could be to given an IP do an reverse lookup, take that domain,
> add _toraccept and do a forward dns lookup at suggested above.

So, I don't know that opt it will either map well enough to the set of
sites that won't be problematic for tor exit operators nor do I think
such adoption would be widespread enough to provide a real increase in
effective exit bandwidth.  If the safe list doesn't include some of
the highest bandwidth sites then its introduction (in whatever form)
would probably decrease the available "can reach anything" exit
capacity.

I think some of the most many safe destinations are sites which are
old, inactive, and generally not likely to add some tor permission,
though having a way for sites to opt-in would also be useful.

Though if a site operator wants to facilitate tor they can run an exit
enclave i.e. run a node which only exits to themselves and tor will
use it preferentially. I don't think the importance of this technique
for increasing TOR's performance for your users can be overstated:
It's the only technique which prevents exit shenanigans for unsecured
protocols. (And separately, this is a functionality which should be
improved so that people do not feel forced to use hidden services to
get this functionality)

An interesting thing I've seen mentioned a few times in the thread is
webmail services. Are these really safe exit locations, or is law
enforcement going to come seize your node after the first dimwit sends
a bomb threat via your node and yahoo mail?  My thinking was primarily
around service which were read only or nearly so or at least where any
writing is among friends.

References:
- Safe destinations
  - From: Gregory Maxwell
- Re: Safe destinations
  - From: Drake Wilson
- Re: Safe destinations
  - From: Peter Hultqvist

Prev by Author: Safe destinations
Next by Author: Re: Yahoo Mail and Tor
Previous by thread: Re: Safe destinations
Next by thread: Re: Safe destinations
Index(es):
- Author
- Thread