
Re: [tor-dev] Proposal: Stop giving Exit flags when only unencrypted traffic can exit



Hi Tim,

Thanks for your comments! Appreciated as always :-)



On 05/01/16 at 02:15, Tim Wilson-Brown - teor wrote:
> 
>> On 5 Jan 2016, at 11:29, Tom van der Woerdt <info@xxxxxxx> wrote:
>> ...
>> 2.1. Exit flagging
>>
>>  By replacing the port 6667 (IRC) entry with a port 5222 (XMPP) entry, Exit
>>  flags can no longer be assigned to relays that exit only to unencrypted
>>  ports.
> 
> One consequence of this proposal is that relays that only exit to 443
> and 6667 will lose the Exit flag.
> But these relays do exit to an encrypted port, so this somewhat
> contradicts the goal of the proposal:
> "Exit flags can no longer be assigned to relays that exit only to
> unencrypted ports."

(Sorry for the huge Perl oneliner -- it's a consensus parser...)

$ curl -q http://128.31.0.34:9131/tor/status-vote/current/consensus 2>/dev/null |
    perl -nle '@l= split /\s/, $_;
      if ($l[0] eq "r") {
        if ($r) { if (grep { "Exit" eq $_ } @{$r->{s}//[]}) {
          my @ports= split ",", $r->{p}[2];
          @ports= map { $_ =~ /(\d+)\-(\d+)/ ? eval("$1..$2") : $_ } @ports;
          my %p= map { $_ => 1 } @ports;
          if ($p{443} && !$p{80} && $p{6667} && !$p{5222}) {
            print "$r->{r}[1] $r->{w}[1]"; }
        } }
        push @r, $r={} }
      $r->{$l[0]}= [@l];'

(tlcr: any relay that currently holds an Exit flag and allows exiting to
443 and 6667, but not 80 or 5222.)

tiggersWeltTor1 Bandwidth=2600
smallegyptrela01 Bandwidth=22

These two relays will be impacted, indeed.

> 
> Why not make the rule: "at least one of 80/6667, and at least one of
> 443/5222".

Also sounds good to me. I opted for the smallest possible change
(6667->5222) but what you're suggesting lgtm.

> 
> I am also concerned about the choice of XMPP "because the XMPP protocol
> is slowly gaining popularity within the
>  communities on the internet".
> Shouldn't we focus on secure protocols that are widely used right now?
> 
> Alternately, we could add other widely used SSL ports in addition to
> XMPP, and perhaps increase the rule to "at least two SSL ports".

Imho the challenge is in finding port number(s) that accurately reflect
what Tor is for, while also having a sufficiently large user base for it
to be relevant. XMPP probably has more users than IRC, and is a good
match for what I think Tor would consider important (communication).
Also note that we now have Tor Messenger. Other protocols (SSH, IMAP,
POP3, SMTP) are indeed more popular but I feel that those less reflect
the goals of the project, and they are certainly abused more.

> 
> Tim
> 
> Tim Wilson-Brown (teor)
> 
> teor2345 at gmail dot com
> PGP 968F094B
> 
> teor at blah dot im
> OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
> 
> 
> 
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
> 
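
The three port rules discussed in this thread, evaluated side by side over consensus "p" port summaries, including the "reject" form; this is an added example, not code from the thread or from Tor. It assumes the rule in force at the time was "exits to at least two of 80, 443, 6667", uses constructed consensus entries with hypothetical relay names, and ignores the Exit flag's separate address-space condition.

```python
# Added example: constructed consensus entries; relay names are hypothetical.
SAMPLE = """\
r relayA AAAA BBBB 2016-01-05 00:00:00 192.0.2.1 9001 0
s Exit Fast Running Valid
p accept 443,6667
r relayB CCCC DDDD 2016-01-05 00:00:00 192.0.2.2 9001 0
s Exit Fast Running Valid
p accept 80,6667
r relayC EEEE FFFF 2016-01-05 00:00:00 192.0.2.3 9001 0
s Exit Fast Running Valid
p reject 25,119,135-139,445
"""

def parse_relays(text):
    """Return one dict per 'r' entry; without a 'p' line no port is allowed."""
    relays, cur = [], None
    for line in text.splitlines():
        kw, _, rest = line.partition(" ")
        if kw == "r":
            cur = {"nick": rest.split()[0], "policy": ("accept", [])}
            relays.append(cur)
        elif cur and kw == "p":
            mode, ports = rest.split()
            # "135-139" -> (135, 139); a single port "443" -> (443, 443)
            cur["policy"] = (mode, [tuple(map(int, (p.split("-") * 2)[:2]))
                                    for p in ports.split(",")])
    return relays

def allows(relay, port):
    """Apply the 'p' summary: accept lists allowed ports, reject lists blocked ones."""
    mode, ranges = relay["policy"]
    listed = any(lo <= port <= hi for lo, hi in ranges)
    return listed if mode == "accept" else not listed

RULES = {  # each rule takes a predicate a(port) -> bool for one relay
    "current":  lambda a: a(80) + a(443) + a(6667) >= 2,   # assumed rule at the time
    "proposal": lambda a: a(80) + a(443) + a(5222) >= 2,   # 6667 -> 5222
    "either":   lambda a: (a(80) or a(6667)) and (a(443) or a(5222)),
}

def evaluate(text):
    """Map nickname -> {rule name: whether the relay's ports satisfy the rule}."""
    return {r["nick"]: {name: bool(rule(lambda port: allows(r, port)))
                        for name, rule in RULES.items()}
            for r in parse_relays(text)}

if __name__ == "__main__":
    for nick, verdict in evaluate(SAMPLE).items():
        print(nick, verdict)
```

relayA (443 and 6667 only) is the case raised in the thread: it fails the 6667->5222 swap but passes the "one of 80/6667 and one of 443/5222" rule, while relayB (80 and 6667 only) fails both.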