[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: reconsidering default exit policy
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: reconsidering default exit policy
- From: Joel Franusic <jfranusic@xxxxxxxxx>
- Date: Wed, 6 Apr 2005 15:39:58 -0700
- Delivered-to: archiver@seul.org
- Delivered-to: or-talk-outgoing@seul.org
- Delivered-to: or-talk@seul.org
- Delivery-date: Wed, 06 Apr 2005 18:40:44 -0400
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=QZnfjMcL+Fw3lllhHPwzFRokbE77eL2esYyk8ysUHA6OETg4WQzcqsATjekWqUxjNFUca2tsjPfIcudTLj2vyFeqKKKfNslbeuI+7EKRcrOC1H0qorIJ2e3Ax2naJZmgdAiCe/RNmQcOR/WGud6KTzhfUZBVXYBdwHQYEuPUisg=
- In-reply-to: <20050406153717.C2564@moria.mit.edu>
- References: <20050310225243.GA16598@eecs.harvard.edu> <42316CC4.3080102@pobox.com> <20050311110825.GA9910@tofu.mamane.lu> <20050311142943.GA21617@eecs.harvard.edu> <4231B456.1010006@pobox.com> <20050311194453.GN28567@eff.org> <20050311202453.GA22908@csail.mit.edu> <p05210605be5a4ac18157@localhost.> <20050406153717.C2564@moria.mit.edu>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
On Apr 6, 2005 12:37 PM, Roger Dingledine <arma@xxxxxxx> wrote:
> On Sun, Mar 13, 2005 at 01:14:06PM -0700, Richard Johnson wrote:
> > Thus, instead of an ideologically pure 'allow everything we possibly can'
> > stance right now (with which I agree in principle), perhaps the default
> > exit policy should be tailored to minimizing shock and surprise when
> > higher-ups find out that someone is running a tor exit node.
> >
> > Being more restrictive at the start may help maintain a more robust tor
> > network. That kind of strategy can give us more time and chances to
> > convince people net-wide that IP-address-as-authenticator is no more useful
> > than CNID-as-authenticator. The end goal of an open tor network can be
> > served, but more robustly.
>
> I used to take the "later, when we're farther along, we'll do foo"
> approach, but I find the best way to get farther along is to act like
> we already are there. There's no time like the present to live in the
> world we want to live in.
>
> I've heard from several Tor operators who are happy to run the default
> exit policy -- whatever it is. When I suggest that they configure their
> server to be more permissive than the default (e.g. accepting port 119),
> they say they'd be happy to, as soon as I make that the default.
>
> So I think if our goal is to have lots of nodes allowing port 80, we can
> choose between having it off by default (and only having the people who
> explicitly choose to enable it), or having it on by default (and having
> everybody who can keep it that way).
>
> On the theory that allowing exits from Tor is not breaking any laws
> (see EFF's Tor legal faq), I'm going to go with the exit policy that
> Geoff proposed for 0.1.0.x. If we always think defensively, we will
> continue to always think defensively.
>
> But, I agree that having a comment in the torrc will be very useful.
> So I've added a comment to the ExitPolicy section of the torrc:
>
> ## A comma-separated list of exit policies. They're considered first
> ## to last, and the first match wins. If you want to *replace*
> ## the default exit policy, end this with either a reject *:* or an
> ## accept *:*. Otherwise, you're *augmenting* (prepending to) the
> ## default exit policy. Leave commented to just use the default, which is
> ## available in the man page or at http://tor.eff.org/documentation.html
> ##
> ## Look at http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Abuse
> ## for issues you might encounter if you use the default exit policy.
> ##
> #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
> #ExitPolicy accept *:119 # accept nntp as well as default exit policy
> #ExitPolicy reject *:* # middleman only -- no exits allowed
>
> Does that sound like a good compromise?
> --Roger
>
>
Best compromise I've seen in this thread yet. I like it.