[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Ideal Tor Server & ExitNode?



lkjklj lkjlkj writes:

> 1. That more traffic on a givin node (to a point) increases the
> anonymity of the Tor node? 

I'm not sure what you mean. The Tor server is not in any sense 
anonymous.

It is true that the more traffic and the more types of traffic there are
on the network, the better protected all Tor users are. Whether that has
any meaning vis-a-vis a single particular node, I don't know.

> 2. The closer a node is to it's bandwith limit the more traffic
> analysis data via. meta-data is avaible to an advasary? 

I don't think directly, but CPU utilization on a Tor server is largely a
function of the amount of bandwidth the server passes. There are
indications that traffic analysis may be easier (the timing of packets
is more predictable) when a server's CPU is heavily loaded.

So get more CPU power than you think you need. :)

> If I understand the issues of Tor correctly, having dedicated nodes
> with high bandwith will increase the anonymity/security of the
> network.

At the very least, open exit policies on high-capacity machines make the 
network more usable, and usability enables us to have more users, which 
results in more and more varied traffic, which increases anonymity.

> 1. How much bandwith? 

I don't think we're at the point yet where we want to set limits. There 
is the potential that a high-capacity node might get more traffic, and 
thus if that node is compromised (from the point of view of a particular 
user), then it's a greater risk than it would otherwise be. But we're 
still in experimental mode, and capacity and debugging opportunities are 
welcomed.

> 2. What kind of Exit Policy? (I was concidering a soft exit policy)

The default exit policy is good.

> 3. Should the Pageing file be encrypted or disabled (with enough RAM
> of course)?

You should encrypt or disable swap for all sorts of reasons, besides 
just Tor. So, yes.

> 4. If logs are required how long should they be?

Logs are used for tracking bugs and ensuring correct operation. I think 
you can set a relatively short window for your logs, like maybe a week 
or less. Also, log at the default level, increasing verbosity only if 
you are actually investigating a problem. Decreasing log verbosity might 
be a good idea, but since Tor is still experimental, it might help most 
at this time to stick to the default verbosity level.

> 5. What country would be ideal in regards to server anonymity and
> regualtions [logging, etc]?

No idea.

> 6. Required operations for security/anonymity of server? (Encryption
> of various files/logs/etc)

Host integrity is critical, and you can best ensure that by using a safe
OS (let me know if you find one...) with minimal services enabled. 
Ideally, you'd run nothing but Tor, but realistically you'll probably
also want SSH for administration. But be sure to configure SSH in as
paranoid a manner as is possible for you (allow connections from certain
IPs, allow only certain users, disallow remote root logins, don't use
sudo or use a VERY careful sudo configuration, and so on).

Tor itself should not generate or keep any sensitive information in
non-volatile storage. Not having any non-volatile storage at all is
obviously great if you can do it (e.g. boot from a CDROM that launches
Tor, have no hard drive).

It would be great to have a machine with no writable non-volatile
storage, which runs only Tor and not SSH. Rebooting in case of trouble
would be acheived by one of those remotely-controllable power strips
and/or by physical access. There is the question of logging. Maybe a 
loghost, which the Tor server connects to by tunnelling syslog over UDP 
over TCP over TLS...


-- 
http://www.eff.org/about/staff/#chris_palmer

Attachment: pgpXsEUDo3AfX.pgp
Description: PGP signature