
Re: [tor-talk] Is "gatereloaded" a Bad Exit?

On 02/22/2011 01:52 AM, Scott Bennett wrote:
>      On Mon, 14 Feb 2011 14:17:45 -0500 "Aplin, Justin M" <jmaplin@xxxxxxx>
> wrote:
>> Although I've been keeping out of this argument for the most part, and 
>> even though I'm leaning towards seeing things Mike's way, I just wanted 
>> to comment that I've actually been in an environment like this several 
>> times, once at my previous university, and once working for a local 
>> government organization. As asinine as such reasoning is on the part of 
>> the network administrator (or the person who signs their checks), I can 
>> see why the *ability* to run strange exit policies could be a good 
>> thing, and should be preserved in the software.
>      Not only that, but Mike's threat to force unencrypted ports to be
> paired with encrypted ports in exit policies would defeat those of us who
> might well be willing to allow encrypted exits but not unencrypted exits,
> say, for hassle-prevention reasons.  Until I ran afoul of Comcast's bait-
> and-switch marketing, I used to allow exiting on 443, but restricted exiting
> on 80 to a limited list of destinations that I felt reasonably sure would
> not cause me grief.  Mike's policy would reduce the supply of exit nodes
> offering 443 and possibly other encrypted ports.

I have been virtually unplugged when this discussion was fresh, but
after reading back over a few comments, I think you touch upon my
problem with this.... a local network admin knows his network better
than anyone else... and he may have a damned good reason for blocking or
allowing any given port.

It is even possible that someone might run tor in lieu of encrypted
services, I know I went and made sure that the whole trick of getting
end-to-end encryption by having a node ON the target hosts worked for me.

Honestly, even if we assume the worst, that the point of such an exit
policy can only be to corral unencrypted traffic to mine.... I have to
wonder, how is that so much worse than the situation anywhere else? Any
exit node could be sniffing, disallowing "bad actors" from this minor
optimization will not stop them (they will just change to put up with
the extra few % increase in traffic). Not just that, any node could be
sniffed without the operator even knowing (via being owned or via an
external device at the ISP or in between destinations).

All in all, this seems like a rather flimsy protection.

>> However, I see no reason why providing an anonymous contact email would 
>> be so hard. Certainly if you're going out of your way to avoid [insert 
>> conspiracy of choice] in order to run a node, you have the skills to use 
>> one of the hundreds of free email services out there? I don't think 
>      I see.  Why not separate the contact issue from the exit policy issue
> by simply flagging every exit node lacking contact information as a BadExit?
> Of course, that will require some poor sucker to attempt to review every
> exit's contact information to verify its validity because, at present, one
> can put just about any garbage into the ContactInfo line.  At least that
> would leave operators free to choose whatever exit policy worked for them.

This I feel differently about. I agree, it's a different issue. Running a
tor node that is published in the public directory means that traffic
can get sent to you. There are many reasons why other tor users may want
to contact you. If, for example, you were advertising *:80 and your ISP
started blocking *:80 from you (or any other reason that it would stop
working) then, you are causing problems for everyone else trying to use
it... being able to be contacted (if not necessarily personally
identified) seems like a reasonable minimum.

That said, the policy should not be "nodes will be marked" but "nodes
can be marked". Reserve the right to do it, rather than promising that
someone will do it. It should be about keeping the network in good
working order, not enforcing policy for its own sake.

>> asking for a tiny bit of responsibility on the part of exit operators is 
>> too much to ask, and I'm amazed that "allow them to continue to function 
>> as middle nodes until they explain why their node appears broken or 
>> malicious" is continually being turned into some kind of human-rights 
>> violation.
>      That's news to me.  What I saw was a unilateral decision, accompanied
> by a threat of further such decisions, made by a single tor developer in
> contradiction to the tor documentation and a policy/feature selling point
> for running tor exit nodes that is made both in the documentation and on the
> project's web site.  There has already been, you may have noted, a contrary
> opinion posted here by another tor developer.  That means the development
> team did not have a consensus view at the time of that response.  It will be
> interesting to see whether those are the only two factions among the team and,
> in any case, which faction will ultimately prevail.

I am thinking, what if badexits became more like a DNS RBL.... there
could be multiple sources of truth that people could choose to subscribe
to. Maybe, for some reason, I feel the need to avoid exits in some area
(like China), it would allow me to subscribe to the list that tries to
keep Chinese exits banned.

Maybe someone could make a little side cash (bitcoins?) doing node
contact verification and publishing a badexits list based on failed
contact info. Shit...maybe implement a "good exits" for them. Just some
thoughts. No reason that this needs to be overly centralized.

tor-talk mailing list