[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Are "StrictNodes 1" actually strict?



On Wed, Jan 29, 2020 at 02:45:01PM -0000, mimble9@xxxxxxxxxxxxx wrote:
> I have StrictNodes 1 and ExitNodes hands in my torrc.
> 
> However, when using TBB, I discovered that I was often using other exit
> nodes. Clicking "New Circuit for this site" then placed hands back as the
> exit node.
> 
> Any ideas why? Just the one exit node in the torrc.
> 
> This suggests to me that StrictNodes are not 100% strict.

Check out the man page, where it says "StrictNodes does not apply to
ExcludeExitNodes, ExitNodes, MiddleNodes, or MapAddress."

So you shouldn't be setting StrictNodes for this case. Maybe you are
using a super old guide found somewhere on the internet? :) More info
from when we made the change back in 2011:
https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.2.5#n17216

That said, ExitNodes should work. My guess is that you're visiting a
Cloudflare site, which is giving your Tor Browser an alt-svc header,
which sends the browser to load the site via one of Cloudflare's onion
addresses. And since onion services don't have the concept of "exiting",
then your Tor feels no need to end that circuit with your specified
ExitNode.

*That* said, there are some bugs with how Tor Browser visualizes your
circuit when alt-svc is in use:
https://bugs.torproject.org/27590
and it looks like the browser might be inconsistent about whether it
actually uses the alt-svc destinations, which could explain your getting
your exit relay every so often:
https://bugs.torproject.org/27502

Best plan would be to pick a really simple non-CDN'ed single-address
domain, like freehaven.net, and try to recreate your issue there.

--Roger

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk