
Re: Traffic routed through Sweden

M wrote:
> First of all, some information about the situation:
> http://frapedia.se/wiki/Information_in_English
> I'm running two nodes in Finland, very restricted exit policies
> (Google's IPs, scroogle, https, pops and imaps allowed).
> Circa 90% of traffic originating from Finland and going outside of
> Finland is routed through Sweden (that bites a lot).
> As Swedish FRA is listening, logging, building "sociograms" and trying
> to decrypt all traffic going through their borders should I be worried
> about my exit nodes? Should I do something about exit-policies?
> Encryption does protect the data but it does not protect from tracking
> who is in connection with who. As I run exit nodes that route traffic
> about 2Mb/s/2Mb/s - 10Mb/s/10Mb/s and 4Mb/s/4Mb/s I'm getting my fair
> share of Tor's traffic. So.. FRA is building a nice file of my ip and
> thinks that everything coming from tor is really traffic originated by me.
> M
> ps: as always, sorry for my bad "fenno-english".

It really depends on whose privacy you're worried about. Allowing exits
only on ports that typically are used with end-to-end encrypted
protocols* should help limit the amount of information the FRA can
gather; while they can tell what's being accessed, they can't get the
much deeper "psychological" info that could be gathered from content.

I don't think that, even with unencrypted traffic, it would be a
major threat to the anonymity of the clients entering the network
somewhere else** - the main worry, as I see it, would be if they thought
it was from you.

As mentioned before, the best you can do as an exit node (for your own
protection) is to allow ports that tend to be used with encryption.

*: Others have pointed out that many ports which are commonly associated
with encrypted protocols may - in practice - actually be used without
encryption. This can be due to protocols which support either plain or
cipher mode (e.g., Gmail's SMTP on TCP 587), or to deliberate hackery
(e.g., someone could run a standard HTTP server on TCP 443, in order to
get around an ISP block of TCP 80 [although if they're at that level,
I'd figure they'd just use HTTPS for the extra privacy =;o) ]).

(In a manner of speaking, I'm repurposing a port in this manner
- although Tor uses SSL, I'm using TCP 443 for onion routing, rather
than its "normal" purpose as an HTTPS server.)

**: FWIW and IMHO, I believe that much of the privacy and security of
clients not only has to be, but *should be* left to them. Stopping
Darwin and bottle-feeding those with inferior skills and/or capacity
only drags down the human race. Those who can, will learn; those who
cannot, will suffer the consequences.

--
F. Fox
AAS, CompTIA A+/Network+/Security+
Owner of Tor node "kitsune"
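
Added example, not part of the original message: a small audit of a torrc ExitPolicy that reports which well-known ports it lets out and whether each conventionally uses TLS from the first byte, only optionally (the TCP 587 case in the footnote), or not at all. The port tables, function names and sample policy are constructed for illustration, and the policy is assumed to end in "reject *:*".

```python
import re

# Conventional port usage (a table built for this example; a port number
# never guarantees the protocol actually spoken on it).
IMPLICIT_TLS = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}
OPTIONAL_TLS = {25: "smtp", 110: "pop3", 143: "imap", 587: "submission"}
PLAINTEXT = {21: "ftp", 23: "telnet", 80: "http"}
RULE = re.compile(r"^(accept|reject)\s+(\S+):(\*|\d+)(?:-(\d+))?$")

def parse_policy(text):
    """Turn torrc ExitPolicy lines into ordered (action, addr, lo, hi) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line.lower().startswith("exitpolicy"):
            continue
        for item in line[len("exitpolicy"):].split(","):
            m = RULE.match(item.strip())
            if not m:
                raise ValueError(f"unparsed rule: {item.strip()!r}")
            action, addr, lo, hi = m.groups()
            lo, hi = (1, 65535) if lo == "*" else (int(lo), int(hi or lo))
            rules.append((action, addr, lo, hi))
    return rules

def port_allowed(rules, port):
    """First match wins; only a wildcard-address reject closes a port outright."""
    for action, addr, lo, hi in rules:
        if lo <= port <= hi:
            if action == "accept":
                return True           # reachable for at least some destination
            if addr == "*":
                return False
    return False                      # assumes the policy ends in 'reject *:*'

def audit(text):
    """Group the well-known ports the policy lets out by how they are encrypted."""
    rules = parse_policy(text)
    tables = {"implicit-tls": IMPLICIT_TLS, "optional-tls": OPTIONAL_TLS,
              "plaintext": PLAINTEXT}
    return {k: sorted(p for p in t if port_allowed(rules, p))
            for k, t in tables.items()}

# Constructed sample policy (192.0.2.0/24 is a documentation range).
SAMPLE = """\
ExitPolicy accept 192.0.2.0/24:80   # one web destination only
ExitPolicy accept *:443, accept *:993, accept *:995, accept *:587
ExitPolicy reject *:*
"""
print(audit(SAMPLE))
```

Ports reported under "optional-tls" or "plaintext" are the ones where an on-path observer may see content as well as endpoints.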