
Re: eliminating bogus port 43 exits



Roger Dingledine wrote:
On Fri, Jun 12, 2009 at 03:51:25PM -0700, Kyle Williams wrote:
I think "snooping" and "statistical information" should be treated
differently.  Take Scott's case here.  He is making a claim that by using
the exit policy outlined above, it would reduce the amount of traffic on tor
by 70% or whatever.  What I would like to see proof of is that the IP
addresses that are now being blocked are NOT running a WHOIS service.  How
do we know for sure that they are not in fact a valid WHOIS service?

I would also be curious to learn the mean/median number of bytes that
a given connection to port 43 takes. If it's a tiny amount, then it
probably isn't responsible for 70% of Tor's traffic. If it's huge,
then perhaps that means people are file-sharing over port 43.


IMHO it's unlikely that file sharers are ALL using port 43... you are more likely to see a wide spread of ports with high usage. I've found that sharers are not savvy enough to all pick port 43 because it's more likely to be open. When I file share over TOR (once or twice a year max., to get seeding started, anonymously) I pick no particular port. Without a large anonymous Pron provider operating over TOR, it's more likely that a very large organization (military - intel) has its own software communicating over TOR (hidden in ordinary port 43 "cover" traffic) on port 43. Obviously, this would be a globally distributed operation. Say... the US Mil&Intel. Of course, if its existence were discovered they would need to put up some sort of smokescreen, pointing the finger in the wrong direction, so to speak.

Of course... it could all be regular WHOIS traffic, as cover traffic, or just genuine. Maybe someone (MIL/GOV) has their own local WHOIS copy which is updated via TOR (??).

A little bloodhounding of the port 43 IP addresses/domains would go a long way toward seeing whether they were at least all or mainly genuine WHOIS requests.

snip..

--Roger
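As an added example that is not part of this thread: the per-connection byte statistic Roger asks for, computed over a constructed set of exit connection records (assumed to be `(destination port, bytes transferred)` pairs from an exit relay's own accounting, not real Tor measurements). It shows why mean and median both matter, since one large non-WHOIS-sized flow on port 43 dominates the mean while the median stays WHOIS-sized, and it flags port 43 connections too large to be plausible WHOIS exchanges; the size threshold is an assumption.

```python
import statistics

# Constructed sample of per-connection exit records: (dest_port, bytes_transferred).
# Values are made up for illustration and are not Tor measurements.
SAMPLE_CONNECTIONS = [
    (43, 512), (43, 800), (43, 640), (43, 35_000_000),
    (80, 120_000), (443, 250_000), (6881, 40_000_000), (80, 45_000),
]

# A WHOIS exchange (RFC 3912) is one short query line and one text reply.
# Assumed ceiling: anything far above this is unlikely to be a genuine lookup.
WHOIS_MAX_PLAUSIBLE_BYTES = 64 * 1024


def port_stats(connections, port=43):
    """Mean/median bytes per connection on `port`, plus that port's share of all bytes."""
    sizes = [b for p, b in connections if p == port]
    total = sum(b for _, b in connections)
    if not sizes:
        return {"count": 0, "mean": 0.0, "median": 0.0, "share": 0.0}
    return {
        "count": len(sizes),
        "mean": statistics.mean(sizes),      # pulled up by any single huge flow
        "median": statistics.median(sizes),  # stays small if most flows are WHOIS-sized
        "share": sum(sizes) / total if total else 0.0,
    }


def suspicious_port43_flows(connections, threshold=WHOIS_MAX_PLAUSIBLE_BYTES):
    """Indexes of port 43 connections too large to be plausible WHOIS exchanges."""
    return [i for i, (p, b) in enumerate(connections) if p == 43 and b > threshold]


if __name__ == "__main__":
    stats = port_stats(SAMPLE_CONNECTIONS)
    print(f"port 43: {stats['count']} conns, mean {stats['mean']:.0f} B, "
          f"median {stats['median']:.0f} B, {stats['share']:.1%} of all bytes")
    print("oversized port 43 flows at indexes:", suspicious_port43_flows(SAMPLE_CONNECTIONS))
```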