Re: [tor-relays] Reminder: don't run transparent proxies at exits

To: "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Subject: Re: [tor-relays] Reminder: don't run transparent proxies at exits

Date: Mon, 12 Jan 2015 18:01:20 +1100

Delivery-date: Mon, 12 Jan 2015 02:01:32 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:references:from:content-type:in-reply-to:message-id:date:to :content-transfer-encoding:mime-version; bh=gaV1JfWRSr0eluK+NclnsMpAL2DFcLgXJUst9OyvJj8=; b=Fq5BvcWHvBG1GQXW/XmOD3EatQ8BR8qxXffVoT2/jcYzXURLVZzuizpx2Si7PLtyJP CHIkFhSWT2qlm7xY5x7WL34HPJz83mqhICXto8W100uuAP3eCYZOQlL/2924beb3VxaI PSa5q800JHKkmZFDs04I7tcOEx/wbGBIKAupvq2aV6/UkOm5Ko3RF7AfdOokiD8G6Ofv JgauDflxIvv6kaGdx7S2GaAOlg2BEt9CDuKbNstn9I1EGPw/68P6G6AX/pUhyVEX2utt fXwrBrVoeWfv1hMp4xwYlO/3caMadQm0Qwlc0dT33L9JUMDcycEj3Xhq4kuF0Ld+X9OB ffRw==

In-reply-to: <mailman.101.1421042702.2713.tor-relays@xxxxxxxxxxxxxxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <mailman.101.1421042702.2713.tor-relays@xxxxxxxxxxxxxxxxxxxx>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Date: Mon, 12 Jan 2015 01:04:58 -0500

From: grarpamp <grarpamp@xxxxxxxxx>
To: tor-relays@xxxxxxxxxxxxxxxxxxxx

On Fri, Jan 9, 2015 at 10:26 PM, Drake Wilson <drake@xxxxxxxxxxxxxx> wrote:
eric gisse wrote:
Plus the logic starts to get warped when you wonder "So do you BadExit
every node that runs on an ISP that caches traffic?"

<snip>

As far as http caching, it would be relatively fine IF the cache
truly did good practice, and IF the site truly did good design
for the cache to follow. However those two necessary truths
are often false, whether by AND or XOR context. So to be
true, a cache shouldn't be deployed, but in the interest of
bandwidth they are, more commonly at small end-tier user
access ISPs (including exits) for that purpose.

I'd suggest best practice is for
- users to use https to bypass
- caches to insert their tagline in http headers so
users can bitch to the owner.
- Tor exits? Well, they're volunteer paid diversity, so which is
more valuable to you? The IF's above, or TCP truth at
potential cost to diversity?

I prefer TCP truth, but if I was a constrained operator
I'd do my best research into setting up a quality cache.
Provided caching images of ill repute on disk were not
an overriding concern.

<snip>

I can imagine two strategies to avoid caching images on-disk:

1. Use an in-memory cache

2. Don't cache images

While these strategies might not technically/legally offer much more protection (IANAL):

1. If the cache disappears as soon as the machine shuts down, it's much harder to prove the possession of anything illegal. (However, the proxy headers, live imaging, or an insecure/subverted server might give away what was being cached.)

2. And if images aren't being cached, while textual material could still be illegal, it's less likely to be specifically targeted by law enforcement.

In my opinion, if you use HTTP over the internet, you are essentially consenting to caching, inspection, or worse. And most people know that by now.

And if you use HTTP over Tor, you should be much more aware of this.

teor

teor2345 at gmail dot com
pgp 0xABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR C3C57B23 349825DE 929A1DEF C3531C25 A32287ED

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays