Thus spake tor@xxxxxxxxxxxxxxxxxx (tor@xxxxxxxxxxxxxxxxxx):

> > But don't worry, at some point Mr. Blow et al will realize that their
> > packet captures stopped grabbing passwords and are only seeing
> > encrypted middle and guard node traffic. They'll probably show up
> > then, proclaiming their innocence from the rooftops, demanding they be
> > allowed to "help" the network.
>
> The above may or may not be true. Would be nice to see some evidence. Or
> at least some evidence of somebody trying to find the truth.

The truth here is that these nodes are not behaving in a way that encourages trust in their usage. All we ask is that they adjust their exit policies to allow encryption, but there is no way to ask them this, so they are badexited until such time as there is a way to communicate with them. They will remain valid middle and guard nodes until they rekey with policy supporting encryption (and the Exit flag).

> > But do feel free to spend your time going above and beyond, trying to
> > track our 4 heroes down before then. I'm sure they're well worth your
> > time and effort to outreach. Pick a nice Saturday afternoon and spend
> > it calling ISPs and NOCs trying frantically to get in touch with our
> > unjustly punished martyrs here... Heck, take a day off work!
>
> Do you find that being condescending is a good way to get people to
> agree with you? I tend to find it fosters disrespect.

You're right. I apologize for my tone to you. I am merely frustrated with the amount of mental energy devoted to what so plainly appears to me as a simple policy: If you carry the unencrypted version of the service, you should carry the encrypted version. I am just getting frustrated with the length of this thread and still the lack of any valid, rational reason why this policy itself is an unjust one.

It seems pretty plain to me that we're actually worried about offending the sensibilities of people who for some unknown (but rationally obvious) reason refuse to carry encrypted exit traffic. So the idea that we should devote yet more effort to catering to people whose motivations are extremely suspect (and who seemingly have no real interest in being members of our community) is causing me to balk.

> >> Exit bandwidth is a scarce and valuable resource, and should be treated
> >> as such.
> >
> > It's not true exit bandwidth here. It's janky bandwidth with lots of
> > bad properties, such as the tendency to break mixed-mode websites as
> > Curious Kid pointed out, and the load balancing issues I mentioned. We
> > should do the same for all http-but-not-https exits for this reason.
>
> If exiting port 80 but not port 443 causes problems for Tor, then Tor
> should be updated so you can't offer one without the other. This is a
> problem with Tor, not with Tor exit operators.

Sure. Perhaps we will include such a patch as part of https://trac.torproject.org/projects/tor/ticket/2395. Or, perhaps it will just be a second-order effect that means you're just not used as often because you're not a true Exit (which is already the case for these nodes to some extent). But again, I think this is more of a long-term idea. In the meantime, we can enforce this policy with code on the exit scanning end, by emailing everyone with valid contact info who exits to 80 but not 443, to start (as that is the most obviously broken case).

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
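The check described in the message above (find relays that exit to port 80 but not 443, and separate those with contact info from those without) can be sketched as follows. This is an added example, not part of the original message and not the exit scanner's own code; the relay records, nicknames and contact addresses are constructed, and only wildcard-address policy rules are evaluated.

```python
# Added example: constructed data, not the Tor exit scanner's own code.

def port_allowed(policy, port):
    """Evaluate exit policy rules in order; the first matching rule wins."""
    for rule in policy:
        action, _, target = rule.partition(" ")
        addr, _, ports = target.rpartition(":")
        if addr != "*":
            continue  # assumption: address-specific rules are ignored here
        if ports == "*":
            lo, hi = 1, 65535
        else:
            lo, _, hi = ports.partition("-")
            lo, hi = int(lo), int(hi or lo)
        if lo <= port <= hi:
            return action == "accept"
    return True  # no rule matched: treated as accepted


def classify(relays):
    """Return (contactable, unreachable) nicknames exiting to 80 but not 443."""
    contactable, unreachable = [], []
    for r in relays:
        policy = r["policy"]
        if port_allowed(policy, 80) and not port_allowed(policy, 443):
            bucket = contactable if r.get("contact") else unreachable
            bucket.append(r["nickname"])
    return contactable, unreachable


# Constructed sample relays (hypothetical names and addresses).
SAMPLE = [
    {"nickname": "relayA", "contact": "op@example.org",
     "policy": ["accept *:80", "reject *:*"]},
    {"nickname": "relayB", "contact": "",
     "policy": ["accept *:21", "accept *:80", "accept *:110", "reject *:*"]},
    {"nickname": "relayC", "contact": "noc@example.net",
     "policy": ["accept *:80", "accept *:443", "reject *:*"]},
    {"nickname": "relayD", "contact": "",
     "policy": ["reject *:25", "accept *:*"]},
    {"nickname": "relayE", "contact": "x@example.com",
     "policy": ["reject *:443", "accept *:1-1024", "reject *:*"]},
]

if __name__ == "__main__":
    to_email, no_contact = classify(SAMPLE)
    print("exit to 80 but not 443, can be emailed:", to_email)
    print("exit to 80 but not 443, no contact info:", no_contact)
```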