On Nov 8, 2007 3:54 PM, Jacob Appelbaum <jacob@xxxxxxxxxxxxx> wrote:
Kyle Williams wrote:
>>>
>>> (This requires some changes to the torrc and tor
>>> source, so I'd like to add it to the feature
>>> request list in case somebody has free time)
>
> That would be a hidden service. Tor already does that.
> What we are talking about is secure defaults for exit nodes.
>
> That's a horrible idea. You do NOT want everyone to be able to anonymously
> fuck with your router's admin page.
> You don't need to redirect that specific request either. It needs to be
> dropped. If you want to offer up a website, then use the hidden service
> feature of Tor.
>
I agree that you don't want someone to mess with my admin page. I don't
have an admin page, I have a service.
I think that it's a feature that in your presented case has an
unintended consequence. It's not as useless as you think. Furthermore,
it's *not* a hidden service. Hidden services are often slower than any
other Tor network function. You could *also* use a hidden service if you
wanted but that's not the same thing.
Something useful you could do with the exit enclave:
Run a mixmaster server
Run Tor with the ability to exit to your mixmaster server
Now all people who can use Tor could use mixmaster, even if mixmaster
was blocked and without exiting through a node you don't trust.
( Yes, I realize you could possibly exit and use the mixmaster network
without this setup. And yes I realize that mixmaster is able to be
observed without worry, I think this setup is useful anyway. )
>
> If you want to run a hidden server, such as a web site over a .onion
> address, then that's fine.
> If your router is disallowing people to access the admin webpage interface
> from the Internet, that's probably a good thing.
> But if running a Tor exit node opens up that admin webpage to the rest of
> the Tor network, that's not good. At that point, anyone could anonymously
> try and hack your router. God help you if they do get in, then you're really
> in trouble.
Exit enclaves aren't .onions. They're two different things. They're also
used differently and with different threat models. Furthermore, one is
very reliable and the other isn't always so reliable at times. It's also
a known and documented issue.
Do you also think Tor should automatically block access to all RFC 1918
address space unless otherwise enabled? Why should Tor be so automatic
about your specific preferences?
How about you not restrict all the RFC 1918 address spaces in your network, tell which exit node you run, and let me have some fun playing inside your network anonymously.
(To be clear, I'm not trying to downplay the usefulness of hidden
services or say that they're implemented poorly. I like them. I use one
on a daily basis for the TorDNSEL.)
-jake
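
Whether a given exit policy leaves RFC 1918 space reachable, the point argued in the thread above, can be checked mechanically. This is an added example, not part of the original message and not Tor's code: a simplified first-match-wins evaluator for `accept`/`reject ADDR:PORT` lines, where the function names, sample policies, probe ports and the deny-on-no-match fallback are all assumptions.

```python
import ipaddress

# RFC 1918 private ranges, the address space debated in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_rule(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' (IPv4 only)."""
    action, target = line.split()
    if action not in ("accept", "reject") or ":" not in target:
        raise ValueError(f"bad policy line: {line!r}")
    addr, _, port = target.rpartition(":")
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr)
    if port == "*":
        lo, hi = 1, 65535
    else:
        first, _, last = port.partition("-")
        lo, hi = int(first), int(last or first)
    return action == "accept", net, lo, hi

def allows(rules, ip, port):
    """First matching rule wins. No match means deny (assumption of this model)."""
    ip = ipaddress.ip_address(ip)
    for allow, net, lo, hi in rules:
        if ip in net and lo <= port <= hi:
            return allow
    return False

def exposed_private(policy_lines, probe_ports=(80, 443)):
    """List RFC 1918 ranges whose first or last address is reachable.

    Sampling two addresses per range is a heuristic: a policy that rejects
    only part of a range needs a finer check.
    """
    rules = [parse_rule(l) for l in policy_lines]
    hits = []
    for net in RFC1918:
        samples = (str(net[0]), str(net[-1]))
        if any(allows(rules, s, p) for s in samples for p in probe_ports):
            hits.append(str(net))
    return hits

# Constructed sample policies (not taken from the thread).
OPEN = ["reject *:25", "accept *:*"]
HARDENED = ["reject 10.0.0.0/8:*", "reject 172.16.0.0/12:*",
            "reject 192.168.0.0/16:*", "reject *:25", "accept *:*"]
PARTIAL = ["reject 192.168.0.0/16:*", "accept *:80"]
```

An empty list from `exposed_private` means every sampled private address was rejected before any broad `accept` rule was reached.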