Re: AN idea of non-public exit-nodes
On Wed, 25 Nov 2009 12:21:39 -0500 Gregory Maxwell wrote:
> On Tue, Nov 24, 2009 at 8:05 PM, Ted Smith wrote:
>> On Tue, 2009-11-24 at 19:49 -0500, Roger Dingledine wrote:
>>> See especially point #1: "even if we didn't tell clients about the list of
>>> relays directly, somebody could still make a lot of connections through
>>> Tor to a test site and build a list of the addresses they see."
>>>
>>> I guess we could perhaps add support for configuring your own secret
>>> exit node that your buddy runs for you. But at that point the anonymity
>>> that Tor can provide in that situation gets pretty fuzzy.
>>
>> It's like a bridge, but for exits. They would probably have to be a lot
>> less friend-to-friend than bridges, but it might still be doable. I
>> think this is what the original poster meant, anyways.
>
> So non-disclosed bridges work because the entrance node always knows who
> you are, so having to arrange something with someone doesn't disclose
> much more information. It doesn't disclose where you are going.
>
> In the case of an exit, the exit knows where you're going but not who you are.
> If you must arrange for access to the exit then the exit gets the opportunity
> to learn who you are. Once the exit knows who you are then the whole purpose
> of tor is defeated.

That's not how bridges work now, so your argument isn't applicable. One finds out about bridges by getting them from a server, three at a time. The same or some similar method could be used for exit bridges as well. It's true that that does leave open the possibility that the operator of the bridge info server were corrupt, but there is at least one way to reduce that threat: list a large number of exit bridges in one's torrc file. There is, though, a potential operational problem, and that is how to let the typical user know that an exit bridge is no longer usable. I'm not sure how tor currently handles unreachable entry bridges listed in torrc, so I don't know how big or small a problem this might be. (I'm not a bridge user--so far.)

> I can imagine a couple of possible cryptographic methods which would make a
> private exit unusable until there is a sufficiently large clique of people
> who could use the exit... but everything I can think of would be highly
> vulnerable to attack by setting up additional conspiring nodes.
>
> It seems to me that the cases where a private exit would be useful could
> be equally served by running a separate tor network.

You are prepared, I suppose, to establish a separate network that is as large as the current one?

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
"A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army." -- Gov. John Hancock, New York Journal, 28 January 1790

To unsubscribe, send an e-mail to majord...@torproject.org with "unsubscribe or-talk" in the body. http://archives.seul.org/or/talk/
Re: AN idea of non-public exit-nodes
On Wed, Nov 25, 2009 at 1:08 PM, Paul Syverson wrote:
> Two words: Hidden service

Okay. I'm now running an HTTP forwarder to LJ as a hidden service. Email me for the hidden service address and port number.

... I'll be posting the mapping of the LJ accounts and passwords of everyone who uses it to their email addresses at the end of the week. ;)
Re: AN idea of non-public exit-nodes
On Wed, Nov 25, 2009 at 12:21:39PM -0500, Gregory Maxwell wrote:
> On Tue, Nov 24, 2009 at 8:05 PM, Ted Smith wrote:
> > On Tue, 2009-11-24 at 19:49 -0500, Roger Dingledine wrote:
> >> See especially point #1: "even if we didn't tell clients about the list of
> >> relays directly, somebody could still make a lot of connections through
> >> Tor to a test site and build a list of the addresses they see."
> >>
> >> I guess we could perhaps add support for configuring your own secret
> >> exit node that your buddy runs for you. But at that point the anonymity
> >> that Tor can provide in that situation gets pretty fuzzy.
> >
> > It's like a bridge, but for exits. They would probably have to be a lot
> > less friend-to-friend than bridges, but it might still be doable. I
> > think this is what the original poster meant, anyways.
>
> So non-disclosed bridges work because the entrance node always knows who
> you are, so having to arrange something with someone doesn't disclose
> much more information. It doesn't disclose where you are going.
>
> In the case of an exit, the exit knows where you're going but not who you are.
> If you must arrange for access to the exit then the exit gets the opportunity
> to learn who you are. Once the exit knows who you are then the whole purpose
> of tor is defeated.
>
> I can imagine a couple of possible cryptographic methods which would make a
> private exit unusable until there is a sufficiently large clique of people
> who could use the exit... but everything I can think of would be highly
> vulnerable to attack by setting up additional conspiring nodes.

Two words: Hidden service

Some more words: If you set up a hidden service to function as a Tor exit, then your above concern about defeating the point of Tor goes away. I haven't done any thorough analysis but it seems obvious that there are lots of ways to attack this, such as quoted from Roger above.

As usual you would need to specify what your threat model is to know if this is adequate for intended purposes.

-Paul
Re: AN idea of non-public exit-nodes
On Tue, Nov 24, 2009 at 8:05 PM, Ted Smith wrote:
> On Tue, 2009-11-24 at 19:49 -0500, Roger Dingledine wrote:
>> See especially point #1: "even if we didn't tell clients about the list of
>> relays directly, somebody could still make a lot of connections through
>> Tor to a test site and build a list of the addresses they see."
>>
>> I guess we could perhaps add support for configuring your own secret
>> exit node that your buddy runs for you. But at that point the anonymity
>> that Tor can provide in that situation gets pretty fuzzy.
>
> It's like a bridge, but for exits. They would probably have to be a lot
> less friend-to-friend than bridges, but it might still be doable. I
> think this is what the original poster meant, anyways.

So non-disclosed bridges work because the entrance node always knows who you are, so having to arrange something with someone doesn't disclose much more information. It doesn't disclose where you are going.

In the case of an exit, the exit knows where you're going but not who you are. If you must arrange for access to the exit then the exit gets the opportunity to learn who you are. Once the exit knows who you are then the whole purpose of tor is defeated.

I can imagine a couple of possible cryptographic methods which would make a private exit unusable until there is a sufficiently large clique of people who could use the exit... but everything I can think of would be highly vulnerable to attack by setting up additional conspiring nodes.

It seems to me that the cases where a private exit would be useful could be equally served by running a separate tor network.
Re: AN idea of non-public exit-nodes
On 11/25/2009 02:20 AM, James Brown wrote:
>> It's like a bridge, but for exits. They would probably have to be a lot
>> less friend-to-friend than bridges, but it might still be doable. I
>> think this is what the original poster meant, anyways.
>
> Yes, I meant exactly that.

If I understand this correctly, you want an unpublished exit relay? I believe the torrc option "PublishServerDescriptor 0" will do what you want. If I'm misunderstanding, please correct me.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Re: AN idea of non-public exit-nodes
On Wed, 25 Nov 2009 09:09:16 +0300 James Brown wrote:
> Roger Dingledine wrote:
>> On Wed, Nov 25, 2009 at 02:51:57AM +0300, James Brown wrote:
>>
>> Alas, livejournal's hand here might be forced by their new owners. In
>> that case, the only answer I can think of is for everybody in the affected
>> countries to jump ship.
>>
>> --Roger
>>
> It is a very good idea, but if they didn't do it after purchasing the LJ
> of the SUP - I think it will be very difficult to convince them to do it now.
> Many of them (not am I - after my arrest in the year 2007 I use only the
> Tor for either activities in blogs or for banking transactions) don't use
> the Tor.
> I tell many of them to use the Tor but they don't do it even after
> arrests of their comrades.
> Russian mentality...

Yes, one certainly has to wonder whether it is a wasted effort to help those who *do not want* to help themselves. Those who wish to surrender are probably those we should thank for purging themselves from the gene pool. OTOH, your efforts to inform them at large will probably help the few who *do* wish to defend themselves but simply didn't know about the threat.

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
"A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army." -- Gov. John Hancock, New York Journal, 28 January 1790
Re: AN idea of non-public exit-nodes
Ted Smith wrote:
> On Tue, 2009-11-24 at 19:49 -0500, Roger Dingledine wrote:
>
> It's like a bridge, but for exits. They would probably have to be a lot
> less friend-to-friend than bridges, but it might still be doable. I
> think this is what the original poster meant, anyways.

Yes, I meant exactly that.
Re: AN idea of non-public exit-nodes
Roger Dingledine wrote:
> On Wed, Nov 25, 2009 at 02:51:57AM +0300, James Brown wrote:
>
> Alas, livejournal's hand here might be forced by their new owners. In
> that case, the only answer I can think of is for everybody in the affected
> countries to jump ship.
>
> --Roger
>

It is a very good idea, but if they didn't do it after purchasing the LJ of the SUP - I think it will be very difficult to convince them to do it now. Many of them (not am I - after my arrest in the year 2007 I use only the Tor for either activities in blogs or for banking transactions) don't use the Tor.

I tell many of them to use the Tor but they don't do it even after arrests of their comrades.

Russian mentality...
Re: AN idea of non-public exit-nodes
I'm not sure that the correlation attacks for `bridge exits' are better than those for normal bridges. However, the `exit risk' would likely be more discouraging to such `bridge exits'.

However, as a more general question, making the Tor network difficult to completely enumerate might be interesting. Clearly, there are valuable advantages to a hard-to-map network, but can it be done without gross disadvantages?

2009/11/24 Damian Johnson
> Interesting idea, but seems like it could be pretty dangerous. If an
> attacker was able to figure out the subset of Tor users taking advantage of
> these special exits and ran one themselves then correlation probably
> wouldn't be too difficult. In addition, abuse issues make finding exit
> operators a lot harder than bridges so you probably wouldn't get the vast
> number of volunteers needed for the current bridge distribution tactics.
> -Damian
>
> On Tue, Nov 24, 2009 at 5:05 PM, Ted Smith wrote:
>> On Tue, 2009-11-24 at 19:49 -0500, Roger Dingledine wrote:
>> > See especially point #1: "even if we didn't tell clients about the list of
>> > relays directly, somebody could still make a lot of connections through
>> > Tor to a test site and build a list of the addresses they see."
>> >
>> > I guess we could perhaps add support for configuring your own secret
>> > exit node that your buddy runs for you. But at that point the anonymity
>> > that Tor can provide in that situation gets pretty fuzzy.
>>
>> It's like a bridge, but for exits. They would probably have to be a lot
>> less friend-to-friend than bridges, but it might still be doable. I
>> think this is what the original poster meant, anyways.
Re: AN idea of non-public exit-nodes
Interesting idea, but seems like it could be pretty dangerous. If an attacker was able to figure out the subset of Tor users taking advantage of these special exits and ran one themselves then correlation probably wouldn't be too difficult. In addition, abuse issues make finding exit operators a lot harder than bridges so you probably wouldn't get the vast number of volunteers needed for the current bridge distribution tactics.

-Damian

On Tue, Nov 24, 2009 at 5:05 PM, Ted Smith wrote:
> On Tue, 2009-11-24 at 19:49 -0500, Roger Dingledine wrote:
> > See especially point #1: "even if we didn't tell clients about the list of
> > relays directly, somebody could still make a lot of connections through
> > Tor to a test site and build a list of the addresses they see."
> >
> > I guess we could perhaps add support for configuring your own secret
> > exit node that your buddy runs for you. But at that point the anonymity
> > that Tor can provide in that situation gets pretty fuzzy.
>
> It's like a bridge, but for exits. They would probably have to be a lot
> less friend-to-friend than bridges, but it might still be doable. I
> think this is what the original poster meant, anyways.
Re: AN idea of non-public exit-nodes
On Tue, 2009-11-24 at 19:49 -0500, Roger Dingledine wrote:
> See especially point #1: "even if we didn't tell clients about the list of
> relays directly, somebody could still make a lot of connections through
> Tor to a test site and build a list of the addresses they see."
>
> I guess we could perhaps add support for configuring your own secret
> exit node that your buddy runs for you. But at that point the anonymity
> that Tor can provide in that situation gets pretty fuzzy.

It's like a bridge, but for exits. They would probably have to be a lot less friend-to-friend than bridges, but it might still be doable. I think this is what the original poster meant, anyways.
Re: AN idea of non-public exit-nodes
On Wed, Nov 25, 2009 at 02:51:57AM +0300, James Brown wrote:
> In the context of the above information concerning the ban of Tor's
> nodes by the LJ (and in other such cases) I have an idea to provide in
> the Tor net for non-public exit-nodes.

You might find this faq entry useful:
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#WhyBlockable

See especially point #1: "even if we didn't tell clients about the list of relays directly, somebody could still make a lot of connections through Tor to a test site and build a list of the addresses they see."

I guess we could perhaps add support for configuring your own secret exit node that your buddy runs for you. But at that point the anonymity that Tor can provide in that situation gets pretty fuzzy.

> This solution will be very, very useful for residents of the countries
> under tyrannical and fascist regimes like Russia and such others.
> P.S. It is very important for residents of such countries because only
> such measures can support liberty of speech and privacy for them. I
> want all you to know that after many proceedings against bloggers and
> other Internet users in Russia ended in conditional sentences, Putin's
> gestapo arrested a young girl in Moscow for her writing on Internet
> forums etc. in September, 2009.
> I think that it is not the last arrest of bloggers in Russia.

Indeed. The case of livejournal and Russia is particularly sad here -- lj is where a lot of Russian activists hang out, yet it's also owned and monitored by (simplifying a little) the Russian authorities. And nobody in the activist community can get enough momentum to convince people to move somewhere that is less monitored. Very well done.

For the rest of you following this whole 'livejournal and Russia' topic, I find Evgeny Morozov's writings to be useful here. See e.g.
http://www.nytimes.com/2006/10/25/opinion/25iht-edmorozov.3280324.html
Not a new story, alas.

I think one useful approach here is to help livejournal understand that they need to stop blocking all users who want privacy. Here are some talking points there:

- Blocking Tor users entirely is over-broad. Even if they have no internal mechanism for handling accountability and authentication, they can still target only the behaviors that they can't get under control. I presume they're blocking it because some small number of people are crawling certain resources on livejournal. So they should narrow their blocking to just those resources. As a parallel example here, Slashdot prevents posts from Tor exit IP addresses, but they don't just cut all connections.

- They probably don't have any idea how many 'normal' Tor users they have. If the only time you notice Tor is when somebody's being a jerk, it's easy to fall into the trap of thinking that Tor only has a few users, most of whom are jerks. But the fact is that hundreds of thousands of people use Tor daily. Blocking all of them is going to impact many more people than you think. (How many of these users use LJ daily? I don't know, but if they've set things up to filter based on IP address, they could also set things up to count instead.)

- I talked to the chief security officer of Facebook a few months back. They used to regard Tor as something that could hurt their business model. Then the June election thing happened in Iran, and facebook.com was blocked in Iran, and suddenly around 1 facebook users in Iran were connecting via Tor daily. Now Facebook has a very different perspective on privacy tools like Tor. Their story is similar in China.

Alas, livejournal's hand here might be forced by their new owners. In that case, the only answer I can think of is for everybody in the affected countries to jump ship.

--Roger
Re: AN idea of non-public exit-nodes
On Wed, 2009-11-25 at 02:51 +0300, James Brown wrote:
> In the context of the above information concerning the ban of Tor's
> nodes by the LJ (and in other such cases) I have an idea to provide in
> the Tor net for non-public exit-nodes.
> This solution will be very, very useful for residents of the countries
> under tyrannical and fascist regimes like Russia and such others.
> P.S. It is very important for residents of such countries because only
> such measures can support liberty of speech and privacy for them. I
> want all you to know that after many proceedings against bloggers and
> other Internet users in Russia ended in conditional sentences, Putin's
> gestapo arrested a young girl in Moscow for her writing on Internet
> forums etc. in September, 2009.
> I think that it is not the last arrest of bloggers in Russia.

I like this idea, but I doubt that you'll get much support for it because it goes against the Tor network's reputation of "if you want to block us, you can."