[tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Matthew Finkel
Hi Ops,

We recently began responding to t-shirt requests again. Sorry for the
long silence. There's been a lot happening around here but not enough
time or people to do everything, so the t-shirt requests simply remained
untouched. But, despite the overload, t-shirts are important because
they are a small token of our thanks and appreciation for making the
network what it is today.

We responded to around 70 t-shirt requests from relay operators in
April, which comprised all requests for which we could verify (within
reason) the request came from the person who controlled the qualifying
relay. We still have another 20 requests where the requestor is not
obviously the owner of the relay. Currently the content of a relay's
Contact field is used, but this does not always provide enough (or any)
information. For this case, we need an authentication mechanism which
proves control of the relay but is something relay operators won't mind
running.
 
My current plan is to ask relay operators to sign the fingerprint file
which tor creates. The major disadvantage of this method is that it must
be run as root (or a user with access to tor's data directory).

The following process is the current plan, but does anyone have a better
idea? Does it seem logical?


When we receive a t-shirt request from someone who isn't obviously in
control of the relay, we ask them to sign their fingerprint file with
a unique salt.

Assuming the path to their data dir is /var/lib/tor, we ask them to run:

$ (echo -n salt ; cat /var/lib/tor/fingerprint) | openssl sha256 \
  -binary | openssl pkeyutl -inkey /var/lib/tor/keys/secret_id_key \
  -sign -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
  -pkeyopt rsa_pss_saltlen:32 | openssl base64 > signed_fingerprint

They send us both /var/lib/tor/fingerprint and signed_fingerprint.

When we receive them, we confirm the fingerprint in the fingerprint file
matches the qualifying relay. Then we retrieve the relay's public key
from its descriptor and convert it into pkcs#8 format using:

$ openssl rsa -pubin -in pubkey_pkcs1 -RSAPublicKey_in -out pubkey

and then we verify the sig using the following commands:

$ (echo -n salt ; cat fingerprint) | openssl sha256 -binary | \
  openssl pkeyutl -pubin -verify -inkey pubkey -sigfile \
  $(OUT=/tmp/signed_fingerprint_bin; base64 -d signed_fingerprint > \
  ${OUT}; echo ${OUT}) -pkeyopt digest:sha256 -pkeyopt \
  rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32; rm \
  /tmp/signed_fingerprint_bin;

This should yield Signature Verified Successfully.



Another disadvantage of this is PSS wasn't implemented in openssl's
apps until 1.0.1. I wonder how many relays are running on servers which
are still using openssl 0.9.8 (and 1.0.0?). For these servers we can
fall back on pkcs#1 v1.5 signatures.



The signature can be created using a command similar to the one above:

$ (echo -n salt ; cat /var/lib/tor/fingerprint) | openssl dgst \
  -sha256 | openssl rsautl -inkey /var/lib/tor/keys/secret_id_key \
  -sign | openssl base64 > signed_fingerprint

Again, they provide /var/lib/tor/fingerprint and signed_fingerprint,
and we verify using:

$ test "$(openssl base64 -d -in signed_fingerprint | openssl rsautl \
  -pubin -verify -inkey pubkey)" = "$( (echo -n salt ; cat \
  fingerprint) | openssl dgst -sha256)"; echo $?


In addition, again, we confirm the fingerprint in the fingerprint file
matches the fingerprint of the qualifying relay.


Originally I used a few bashisms which made these simpler, but for
this I suspect portability is important.

Sorry this is a bit long.

Thanks,
Matt



___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
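
The salted PSS exchange proposed in the message above, run end to end on a throwaway key, showing that a signature made for one salt or fingerprint file does not verify against another. This is an added example, not part of the original thread: the key, fingerprint line and salts are constructed, the function names are hypothetical, and `printf` and `mktemp` stand in for `echo -n` and the fixed `/tmp` path.

```shell
#!/bin/sh
# Added example, not from the thread. The key, fingerprint line and salts
# below are constructed; the function names are hypothetical.

# Padding options as in the proposed command (expanded unquoted on purpose).
PSS_OPTS="-pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32"

# Build a stand-in data directory: throwaway RSA key, its public half and a
# fingerprint file. A real verifier would take the public key from the
# relay's descriptor and convert it as described in the message.
make_demo_relay() {  # usage: make_demo_relay DIR
    openssl genrsa -out "$1/secret_id_key" 2048 2>/dev/null &&
    openssl rsa -in "$1/secret_id_key" -pubout -out "$1/pubkey" 2>/dev/null &&
    printf 'ExampleRelay 0123456789ABCDEF0123456789ABCDEF01234567\n' > "$1/fingerprint"
}

# Operator side: sign SHA-256(salt || fingerprint file), base64 the result.
sign_fingerprint() {  # usage: sign_fingerprint SALT FINGERPRINT_FILE PRIVATE_KEY OUT
    { printf '%s' "$1"; cat "$2"; } | openssl sha256 -binary |
        openssl pkeyutl -sign -inkey "$3" $PSS_OPTS | openssl base64 > "$4"
}

# Verifier side: recompute the digest with the salt that was issued and check
# the signature against the relay's public key.
verify_fingerprint() {  # usage: verify_fingerprint SALT FINGERPRINT_FILE PUBLIC_KEY SIG_B64
    sig_bin=$(mktemp) || return 2
    openssl base64 -d -in "$4" > "$sig_bin"
    result=$( { printf '%s' "$1"; cat "$2"; } | openssl sha256 -binary |
        openssl pkeyutl -verify -pubin -inkey "$3" -sigfile "$sig_bin" \
            $PSS_OPTS 2>&1 ) || true
    rm -f "$sig_bin"
    # Match on openssl's success message, the one the message says to expect.
    case $result in
        *"Signature Verified Successfully"*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 2
    make_demo_relay "$d" || return 2
    # Salt issued for this one request (constructed value).
    sign_fingerprint 'request-17-salt' "$d/fingerprint" \
        "$d/secret_id_key" "$d/signed_fingerprint"
    verify_fingerprint 'request-17-salt' "$d/fingerprint" \
        "$d/pubkey" "$d/signed_fingerprint" && echo "issued salt: accepted"
    # The same signature presented against a different request's salt fails.
    verify_fingerprint 'request-18-salt' "$d/fingerprint" \
        "$d/pubkey" "$d/signed_fingerprint" || echo "other salt: rejected"
    rm -rf "$d"
}

demo
```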


Re: [tor-relays] Drop in relay count

2015-05-03 Thread Linus Nordberg
Steve Snyder swsny...@snydernet.net wrote
Sun, 3 May 2015 10:40:59 -0400 (EDT):

| My uninformed guess would be that the higher minimum bandwidth requirements
| in v0.2.6.x forced out the marginal relays.

Interesting. I'll see if I can find out when a majority of directory
authorities upgraded to 0.2.6.x.


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Matthew Finkel
On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
> On Sun, 3 May 2015, Matthew Finkel wrote:
>
> > Assuming the path to their data dir is /var/lib/tor, we ask them to run:
>
> Please don't get in the habit of asking relay operators through e-mail to
> run complex bash command lines as root.  As a security practice, this is
> terrible.  (How do you know the suggested command wasn't altered before it
> reached its recipient?)

Yes, this is terrible, and I really hate the idea of asking it. I signed
all my emails for the t-shirt requests, but now we're relying on
everyone fetching my key and verifying the mail - so, that's also a bad
assumption. I don't have a good solution. This is why I'm asking.

 
> If you want to build a utility for this into the tor distribution, and make
> it obvious what it does, I think that's fine.  If the site asked people to
> run tor-request-tshirt or more generically tor-verify-ownership and it
> asked for whatever required information, I'd think that'd be more obviously
> safe.

Unfortunately, for something like that to work seamlessly, it would
need to be setuid or setgid. This may be a better way forward, but I
wonder what we can do now.

 
> Or as Robert suggests, just send verification mail to the listed contact
> address of the relay.  If they don't list one on their config, find an
> alternate verification mechanism like e-mailing whois contacts for the IP or
> domain name, or refuse the request.

I'd prefer not denying them a t-shirt because they don't want to publish
an email address publicly, but using whois seems like a stretch and
usually ends at the hosting provider instead of the operator.

Thanks for the idea.

- Matt


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread JovianMallard
Matt,

Inspired by the options to confirm domain ownership with Google,
could you ask the relay operator to include a randomly generated (by
you) token in their contact field? It may take a while to propagate and
it requires action on the operator's part, but it's not difficult and I
expect it provides the assurance you need.


On 05/03/2015 04:20 PM, Matthew Finkel wrote:
> On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
> > On Sun, 3 May 2015, Matthew Finkel wrote:
> >
> > Or as Robert suggests, just send verification mail to the listed contact
> > address of the relay.  If they don't list one on their config, find an
> > alternate verification mechanism like e-mailing whois contacts for the IP or
> > domain name, or refuse the request.
>
> I'd prefer not denying them a t-shirt because they don't want to publish
> an email address publicly, but using whois seems like a stretch and
> usually ends at the hosting provider instead of the operator.
 





Re: [tor-relays] Drop in relay count

2015-05-03 Thread syndikal


nusenu nus...@openmailbox.org wrote:
> it seems like we've lost about 500 (-7%) relays since the beginning
> of this year.


the Tor network recently lost a large amount of relays (~75 or more)
due to BadExit attacks. this may account for a large sum of the
disappearing nodes (~20%), but it doesn't account for nearly all of
them.


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Matthew Finkel
On Sun, May 03, 2015 at 09:18:30PM +0200, Sebastian Urbach wrote:
> On May 3, 2015 7:45:39 PM Matthew Finkel matthew.fin...@gmail.com wrote:
>
> Hi Matthew,
>
> > Hi Ops,
> >
> > We recently began responding to t-shirt requests again. Sorry for the
> > long silence. There's been a lot happening around here but not enough
> > time or people to do everything, so the t-shirt requests simply remained
> > untouched. But, despite the overload, t-shirts are important because
> > they are a small token of our thanks and appreciation for making the
> > network what it is today.
> >
> > We responded to around 70 t-shirt requests from relay operators in
> > April, which comprised all requests for which we could verify (within
> > reason) the request came from the person who controlled the qualifying
> > relay. We still have another 20 requests where the requestor is not
> > obviously the owner of the relay. Currently the content of a relay's
> > Contact field is used, but this does not always provide enough (or any)
> > information. For this case, we need an authentication mechanism which
> > proves control of the relay but is something relay operators won't mind
> > running.
>
> I'm really not amused. As I recall a bunch of people including myself
> offered to help.

Amused? This really has nothing to do with amusement. If you want to
work on something, then please come work on it, we really are
overloaded. That being said, correctly handling t-shirt requests and
other similar communications is important and delicate. The Tor Project
is in a difficult situation where it wants to support the Tor network
but not run it. This means, to some extent, we become a trusted
third-party with some information. T-shirt requests are a perfect
example of this, where we receive requests from people who choose not
to publicly publish their contact details yet they would like a reward
for their work - which they absolutely deserve. This requires that
operators trust us, so letting anyone help take care of these requests
is not wise.

> I get the distinct impression that you keep everything
> within a small circle of people, no matter what. Even if that means that
> services are suffering.
 

We're a group of security and privacy conscious individuals who want
a world where everyone has secure and private communications, this isn't
exactly a good combination which leads to publicly discussing
everything. I certainly admit sometimes I default to discussing topics
privately rather than sending it to tor-talk or tor-relays - I nearly
did that with this thread. It's a bad habit, but it's not as common as
I think you think it is.

- Matt


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Markus Hitter
On 03.05.2015 at 22:49, Matthew Finkel wrote:
> This requires that
> operators trust us, so letting anyone help take care of these requests
> is not wise.

Maybe I'm unique with this opinion, but usually I trust groups open to helping
hands more than those who consider themselves to be wiser than the average.

> We're a group of security and privacy conscious individuals who want
> a world where everyone has secure and private communications, this isn't
> exactly a good combination which leads to publicly discussing
> everything.

Sounds almost like the advertising from companies which try to sell their 
closed source software as the most secure thing since the invention of sliced 
bread.

Of course it's not a good idea to publish the addresses of the t-shirt 
receivers, neither to email them randomly around the globe, but printing a 
hundred stickers and placing them on as many bags also isn't something which 
keeps a group of people busy for months.


my $0.02
Markus

-- 
- - - - - - - - - - - - - - - - - - -
Dipl. Ing. (FH) Markus Hitter
http://www.jump-ing.de/


Re: [tor-relays] Drop in relay count

2015-05-03 Thread Linus Nordberg
nusenu nus...@openmailbox.org wrote
Sun, 03 May 2015 19:06:39 +:

|  Looking at the graphs showing the total relay bandwidth of the
|  network it seems like the advertised bandwidth has increased with
|  about 25 Mbps (+23%).
| 
| I doubt that 25 Mbps is 23% of the tor network capacity, I guess it
| should say GBit/s.

Indeed.


| You probably also know about the 0.2.3.x relays:
| https://metrics.torproject.org/versions.html

I didn't. Thanks.


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Tom van der Woerdt

Matthew Finkel wrote on 03/05/15 at 14:47:
> On Sun, May 03, 2015 at 08:20:54PM +, Matthew Finkel wrote:
> > On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
> > > On Sun, 3 May 2015, Matthew Finkel wrote:
> > >
> > > > Assuming the path to their data dir is /var/lib/tor, we ask them to run:
> > >
> > > Please don't get in the habit of asking relay operators through e-mail to
> > > run complex bash command lines as root.  As a security practice, this is
> > > terrible.  (How do you know the suggested command wasn't altered before it
> > > reached its recipient?)
> >
> > Yes, this is terrible, and I really hate the idea of asking it. I signed
> > all my emails for the t-shirt requests, but now we're relying on
> > everyone fetching my key and verifying the mail - so, that's also a bad
> > assumption. I don't have a good solution. This is why I'm asking.
>
> What if we add the commands to the t-shirt[0] website? Again, this isn't
> a great solution, but we already have documentation which requires
> running commands with elevated privileges on there, and it's slightly
> better than sending it in an email. These commands are still more
> complex than I'd like, but if beside providing an executable or
> verifiable shell script, I'm running low on solutions.
>
> [0] https://www.torproject.org/getinvolved/tshirt
>
> Thanks,
> Matt


Hi Matt,

How about :

 * Primarily using ContactInfo for the verification
 * If you cannot match the ContactInfo, ask people to set it on their relays
 * If they are unwilling/unable to do so, ask them to sign their mail
   address using their secret Tor key

 * Implement a --sign option for Tor 0.2.7
 * Starting a year from now, just ask everyone to sign the request

Proving ownership of a Tor relay can be relevant for more applications 
than just Weather, so a simple --sign option can be good to have. That 
doesn't address the immediate concerns though, it's more of a long-term 
solution.


Tom





Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread I
Everyone,

Could the relay log have something copied (such as the key) from it and emailed 
with the claim as only the operator can see the relay?

Robert




[tor-relays] Why can't I see authorities bandwidth stats

2015-05-03 Thread Dedalo
Hi,

I was making some changes in my relay configuration and I made some
queries in GLOBE and ATLAS and something happened. I noticed that all
authorities are not showing bandwidth stats from the last week and I was
wondering why.

Regards,
Dedalo.

-- 
twitter: @SeguridadBlanca
Github: Dedal0
Blog: https://blog.dedalo.in



Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread teor

> Date: Sun, 3 May 2015 17:44:39 +
> From: Matthew Finkel matthew.fin...@gmail.com
> …
>
> Another disadvantage of this is PSS wasn't implemented in openssl's
> apps until 1.0.1. I wonder how many relays are running on servers which
> are still using openssl 0.9.8 (and 1.0.0?). For these servers we can
> fall back on pkcs#1 v1.5 signatures.

OS X still ships with OpenSSL 0.9.8 by default.

But Darwin is such a small fraction of the network, and it's less likely that a 
Darwin server would push enough data to get a t-shirt unless it had an OpenSSL 
version with aes-ni.

teor

teor2345 at gmail dot com
pgp 0xABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7





Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-03 Thread Seth

On Sun, 03 May 2015 11:50:25 -0700, nusenu nus...@openmailbox.org wrote:

> I'd say 7$ for 2TB/mo on 1GB RAM is expensive if you compare it with
> 100mbps unmetered and let's say you are able to saturate ~50% =
> ~30TB/mo (~50 mbps* in one direction) for ~15$/mo with 1GB RAM (in HU,
> 0.6% CW).


Can't argue with that.

The difference in annual cost ($60 vs $180 USD) is the key factor for me  
right now. Don't want to pay $180/yr out of pocket right now.



> ..but anyway thanks for adding more OpenBSD relays.


Aye, I'll be trying out your Ansible playbooks in a bit.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-03 Thread Seth
On Sat, 02 May 2015 00:52:07 -0700, Geo Rift  
tim.cochrane.lap...@gmail.com wrote:

> I would love to see some more nodes in Australia. I'm located in Perth
> and the speed of the network is horrible.


Tim, just deployed an exit node to Sydney location, feel free to test it  
out:


https://atlas.torproject.org/#details/E1E1059D8C41FC48B823C6F09348EA89C4D4C9D4


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread I
Matt,

How many shirts are sent in a year?
What would taking it on entail?

Robert



> Absolutely, but what's the cost? Our current solution using Printfection
> is neither ideal nor cheap, but it is convenient. Tor pays Printfection
> a bunch of money and Printfection creates the t-shirts, gives us
> one-time links, and takes care of the shipping and handling. If we crowd
> sourced creating bags with stickers in them we would need someone who
> can organize all the volunteers, ship the bags and stickers around the
> world, pay the return shipping for the filled bags, and then ship them
> again to the relay operators. That seems like it will become expensive.
> I would love to find a better solution than Printfection, so if anyone
> has suggestions we'd love to hear about it.
>
> - Matt




Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Matthew Finkel
On Sun, May 03, 2015 at 03:31:01PM -0700, Tom van der Woerdt wrote:
> Matthew Finkel wrote on 03/05/15 at 14:47:
> > On Sun, May 03, 2015 at 08:20:54PM +, Matthew Finkel wrote:
> > > On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
> > > > On Sun, 3 May 2015, Matthew Finkel wrote:
> > > >
> > > > > Assuming the path to their data dir is /var/lib/tor, we ask them to run:
> > > >
> > > > Please don't get in the habit of asking relay operators through e-mail to
> > > > run complex bash command lines as root.  As a security practice, this is
> > > > terrible.  (How do you know the suggested command wasn't altered before it
> > > > reached its recipient?)
> > >
> > > Yes, this is terrible, and I really hate the idea of asking it. I signed
> > > all my emails for the t-shirt requests, but now we're relying on
> > > everyone fetching my key and verifying the mail - so, that's also a bad
> > > assumption. I don't have a good solution. This is why I'm asking.
> >
> > What if we add the commands to the t-shirt[0] website? Again, this isn't
> > a great solution, but we already have documentation which requires
> > running commands with elevated privileges on there, and it's slightly
> > better than sending it in an email. These commands are still more
> > complex than I'd like, but if beside providing an executable or
> > verifiable shell script, I'm running low on solutions.
> >
> > [0] https://www.torproject.org/getinvolved/tshirt
> >
> > Thanks,
> > Matt
>
> Hi Matt,
>
> How about :
>
>  * Primarily using ContactInfo for the verification
>  * If you cannot match the ContactInfo, ask people to set it on their relays

Sounds good.

>  * If they are unwilling/unable to do so, ask them to sign their mail
>    address using their secret Tor key

How? For the short-term, do you think asking the operator to run the
proposed command is not a crazy idea?

>  * Implement a --sign option for Tor 0.2.7
>  * Starting a year from now, just ask everyone to sign the request

We'd need more than a year for this, likely four years, at the earliest
because Jessie only has 0.2.6.

 
> Proving ownership of a Tor relay can be relevant for more applications than
> just Weather, so a simple --sign option can be good to have. That doesn't
> address the immediate concerns though, it's more of a long-term solution.

I think this may be a good idea, especially if CAs begin issuing certs
for onion sites. Implementing it will not be too difficult,
unfortunately its usability may be a little tricky.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Matthew Finkel
On Mon, May 04, 2015 at 12:46:01AM +0200, Markus Hitter wrote:
> On 03.05.2015 at 22:49, Matthew Finkel wrote:
> > This requires that
> > operators trust us, so letting anyone help take care of these requests
> > is not wise.
>
> Maybe I'm unique with this opinion, but usually I trust groups open to
> helping hands more than those who consider themselves to be wiser than the
> average.
 

I don't think what I said contradicts this. You are certainly not alone
with that opinion and we, the thousands of people in the Tor community,
make Tor what it is. There is a smaller subset of the community which
handles some personal information, and, as it turns out, most people
prefer only revealing their information to a few people instead of
thousands. Hopefully we will move toward an automated system for these
t-shirts, so that the only people in the trusted-set are those who pay
for the t-shirts, in this case. But, in general, when dealing with
finances and PII, there's certain information that should remain
private. That being said, we want more people to help us. Please, come
work on some of Tor's projects. We want more review, more input, more
feedback. I was not saying we were wise because we aren't 100% public
and transparent with what we do. I was saying revealing the personal
information about operators to random, unvetted volunteers was not
wise - I hope this makes sense.

> > We're a group of security and privacy conscious individuals who want
> > a world where everyone has secure and private communications, this isn't
> > exactly a good combination which leads to publicly discussing
> > everything.
>
> Sounds almost like the advertising from companies which try to sell their
> closed source software as the most secure thing since the invention of sliced
> bread.

Heh. Good thing that wasn't an advertisement and Tor is not a company
selling closed-source software :)

 
> Of course it's not a good idea to publish the addresses of the t-shirt
> receivers, neither to email them randomly around the globe, but printing a
> hundred stickers and placing them on as many bags also isn't something which
> keeps a group of people busy for months.

Absolutely, but what's the cost? Our current solution using Printfection
is neither ideal nor cheap, but it is convenient. Tor pays Printfection
a bunch of money and Printfection creates the t-shirts, gives us
one-time links, and takes care of the shipping and handling. If we crowd
sourced creating bags with stickers in them we would need someone who
can organize all the volunteers, ship the bags and stickers around the
world, pay the return shipping for the filled bags, and then ship them
again to the relay operators. That seems like it will become expensive.
I would love to find a better solution than Printfection, so if anyone
has suggestions we'd love to hear about it.

- Matt


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Matthew Finkel
On Sun, May 03, 2015 at 06:17:20PM -0400, JovianMallard wrote:
> Matt,
>
> Inspired by the options to confirm domain ownership with Google,
> could you ask the relay operator to include a randomly generated (by
> you) token in their contact field? It may take a while to propagate and
> it requires action on the operator's part, but it's not difficult and I
> expect it provides the assurance you need.
 

Thanks for the suggestion! I did consider this and other similar
methods. The major disadvantage I see with this one is that there will
be a historical record of when the operator requested a t-shirt. Maybe
this doesn't matter, though. It's probably a better option than some
of the others.


Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-03 Thread Seth

On Sat, 02 May 2015 14:37:04 -0700, nusenu nus...@openmailbox.org wrote:

> Is there a specific reason why you limit yourself to vultr?


Yes, there are several.

* Price (hardware bang for the buck. SSD, 1000GB bw/mo in most locations.  
Starter pkg is $5/mo)
* Features/usability (really like their control panel and website design.  
Snapshots are key, ability to re-deploy snapshots anywhere. Two factor  
auth with Yubikey.)
* OpenBSD supported via custom ISO install feature (This limits the field  
quickly)



Re: [tor-relays] Drop in relay count

2015-05-03 Thread Steve Snyder
On Sunday, May 3, 2015 10:08am, Linus Nordberg li...@nordberg.se said:

> Hi,
>
> Looking at the graphs showing the number of relays in the network it
> seems like we've lost about 500 (-7%) relays since the beginning of this
> year.
>
>   https://metrics.torproject.org/networksize.html?graph=networksize&start=2015-01-01&end=2015-05-03
>   https://metrics.torproject.org/networksize.html?graph=networksize&start=2012-01-01&end=2015-05-03

My uninformed guess would be that the higher minimum bandwidth requirements in 
v0.2.6.x forced out the marginal relays.




[tor-relays] Drop in relay count

2015-05-03 Thread Linus Nordberg
Hi,

Looking at the graphs showing the number of relays in the network it
seems like we've lost about 500 (-7%) relays since the beginning of this
year.

  
  https://metrics.torproject.org/networksize.html?graph=networksize&start=2015-01-01&end=2015-05-03
  https://metrics.torproject.org/networksize.html?graph=networksize&start=2012-01-01&end=2015-05-03

Looking at the graphs showing the total relay bandwidth of the network
it seems like the advertised bandwidth has increased with about 25 Mbps
(+23%).

  
  https://metrics.torproject.org/bandwidth.html?graph=bandwidth&start=2015-01-01&end=2015-05-03
  https://metrics.torproject.org/bandwidth.html?graph=bandwidth&start=2012-01-01&end=2015-05-03

Seems a bit contradictory at first sight. A guess would be that a lower
number of fast relays have replaced a higher number of slow ones but I
haven't looked into it more.

Anyone who's looked into this? And can back up their theory with some
numbers.

Thanks,
Linus


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Roger Dingledine
Matt: Thanks for leading us forward on the tshirt topic! I still, alas,
have a pile of tshirt requests from Jan-Mar that I should collate and
forward to you.

On Sun, May 03, 2015 at 10:26:52AM -0800, I wrote:
> Isn't the value of the t-shirt disproportionate to the trouble you're
> going to to give them out?
> If the weather message offering the t-shirt is answered by the same
> address isn't that proof enough?

I think I agree with this: if somebody has a copy of a Tor weather
mail, then they -- oh. You can sign up to watch somebody else's relay,
and then you get their tshirt notification?

I guess the obvious fix is to only have weather send tshirt notifications
when it has auto-parsed the contact info itself, rather than when a
human signs up to watch a given relay.

But the obvious fix involves changing Tor Weather. It's my understanding
that we have a rewrite already done by a GSoC student, but nobody has
attempted to deploy the rewrite because nobody wants to mess with the
current weather instance (and because Karsten, the original mentor,
is overloaded).

Tor Weather should really be a community thing, not a service that
Tor maintains, given how we're stretched thin as it is.

I met a nice fellow in Valencia who lives in Berlin and offered to pick
it up. But I haven't heard anything further from that conversation.

Really, Weather is messy because it tries to serve many too many purposes
at once -- two of the extremes are letting people sign up to get email
when their relay goes offline, and also tracking historical relay uptime
data in order to tell us (and the operator) when a given relay has passed
a given milestone.

Of course, making it a community thing could easily mean even more
inconsistency over time. Hm indeed.

--Roger



Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-03 Thread nusenu

> * Price (hardware bang for the buck. SSD, 1000GB bw/mo in most
> locations. Starter pkg is $5/mo)

I'd say 7$ for 2TB/mo on 1GB RAM is expensive if you compare it with
100mbps unmetered and let's say you are able to saturate ~50% =
~30TB/mo (~50 mbps* in one direction) for ~15$/mo with 1GB RAM (in HU,
0.6% CW).

https://lists.torproject.org/pipermail/tor-relays/2013-January/001835.html

2TB/mo is not a lot of traffic, it translates to less than 4mbps in
one direction.

..but anyway thanks for adding more OpenBSD relays.





Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Aaron Hopkins

On Sun, 3 May 2015, Matthew Finkel wrote:


> Assuming the path to their data dir is /var/lib/tor, we ask them to run:


Please don't get in the habit of asking relay operators through e-mail to
run complex bash command lines as root.  As a security practice, this is
terrible.  (How do you know the suggested command wasn't altered before it
reached its recipient?)

If you want to build a utility for this into the tor distribution, and make
it obvious what it does, I think that's fine.  If the site asked people to
run tor-request-tshirt or more generically tor-verify-ownership and it
asked for whatever required information, I'd think that'd be more obviously
safe.

Or as Robert suggests, just send verification mail to the listed contact
address of the relay.  If they don't list one on their config, find an
alternate verification mechanism like e-mailing whois contacts for the IP or
domain name, or refuse the request.

-- Aaron


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread I
Matt,

Thanks for handling the backlog of t-shirts as they are important as an 
acknowledgement of valuable contributions.

Isn't the value of the t-shirt disproportionate to the trouble you're going to 
to give them out?
If the weather message offering the t-shirt is answered by the same address 
isn't that proof enough?

As I haven't received a message yet and my details are plain and simple I 
wonder what could have gone wrong.

Robert




Re: [tor-relays] Drop in relay count

2015-05-03 Thread nusenu

> Looking at the graphs showing the number of relays in the network
> it seems like we've lost about 500 (-7%) relays since the beginning
> of this year.
>
> https://metrics.torproject.org/networksize.html?graph=networksize&start=2015-01-01&end=2015-05-03
>
> https://metrics.torproject.org/networksize.html?graph=networksize&start=2012-01-01&end=2015-05-03
>
> Looking at the graphs showing the total relay bandwidth of the
> network it seems like the advertised bandwidth has increased with
> about 25 Mbps (+23%).

I doubt that 25 Mbps is 23% of the tor network capacity, I guess it
should say GBit/s.

> https://metrics.torproject.org/bandwidth.html?graph=bandwidth&start=2015-01-01&end=2015-05-03
>
> https://metrics.torproject.org/bandwidth.html?graph=bandwidth&start=2012-01-01&end=2015-05-03
>
> Seems a bit contradictory at first sight. A guess would be that a
> lower number of fast relays have replaced a higher number of slow
> ones but I haven't looked into it more.
>
> Anyone who's looked into this? And can back up their theory with
> some numbers.

Unfortunately I've got no historic onionoo details data that goes back
to 2014 to compare with current data, but if anyone has, feel free to
upload it somewhere.

You probably also know about the 0.2.3.x relays:
https://metrics.torproject.org/versions.html


Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Sebastian Urbach

On May 3, 2015 7:45:39 PM Matthew Finkel matthew.fin...@gmail.com wrote:

Hi Matthew,


> Hi Ops,
>
> We recently began responding to t-shirt requests again. Sorry for the
> long silence. There's been a lot happening around here but not enough
> time or people to do everything, so the t-shirt requests simply remained
> untouched. But, despite the overload, t-shirts are important because
> they are a small token of our thanks and appreciation for making the
> network what it is today.
>
> We responded to around 70 t-shirt requests from relay operators in
> April, which comprised all requests for which we could verify (within
> reason) the request came from the person who controlled the qualifying
> relay. We still have another 20 requests where the requestor is not
> obviously the owner of the relay. Currently the content of a relay's
> Contact field is used, but this does not always provide enough (or any)
> information. For this case, we need an authentication mechanism which
> proves control of the relay but is something relay operators won't mind
> running.


I'm really not amused. As I recall a bunch of people including myself
offered to help. I get the distinct impression that you keep everything
within a small circle of people, no matter what. Even if that means that
services are suffering.



 
> My current plan is to ask relay operators to sign the fingerprint file
> which tor creates. The major disadvantage of this method is that it must
> be run as root (or a user with access to tor's data directory).
>
> The following process is the current plan, but does anyone have a better
> idea? Does it seem logical?
>
> When we receive a t-shirt request from someone who isn't obviously in
> control of the relay, we ask them to sign their fingerprint file with
> a unique salt.
>
> Assuming the path to their data dir is /var/lib/tor, we ask them to run:
>
> $ (echo -n salt ; cat /var/lib/tor/fingerprint) | openssl sha256 \
>    -binary | openssl pkeyutl -inkey /var/lib/tor/keys/secret_id_key \
>    -sign -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
>    -pkeyopt rsa_pss_saltlen:32 | openssl base64 > signed_fingerprint
>
> They send us both /var/lib/tor/fingerprint and signed_fingerprint.
>
> When we receive them, we confirm the fingerprint in the fingerprint file
> matches the qualifying relay. Then we retrieve the relay's public key
> from its descriptor and convert it into pkcs#8 format using:
>
> $ openssl rsa -pubin -in pubkey_pkcs1 -RSAPublicKey_in -out pubkey
>
> and then we verify the sig using following commands:
>
> $ (echo -n salt ; cat fingerprint) | openssl sha256 -binary | \
>    openssl pkeyutl -pubin -verify -inkey pubkey -sigfile \
>    $(OUT=/tmp/signed_fingerprint_bin; base64 -d signed_fingerprint > \
>    ${OUT}; echo ${OUT}) -pkeyopt digest:sha256 -pkeyopt \
>    rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32; rm \
>    /tmp/signed_fingerprint_bin;
>
> This should yield Signature Verified Successfully.
>
> Another disadvantage of this is PSS wasn't implemented in openssl's
> apps until 1.0.1. I wonder how many relays are running on servers which
> are still using openssl 0.9.8 (and 1.0.0?). For these servers we can
> fallback on pkcs#1 v1.5 signatures.
>
> The signature can be created using a command similar to the one above:
>
> $ (echo -n salt ; cat /var/lib/tor/fingerprint) | openssl dgst \
>    -sha256 | openssl rsautl -inkey /var/lib/tor/keys/secret_id_key \
>    -sign | openssl base64 > signed_fingerprint
>
> Again, they provide /var/lib/tor/fingerprint and signed_fingerprint,
> and we verify using:
>
> $ test "$(openssl base64 -d -in signed_fingerprint | openssl rsautl \
>    -pubin -verify -inkey pubkey)" = "$( (echo -n salt ; cat \
>    fingerprint) | openssl dgst -sha256)"; echo $?
>
> In addition, again, we confirm the fingerprint in the fingerprint file
> matches the fingerprint of the qualifying relay.
>
> Originally I used a few bashisms which made these simpler, but for
> this I suspect portability is important.
>
> Sorry this is a bit long.
>
> Thanks,
> Matt







--
Sincerely yours / Sincères salutations / M.f.G.

Sebastian Urbach

-
Religion is fundamentally opposed to
everything I hold in veneration - courage,
clear thinking, honesty, fairness, and,
above all, love of the truth.
-
Henry Louis Mencken (1880 - 1956),
American journalist, essayist, magazine
editor, satirist and critic.
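
The PSS sign-and-verify round trip from the proposal quoted in the message above, as an added example that is not part of the thread or of tor. It runs against a throwaway 2048-bit key and a constructed fingerprint file instead of /var/lib/tor, so no root access is involved; the function names, challenge strings and sample fingerprint are assumptions, `printf` stands in for `echo -n`, and the result is read from openssl's output text rather than its exit status.

```shell
#!/bin/sh
# Added example: salted-fingerprint PSS sign/verify round trip.
# Uses a throwaway key and a constructed fingerprint file, never /var/lib/tor.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for secret_id_key, its public half and the fingerprint file.
openssl genrsa -out "$WORK/test_id_key" 2048 2>/dev/null
openssl pkey -in "$WORK/test_id_key" -pubout -out "$WORK/pubkey"
printf '%s\n' 'ExampleRelay 0123456789ABCDEF0123456789ABCDEF01234567' > "$WORK/fingerprint"

PSS_OPTS='-pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32'

# digest CHALLENGE FILE: raw SHA-256 over the challenge followed by the file.
digest() {
    { printf '%s' "$1"; cat "$2"; } | openssl sha256 -binary
}

# Operator side. sign_fp CHALLENGE PRIVKEY FILE: base64 signature on stdout.
sign_fp() {
    digest "$1" "$3" | openssl pkeyutl -sign -inkey "$2" $PSS_OPTS | openssl base64
}

# Requester side. verify_fp CHALLENGE PUBKEY FILE SIG_B64: returns 0 only when
# openssl prints its success message for this challenge, file and signature.
verify_fp() {
    openssl base64 -d -in "$4" -out "$WORK/sig.bin"
    if digest "$1" "$3" | openssl pkeyutl -verify -pubin -inkey "$2" \
            -sigfile "$WORK/sig.bin" $PSS_OPTS 2>/dev/null |
            grep -q 'Signature Verified Successfully'; then
        return 0
    fi
    return 1
}

sign_fp 'challenge-A' "$WORK/test_id_key" "$WORK/fingerprint" > "$WORK/signed_fingerprint"

if verify_fp 'challenge-A' "$WORK/pubkey" "$WORK/fingerprint" "$WORK/signed_fingerprint"; then
    echo 'challenge-A: signature verified'
fi
# A signature made for one challenge must not satisfy a different one.
if ! verify_fp 'challenge-B' "$WORK/pubkey" "$WORK/fingerprint" "$WORK/signed_fingerprint"; then
    echo 'challenge-B: rejected'
fi
```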




Re: [tor-relays] T-shirts and Confirming Relay Control

2015-05-03 Thread Matthew Finkel
On Sun, May 03, 2015 at 10:26:52AM -0800, I wrote:
> Matt,
>
> Thanks for handling the backlog of t-shirts as they are important as an
> acknowledgement of valuable contributions.
>
> Isn't the value of the t-shirt disproportionate to the trouble you're going
> to to give them out?
> If the weather message offering the t-shirt is answered by the same address
> isn't that proof enough?
>
> As I haven't received a message yet and my details are plain and simple I
> wonder what could have gone wrong.

Hi Robert,

I replied privately about your situation but it's possible this plan is
more complicated than it needs to be. In general, I'd prefer we receive
t-shirt requests from the same email address as is specified in the
Contact field. Obviously, if they are different, we can always send the
response and t-shirt link to the address in the Contact field, but that
asymmetry seems weird to me, but I'm not against doing this.

For the situations where there is no email address in the contact field,
I'm not certain how else we can confirm we're sending the t-shirt to the
person who deserves it.

Thanks for your input!

- Matt


Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-03 Thread nusenu

> OVH is pretty good value,
>
> CAD$2.99/mo for 1GB RAM and unlimited transfer at 100Mbps (it’s
> speed limited after 10,000GB) and both IPv4/6.
>
> However there are 424 OVH relays across 12 countries might not fit
> with your goal to add more diversity

Yes, OVH AS is probably the worst place to add relays from a diversity
pov since it is the AS with the highest CW fraction (10%).