[tor-dev] Xeronet's torrc

Nathan Freitas nathan at freitas.net
Thu Dec 27 03:37:00 UTC 2012


I was just made aware of this "advanced" torrc configuration below. Any
comments on it, from a client-only/mobile device perspective? I can
understand how it might deanonymize you, but it might be a trade-off
that users seeking fast circumvention only may want to make.

http://xeronet.primeoptic.net/tor/torrc.php

***
Advanced Torrc Settings - Did You Edit The Config?

This is a working example of an advanced configuration for use with the
Tor Browser Bundle.

N.B. Vidalia will show the following 'warning' message if you use this
Torrc file and specifically StrictNodes 1: "You have asked to exclude
certain relays from all positions in your circuits. Expect hidden
services and other Tor features to be broken in unpredictable ways." If
something is broken or you cannot connect, you should set StrictNodes
to 0 again. If you don't want to see warning messages then you can always
switch them off in Vidalia > Messages > Options.

xeronet Torrc - v1.4 - 12/12/2012 - Download ... 'Save As'.

This file can be used to replace the existing Torrc file in your Tor
Browser Bundle > Data > Tor

The idea is to make Tor faster and safer for regular internet browsing,
and it does work!

How does it work? Well, Tor works just great 'out-of-the-box'; however,
by tweaking settings and controlling how Tor connects to its own network
we can improve on privacy and security.

(1) Block 'Bad' Exit Nodes using: ExcludeNodes

'Bad' Exit Nodes are flagged in red here: http://torstatus.blutmagie.de

N.B. torstatus.blutmagie.de will probably load very slowly in your web
browser and might even appear to 'freeze'! It contains a lot of 'live'
data. Be patient and it will load up OK.

(2) Block 'problematic' internet countries using: ExcludeNodes

'problematic' internet countries can be found here: http://map.opennet.net

and here: https://wikipedia.org/wiki/Internet_censorship_by_country

N.B. The 'default' list of blocked Countries has been selected by
including those Countries using Pervasive and Substantial blocking of
Internet Tools and Political, Social, Conflict and/or Security website
filtering... You have lots of Tor servers to choose from... Why should
you use a Tor server in a country that heavily filters its own citizens
or perhaps even worse... (Don't worry: in doing this you will not be
preventing access to the Tor network from users in these Countries.)

Recommended: 'problem' internet countries Block List: Afghanistan,
Algeria, Armenia, Argentina, Azerbaijan, Bangladesh, Belarus, Burma,
China, Colombia, Cuba, Egypt, Eritrea, Ethiopia, Gambia, Georgia, Ghana,
Guatemala, India, Indonesia, Iraq, Iran, Israel, Jordan, Kazakhstan,
Kuwait, Kyrgyzstan, Laos, Lebanon, Libya, Macau, Malawi, Mali, Malaysia,
Mauritania, Mexico, Moldova, Mongolia, Morocco, Nepal, Nigeria, North
Korea, Oman, Pakistan, Palestinian Territories, Paraguay, Peru,
Philippines, Qatar, Russia, Rwanda, Saudi Arabia, Somalia, South Africa,
South Korea, Sudan, Sri Lanka, Syria, Taiwan, Tajikistan, Thailand,
Tunisia, Turkey, Turkmenistan, UAE, Uganda, Uzbekistan, Venezuela,
Vietnam, Yemen, Zimbabwe.

See: https://wikipedia.org/wiki/List_of_Internet_top-level_domains for
Country Codes.

N.B. You might also consider adding / blocking your own country or
location, if it is not already included in the list. This will have
obvious benefits in increasing both your privacy and anonymity.

Additional: 'slow' internet countries (below 1000 kbps avg.) Avoid List:
Angola, Benin, Bolivia, Botswana, Burkina Faso, Burundi, Cameroon,
Central African Republic, Chad, Comoros, Republic of the Congo,
Democratic Republic of the Congo, Côte d'Ivoire, Djibouti, Equatorial
Guinea, Gabon, Guinea, Guinea-Bissau, Guyana, Liberia, Mozambique,
Namibia, Niger, Rwanda, Sao Tome and Príncipe, Senegal, Sierra Leone,
Swaziland, Tanzania, Uganda, Zambia.

See: http://www.akamai.com/stateoftheinternet/ for avg. internet speeds.

(3) Block potentially mis-configured servers using: ExcludeNodes

Mis-configured nodes might include: default or Unnamed servers etc.

(4) Select fast (high bandwidth) Entry servers using: EntryNodes

(5) Select fast (high bandwidth) Exit servers using: ExitNodes

Fast (high bandwidth) servers can be found here:
http://torstatus.blutmagie.de

N.B. Servers selected for this example Torrc have been chosen because
they are run by individuals or non-profit organizations with an interest
or involvement in supporting internet privacy and security, freedom of
speech and / or the free software movements i.e. torservers.net,
globenet.org, riseup.net, privacyfoundation.ch, privacyfoundation.de,
tor.noisebridge.net, fsf.org, team-cymru.org, eff.org and others.

(6) Use StrictNodes 1 to enforce the server selection.

N.B. "If StrictNodes is set to 1, Tor will treat the ExcludeNodes option
as a requirement to follow for all the circuits you generate, even if
doing so will break functionality for you. If StrictNodes is set to 0,
Tor will still try to avoid nodes in the ExcludeNodes list, but it will
err on the side of avoiding unexpected errors. Specifically, StrictNodes
0 tells Tor that it is okay to use an excluded node when it is necessary
to perform relay reachability self-tests, connect to a hidden service,
provide a hidden service to a client, fulfill a .exit request, upload
directory information, or download directory information. (Default: 0)"

(7) Use FascistFirewall 1 to force port 80 (http) and port 443 (https)
access.

N.B. "If 1, Tor will only create outgoing connections to ORs running on
ports that your firewall allows (defaults to 80 and 443; see
FirewallPorts). This will allow you to run Tor as a client behind a
firewall with restrictive policies, but will not allow you to run as a
server behind such a firewall. If you prefer more fine-grained control,
use ReachableAddresses instead." If you choose to do this then make sure
that your selected Nodes use port 80 and/or port 443.

(8) Use UseEntryGuards 1 for increased security.

N.B. "If this option is set to 1, we pick a few long-term entry servers,
and try to stick with them. This is desirable because constantly
changing servers increases the odds that an adversary who owns some
servers will observe a fraction of your paths. (Defaults to 1.)"

(9) Use ClientOnly 1 for the Tor Browser Bundle.

N.B. "If set to 1, Tor will under no circumstances run as a server or
serve directory requests. The default is to run as a client unless
ORPort is configured. (Usually, you don’t need to set this; Tor is
pretty smart at figuring out whether you are reliable and high-bandwidth
enough to be a useful server.) (Default: 0)"

(10) Tips: Do add Authority servers to your EntryNodes list. Do add
ExitNodes as EntryNodes. Don't add EntryNodes as ExitNodes! Do block
new 'bad' Nodes in ExcludeNodes.

Do check the status of the nodes that you have selected on a regular
basis. Do find and add new bridge nodes as EntryNodes if you require
them for access. If you have problems connecting to Tor then changing
FascistFirewall to 0 and/or StrictNodes to 0 will probably fix the issue.

Do read the Tor Manual: https://www.torproject.org/docs/tor-manual.html
> CLIENT OPTIONS

Remember: You can view or edit your Torrc file using Notepad.exe or
another text editor.

This example Torrc file will be updated when necessary, so do check back
here occasionally for a new version.

Thank you and safe browsing.
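As an added example (not code from the original post, from the xeronet page, or from the Tor project): a small offline linter that reads a client torrc built along the lines of steps (1)-(9) above and flags the things the page and the quoted man-page text warn about, plus the caveat raised in the covering mail. It checks that country entries are two-letter codes rather than names, that no relay is both pinned (EntryNodes/ExitNodes) and excluded, that StrictNodes 1 and FascistFirewall 1 are present with their consequences, and that a very short fixed relay list is noticed as a distinguishing feature of the client. The SAMPLE_TORRC inside is constructed here, its relay fingerprints are invented, and the SMALL_POOL threshold is this example's own assumption, not a Tor rule.

```python
"""Offline linter for a Tor client torrc of the kind described in the post.

Added example: not code from the original post or from the Tor project.
SAMPLE_TORRC is constructed here; its fingerprints are invented and
SMALL_POOL is this example's own threshold.
"""
import re

NODE_LIST_OPTIONS = ("EntryNodes", "ExitNodes", "ExcludeNodes", "ExcludeExitNodes")
# Tor country specs are two-letter codes like {de}; {??} is Tor's "country unknown".
COUNTRY_SPEC = re.compile(r"^\{([a-z]{2}|\?\?)\}$")
SMALL_POOL = 5  # assumption: fewer pinned relays than this is a recognisable setup

SAMPLE_TORRC = """\
# Constructed sample following steps (1)-(9) of the post; fingerprints are invented.
ClientOnly 1
UseEntryGuards 1
FascistFirewall 1
StrictNodes 1
ExcludeNodes {cn},{ir},{sy},{kp},{Saudi Arabia},Unnamed,default
EntryNodes $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
ExitNodes $CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,{kp}
"""


def parse_torrc(text):
    """Return {Option: [value, ...]} with every occurrence kept in file order.

    Tor lets a later line override an earlier one for single-valued options;
    keeping all lines lets each check pick the rule it needs.  '#' starts a comment.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(parts[0], []).append(value)
    return options


def node_specs(values):
    """Split comma-separated node specs ($fingerprint, nickname, {cc}, ip) into a set.

    Lower-cased because Tor compares fingerprints, nicknames and country codes
    case-insensitively.
    """
    specs = set()
    for value in values:
        for spec in value.split(","):
            spec = spec.strip()
            if spec:
                specs.add(spec.lower())
    return specs


def lint_torrc(text):
    """Return [(code, message), ...] for a client torrc; an empty list means no finding."""
    opts = parse_torrc(text)
    lists = {name: node_specs(opts.get(name, [])) for name in NODE_LIST_OPTIONS}
    findings = []

    def enabled(option):
        return opts.get(option, ["0"])[-1] == "1"  # last occurrence wins, as in Tor

    # Step (2): countries must be given as two-letter codes, not names.
    for name, specs in lists.items():
        for spec in sorted(specs):
            if spec.startswith("{") and not COUNTRY_SPEC.match(spec):
                findings.append(("bad-country-spec",
                                 f"{name}: {spec!r} is not a two-letter country code such as {{de}}"))

    # A relay that is both required and excluded is a contradiction Tor cannot honour.
    for name in ("EntryNodes", "ExitNodes"):
        clash = lists[name] & lists["ExcludeNodes"]
        if clash:
            findings.append((f"{name.lower()}-excluded",
                             f"{name} entries also listed in ExcludeNodes: {', '.join(sorted(clash))}"))

    # Step (6): per the quoted man page, StrictNodes 1 turns ExcludeNodes into a hard rule.
    if enabled("StrictNodes") and lists["ExcludeNodes"]:
        findings.append(("strictnodes",
                         "StrictNodes 1: hidden services, .exit requests and directory fetches may "
                         "break instead of falling back to an excluded relay (StrictNodes 0 allows that)"))

    # Step (7): with FascistFirewall only the allowed ORPorts are ever contacted.
    if enabled("FascistFirewall"):
        ports = opts.get("FirewallPorts", ["80,443"])[-1]
        findings.append(("fascistfirewall",
                         f"FascistFirewall 1: only ORPorts {ports} are used; every EntryNodes relay "
                         "must listen on one of them"))

    # The caveat from the covering mail: a short fixed relay list is itself a distinguishing
    # feature of this client.  Country specs are not counted; SMALL_POOL is our assumption.
    for name in ("EntryNodes", "ExitNodes"):
        pinned = {s for s in lists[name] if not s.startswith("{")}
        if 0 < len(pinned) < SMALL_POOL:
            findings.append((f"{name.lower()}-small-pool",
                             f"{name} pins only {len(pinned)} relay(s); circuits are confined to a "
                             "set that few other clients share"))
    return findings


if __name__ == "__main__":
    for code, message in lint_torrc(SAMPLE_TORRC):
        print(f"[{code}] {message}")
```

Run against the constructed sample it reports the misspelled country spec, the {kp} that is both an ExitNodes entry and excluded, the StrictNodes and FascistFirewall consequences, and the two-relay entry pool; a torrc that only sets ClientOnly and UseEntryGuards produces no findings. Checking whether a pinned relay actually listens on port 80/443 or carries the Exit flag needs consensus data and is deliberately out of scope here.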
