Traffic routed through Sweden

F. Fox kitsune.or at gmail.com
Wed Jul 2 20:23:43 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

M wrote:
> First of all, some informationa about the situation:
> http://frapedia.se/wiki/Information_in_English
> 
> I'm running two nodes in Finland, very restricted exit poliecies
> (googles ip's, scroogle, https, pops and imaps allowed).
> 
> Circa 90% of traffic originating from Finland and going outside of
> Finland is routed through Sweden (that bites a lot).
> 
> As Swedish FRA is listening, logging, building "sosiograms" and trying
> to decrypt all traffic going through their borders should I be worried
> about my exit nodes? Should I do something about exit-policies?
> 
> Encryption does protect the data but it does not protect from tracking
> who is in connection with who. As I run exit-nodes that routes traffic
> about 2Mb/s/2Mb/s - 10Mb/s/10Mb/s and 4Mb/s/4Mb/s I'm getting my fair
> share of tor's traffic. So.. FRA is building a nice file of my ip and
> thinks that everything coming from tor is really traffic originated by me.
> 
> M
> 
> ps: as always, sorry for my bad "fenno-english".

It really depends on whose privacy you're worried about. Allowing exits
only on ports that typically are used with end-to-end encrypted
protocols*, should help limit the amount of information the FRA can
gather; while they can tell what's being accessed, they can't get the
much deeper "psychological" info that could be gathered from content.

I don't think that even with unencrypted traffic, that it would be a
major threat to the anonymity of the clients entering the network
somewhere else** - the main worry, as I see it, would be if they thought
it was from you.

As mentioned before, the best you can do as an exit node (for your own
protection), is to allow ports that tend to be used with encryption.



*: Others have pointed out that many ports which are commonly associated
with encrypted protocols may - in practice - actually be used without
encryption. This can be due to protocols which support either plain or
cipher mode (e.g., Gmail's SMTP on TCP 587), or to deliberate hackery
(e.g., someone could run a standard HTTP server on TCP 443, in order to
get around an ISP block of TCP 80 [although if they're at that level,
I'd figure they'd just use HTTPS for the extra privacy =;o) ]).

(In a manner of speaking, I'm doing repurposing of a port in this manner
- - although Tor uses SSL, I'm using TCP 443 for onion routing, rather
than its "normal" purpose as an HTTPS server.)

**: FWIW and IMHO, I believe that much of the privacy and security of
clients not only has to be, but *should be* left to them. Stopping
Darwin and bottle-feeding those with inferior skills and/or capacity
only drags down the human race. Those who can, will learn; those who
cannot, will suffer the consequences.

- --
F. Fox
AAS, CompTIA A+/Network+/Security+
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSGvjzuj8TXmm2ggwAQiYGhAArVhD0iX88t+jqq2eBWzLzCor5n2O0y2Z
PE6/3hzXNZ4/bzWINyY75kS01V5GX65+JlAmZwqWsg1wg8kQFvSOMptwXANspgUN
7YSAVUjCnsfkvv0rocb1rzFKRa2X+qqG32dTwYC86VL/i8mHXTHC3aFfdmMCV9Qm
OAUYSN/4xXSop8B4f65n2Wk9DsyZNEFYF0gGPxtOzFKru5+GZiHNGJZXVPD2JzSG
CJ9EG6oub6p91mBYExyXPg6vuiiDXOOQMyS0j+NNeeUV8yN4fANGBpp1sr7JPbGM
lifDWGrV1yfrFA0/tdWvpan0ltO399zeSS6nFqd+KekMvdKiPuAXHeg67XbSucZg
/Iz8ELfXC/81rD/tkTc00ghnJ5XWxtgJMjZvZ15ADNxPXMy9r9rG/exzEdqs3QiB
zFM3F95DP3No/8QWFar11U4KEDnxL4t0xYY9sYJw+irFAVpkjXyo/EavPOvjqfhu
BDyBkUljWda6UYN39anZVN9xKhmFl+ZiO+ZbrRX4r4cgWe4HO4X4pOowb5oqrbLM
jmrzdV1UGR4HK644N34vhuMXKmQNa7ztq7kx4oFGs8k7C8RerI8un2UEctLkMioT
7o+zUvxSpt3KPqHedKcMrbMYnZ6g11w6NNQz1vGYZrh22eVMvITPRXb/WYbX4FaB
+/pzrnLk4u4=
=0z1r
-----END PGP SIGNATURE-----



More information about the tor-talk mailing list