Safe destinations

Michael cozzi at cozziconsulting.com
Fri Jul 3 09:46:56 UTC 2009


Gregory Maxwell wrote:
> There are many people who would like to run tor exits but whom don't
> because of the inevitable flood of abuse complaints.
>   

    Agreed.

> At the same time, there are a great many high traffic destinations on
> the internet which have little to no complaint potential because they
> are effectively read-only or are otherwise understood to be
> tor/anonymity friendly.
>
>   

    Agreed.

> Examples include most news sites, virtually all CDN services (used to
> distribute images by large sites), freenode IRC, Wikipedia, other
> anonymity services, search engines, and probably most instant
> messaging networks (?).
>
>   

    Agreed.

> Right now nodes can attempt to exit to only to safe locations and
> protocols by carefully crafting their exit policies but this takes a
> fair amount of work to maintain, clutters up the directories, and
> risks making the exit look like a single-purpose-password-sniffer.
>
>   

    Disagreed. I'm not sure how a limited exit policy makes a defacto 
statement about the intent of the administrator. Any exit node could be 
used for cleartext snooping. Even a node with permissive exit policies 
can be snooped selectively.

> How awful would it be to create a community managed list of 'safe
> destinations' distributed by the directory servers as a single object
> which exit operators could include in in their exit policies and
> further refine with local rules?
>
>
> Some exit operators would likely switch to safe-mode, reducing the
> total amount of universal-exit capacity but if the safe list included
> enough high traffic sites it would probably more than offset the loss
> and arguably anyone who switched was likely to quit in any case.
>   

    Gregory, while the behavioral outcome of what you are proposing is 
speculation, you would also have to expect that many (some) non exit 
relays would choose to exit to safe services. My guess is that overall 
network bandwidth would go up.

    A community maintained list, not associated with the Tor Project, 
might provide an answer. We could easily dig up all the IP/port 
information needed to create "safer" exit policies.

    I still like the idea of allowing administrators the ability to 
create a rule in the form of:

    Accept *.google.com:80
    Accept *.google.com:443

    From my standpoint it seems most functional from an exit node 
operator's standpoint.

    From a technical standpoint I have little idea what it means to the 
directory for additional rules like this to be included. At face value 
it may be trivial (please notice the word "may"). I'm also not a good 
enough programmer, so I really can't dive into the Tor source and be 
able to tell the issues involved with my suggested *.domain.tld:port 
statement.

    I've been doing a little code monkeying in python with the idea of 
being able to create a list of *.domain.tld:port lists with an automated 
output to torrc followed by a HUP. Sadly, in order to pull this off with 
any real elegance, I need to be able to get a zone transfer from the 
target domain's name server- which is not likely. However, it does work 
on my own domains and name server. So the concept at least works for 
local domains.

    At this point it's still easier to grope for the DNS information, 
and construct IP:port exit rules by hand.

    Michael



More information about the tor-talk mailing list