[tor-relays] Comcast blocks ALL traffic with tor relays

s7r s7r at sky-ip.org
Mon Jun 12 14:50:23 UTC 2023


xmrk2 via tor-relays wrote:
> Any ideas on how to combat this? I was thinking about including some 
> false positives in tor relay list. Imagine including some Google 
> servers' IP addresses - Comcast customers suddenly cannot connect to 
> Google, unless Comcast stops this blocking... or simply whitelists 
> Google. But those false positives sound ugly and a bit malicious, not 
> sure it is a good idea.
> 

This sucks big time, if true. I am trying to ping Comcast from a middle 
relay IP address and it seems to work. I guess you mean AS33651 - 
Comcast Cable LLC. Anyway, it could be; in the latest consensus there is 
not a single relay (middle or exit) hosted in AS33651.

I am not sure about the false positive solution, I see only downsides, 
including but not limited to:

- it's not ethical for Tor Project to do this, e.g. stating another 
company's infrastructure (say Google IP address space) is part of a 
network when in fact it's not. I get it that the goal is privacy oriented 
and in good faith (freedom faith) but it seems rather inappropriate;

- there is no evidence that a blocker might use a list of relays 
provided by Tor Project's metrics portal (I am confident nobody does it 
because it's less effective) - they can just run a Tor client and get a 
copy of a consensus and extract from there IP:PORT IPv6:PORT and do from 
there whatever they please;

- if you include such false positives in the consensus you have to 
simulate dummy Tor relays on those "hot" IP addresses, like providing an 
onion key, RSA identity and ed25519 identity, thus looking like a relay, 
state some bandwidth for it, etc - in this case how will a Tor client 
know which relay is dummy and which not, in order not to try to 
establish circuits that fail, ultimately producing a terrible user 
experience for all users. Same applies for other relays, not just 
clients, that need to produce connections with the dummy relays. If we 
somehow mark them as "dummy", it will be pretty stupid and obvious and 
a waste of effort, as the blocker can simply understand the "dummy" marker 
and it's done, I guess it's pretty obvious.

> I already wrote about this publicly, and also wrote a mail to EFF. Hope 
> I am not spamming, I feel this is quite an important issue and am a bit 
> frustrated by the lack of attention it gets.
> 

Not at all, this is very interesting and not spamming at all. I think it 
is unacceptable for this to happen, and I think all Comcast customers 
should quit if this is true - large internet corporations are trying to 
move on from "IP address identifications", as in only a beginner that 
discovered the internet one week ago still thinks of the IP address as 
"identification of a certain individual / entity"; everybody is moving 
to advanced layers of authentication on a per-device basis, cryptographic 
public key, etc. If Comcast does such a thing, they set themselves 25 
years behind the industry they operate in. And this can create many 
unwanted effects; someone should try to do something about this, but I am 
not sure what we Tor volunteers *can* do to help with this, especially 
the ones that are not Comcast customers. EFF is the best start IMO.
