<div dir="ltr"><div>Is there anything Tor can do inside the Tor browser itself?</div><div></div><div>I would understand and support something as drastic as disabling non-HTTPS, non-Onion connections altogether. When the user types a URL with no protocol prefix, the browser will assume HTTPS.</div><div>This may break some websites, so a transition may be required. Such a transition can start with a warning banner, proceed to a warning page, then to a browser setting to enable it, and finally to disabling the capability for good.</div><div><br></div><div>The above assumes there is much less benefit in running a rogue Tor exit if the operator cannot see or alter the content it is relaying.<br></div><div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 14, 2020 at 1:25 PM niftybunny <<a href="mailto:abuse-contact@to-surf-and-protect.net">abuse-contact@to-surf-and-protect.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;"><a href="https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac" style="font-size:14px" target="_blank">https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac</a><div><span style="font-size:14px"><br></span></div><div><ul style="box-sizing:inherit;margin:0px;padding:0px;list-style:outside none none;color:rgba(0,0,0,0.8)"><li id="gmail-m_-6843071043679208027bb69" style="box-sizing:inherit;color:rgb(41,41,41);line-height:32px;letter-spacing:-0.003em;list-style-type:disc;margin-left:30px;padding-left:0px;margin-top:1.05em"><span style="font-size:14px">There are multiple indicators that suggest that the attacker still runs >10% of the Tor network exit capacity (as of 2020–08–08)</span></li></ul><div><span style="font-size:14px"><br></span></div><div>And on this one: I trust nusenu who told me we still have massiv malicious relays.</div><div><br></div><div></div><div><br></div><div><br><blockquote type="cite"><div>On 14. Aug 2020, at 19:12, Roger Dingledine <<a href="mailto:arma@torproject.org" target="_blank">arma@torproject.org</a>> wrote:</div><br><div><div>On Thu, Aug 13, 2020 at 03:34:55PM +0200, niftybunny wrote:<br><blockquote type="cite">This shit has to stop. Why are the relays in question still online?<br></blockquote><br>Hm? The relays are not online -- we kicked them in mid June.<br><br>We don't know of any relays right now that are attacking users.<br><br>Or said another way, if anybody knows of relays that are doing any attacks<br>on Tor users, ssl stripping or otherwise, please report them. I believe<br>that we are up to date and have responded to all reports.<br><br>That said, there is definitely the uncertainty of "I wonder if those<br>OVH relays are attacking users -- they are run by people I don't know,<br>though there is no evidence that they are." We learned from this case<br>that making people list and answer an email address didn't slow them down.<br><br>I still think that long term the answer is that we need to shift the<br>Tor network toward a group of relay operators that know each other --<br>transparency, community, relationships, all of those things that are<br>costly to do but also costly to attack:<br><a href="https://gitlab.torproject.org/tpo/metrics/relay-search/-/issues/40001" target="_blank">https://gitlab.torproject.org/tpo/metrics/relay-search/-/issues/40001</a><br><a href="https://lists.torproject.org/pipermail/tor-relays/2020-July/018656.html" target="_blank">https://lists.torproject.org/pipermail/tor-relays/2020-July/018656.html</a><br><a href="https://lists.torproject.org/pipermail/tor-relays/2020-July/018669.html" target="_blank">https://lists.torproject.org/pipermail/tor-relays/2020-July/018669.html</a><br><br>But the short term answer is that nobody to my knowledge has shown us<br>any current relays that are doing attacks.<br><br>Hope that helps,<br>--Roger<br><br>_______________________________________________<br>tor-relays mailing list<br><a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.org</a><br><a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br></div></div></blockquote></div><br></div></div>_______________________________________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
</blockquote></div>