I have been running private bridges for my VIP contacts for a long time. I use PublishServerDescriptor 0 to keep my bridges private.
Is it possible to also run a private Exit node?
What would happen, if I hard coded an exit into my torrc that is not published (if possible at all)?
All the best, SiNA
On 8/8/12, SiNA Rabbani sina@redteam.io wrote:
> I have been running private bridges for my VIP contacts for a long time. I use PublishServerDescriptor 0 to keep my bridges private.
> Is it possible to also run a private Exit node?
Yes, but (a) anyone who notices that it exists can use it, and (b) it would be very risky for anyone to make their Tor client able to use a private exit node (it could identify them as someone who knows that that exit node exists, even if they aren't currently trying to use it).
> What would happen, if I hard coded an exit into my torrc that is not published (if possible at all)?
Nothing. You also need to feed its descriptor to Tor using the control port.
Robert Ransom
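
The control-port step mentioned in the reply above corresponds to the POSTDESCRIPTOR command in Tor's control protocol. The following is an added example, not code from the thread or from the Tor project, showing how that multi-line command is framed. It assumes the client's torrc sets ControlPort 9051 and CookieAuthentication 1; the cookie path is supplied by the caller and the sample descriptor is constructed, not a valid one.

```python
import socket

PURPOSES = ("general", "controller", "bridge")

def build_postdescriptor(descriptor, purpose="general", cache=False):
    """Frame a router descriptor as a control-port +POSTDESCRIPTOR command."""
    if purpose not in PURPOSES:
        raise ValueError("unknown purpose: %r" % purpose)
    lines = descriptor.replace("\r\n", "\n").strip("\n").split("\n")
    # Multi-line data: a line that starts with "." gets one extra leading "."
    # so it cannot be mistaken for the terminating "." line.
    body = ["." + ln if ln.startswith(".") else ln for ln in lines]
    head = "+POSTDESCRIPTOR purpose=%s cache=%s" % (purpose, "yes" if cache else "no")
    return ("\r\n".join([head] + body + ["."]) + "\r\n").encode("ascii")

def post_descriptor(descriptor, cookie_path, host="127.0.0.1", port=9051):
    """Authenticate with the cookie file, post the descriptor, return Tor's reply line."""
    with open(cookie_path, "rb") as f:
        cookie = f.read()
    with socket.create_connection((host, port), timeout=10) as sock:
        ctl = sock.makefile("rwb")
        ctl.write(b"AUTHENTICATE " + cookie.hex().encode("ascii") + b"\r\n")
        ctl.flush()
        reply = ctl.readline()
        if not reply.startswith(b"250"):
            raise RuntimeError("authentication failed: %r" % reply)
        ctl.write(build_postdescriptor(descriptor))
        ctl.flush()
        # "250 OK" means the descriptor was accepted; a 5xx reply means it was rejected.
        return ctl.readline().decode("ascii", "replace").strip()

# Constructed sample text (not a valid descriptor), used only to show the framing.
SAMPLE = "router privexit 192.0.2.10 9001 0 0\n.odd line\nreject *:*\n"

if __name__ == "__main__":
    print(build_postdescriptor(SAMPLE).decode("ascii"))
```
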
On Wed, Aug 08, 2012 at 06:19:16PM +0000, Robert Ransom wrote:
> On 8/8/12, SiNA Rabbani sina@redteam.io wrote:
> > I have been running private bridges for my VIP contacts for a long time. I use PublishServerDescriptor 0 to keep my bridges private.
> > Is it possible to also run a private Exit node?
> Yes, but (a) anyone who notices that it exists can use it, and (b) it would be very risky for anyone to make their Tor client able to use a private exit node (it could identify them as someone who knows that that exit node exists, even if they aren't currently trying to use it).
Saying it is very risky seems too strong and too general. A very likely threat model could comprise a client-local attacker that you don't want seeing your destinations or your private exit, together with the threat of a (colluding or non-colluding) hostile exit node that you don't want mucking with or recording your exiting traffic. In that setting you would be better served using a private exit than a public one chosen using current Tor defaults.
Yes you would be subject to epistemic attacks. (You probably want to also do some sort of layered guards to protect against the middle node creating a pseudonymous client profile _if_ that is also a threat you care about. For that matter, if you ever use this to go to a hostile server or to a server over hostile underlying network, your adversary will get a pseudonymous profile of you via the traffic coming from that private exit---if it is recognized qua exit.) Also, won't the middle relay balk at extending to an unlisted exit unless the middle relay is itself an exit? (Can't recall where the checks happen.) This will also flag you as quite different to the middle relay.
My main point is that, despite all this, there may be other threats that are more significant to you that are less well protected by current Tor defaults than a private exit would be. This isn't something to recommend as an easy option for generic users, but it is likely to make sense for some.
As another motivation, you might want to access a server (your own or someone else's) through Tor that only accepts connections from certain IPs and ports that are not to be found among the policies of available Tor exits (or Tor exits you would trust). Another ill-understood shifting in both security and performance that might be worth it.
aloha, Paul