On Wed, Dec 07, 2016 at 02:25:03PM +0200, Rana wrote:
On Wed, Dec 07, 2016 at 11:51:34AM +0000, Matthew Finkel wrote:
On Wed, Dec 07, 2016 at 01:25:59PM +0200, Rana wrote:
I mean, why aren't some exit nodes kept hidden, at least partially and temporarily, like bridges? This would mitigate web services denying service to Tor users (Gmail is the most recent example), plus would increase security.
I'll simply refer you to the FAQ:
That was rude of me, answer below. Do you disagree with the reasoning?
That was not rude at all, thank you for the reference to the FAQ. I largely got a satisfactory explanation there although points (b) and (c) might be controversial.
The one point I find difficult to agree with is "(a) We can't help but make the information available, since Tor clients need to use it to pick their paths." If bridges can be hidden and provided to clients on as-needed basis, so can exits.
Yes, this is true, and it's a topic that comes up every couple years. But, there are significant differences between bridges and exits. First, choosing your circuit's exit manually is a usability nightmare and could destroy your anonymity. Even if you give your tor client a small set of "hidden" exits, over time traffic from these nodes will be linked to your connections and they will be linked to Tor. It's not easy for users know when this happens. Tor tries extremely hard at preventing users from hurting themselves.
Research has shown that bridges (and guards) should be used for longer periods of time, but if you use an exit for too long then you risk leaking too much information about your behavior (to both the exit and the destination server).
Similarly, using a hidden exit becomes more risky if the user is already using a bridge because there is (currently) less oversight of the bridges than there is for the public network. This would likely be true for hidden exits, as well. This presents the problem that traffic analysis attacks against a small subset of Tor users become incredibly easy.
When it comes to hidden nodes, they never remain hidden forever. Some adversaries already crawl the list of bridges and block them, other adversaries would do the same if some exit nodes were not public.