On 09.07.2020 00:20, Jonas wrote:
If you can detect the "bad relays", why not simply flag them and move on?
I agree with you for publicizing bad relays and locking them faster. Personally, I blocked some exits in my Tor browser. E.g. these expensive high bandwith (unnamed & without mail contact) https://metrics.torproject.org/rs.html#toprelays
A few concerns about the proposed plans. Putting a validated email address in a public field is a concern. It becomes trivial to scrape the address and spam the relay operator. Personally, this is a problem for now (2,500 spam emails in the past week).
However, the validation email address only needs to be available for a short time. Many providers require that you have an abuse address for an exit server. I have my email not obfuscated and hardly get any spam. And when I get some, I will change it. ;-) https://metrics.torproject.org/rs.html#search/TorOrDie4privacyNET (greylisting, amavisd & spamassassin can help)
Require PGP/GPG is silly. It is a failed system and is easily exploited to find all connections in a social network map. Even the US EFF wants you to stop using it[1]. The system was exploitable for a > decade before users noticed.
PGP/GPG should be used here for verification, not for encryption. Every Debian or Githup package is GPG signed.
With this scenario, we are all a single legal request away from a government agency having all of this data. I understand the USA and EU abuses this system constantly with secret requests. Police and intelligence agencies already have thousands of idle shelf companies waiting to be used.
I am sure that they have direct access to DNS Whois address owner. And the address lists of large providers (Hetzner, OVH and Online S.a.s) will have had them for a long time. Old rule: 'follow the money'. Anyone who does not use Monero to pay for their servers @ provider is known to them. Combating terrorism and child pornography makes it possible. They don't have to come to the Tor Project office with a legal request ;-)
Tor Project has my address and bank details for a long time. The people from the CCCCologne know where I live anyway. Ah, and niftybunny too.