nusenu:
After looking at lots of malicious relay data of the past few months I've come to the conclusion that exit relays without ContactInfo are largely run by malicious actors.
I propose to make torrc's ContactInfo mandatory for exit relays with the following timeline:
tor 0.4.6: log a warning that tor will require ContactInfo to be set on an exit relays starting with tor v0.4.7
tor 0.4.7: no longer assign the exit flag to relays not having a ContactInfo (< 5 chars) in their descriptor. Log a warning for relay operators,
I'll add graphs that show exit fraction provided by exit relays without
ContactInfo over time
to OrNetStats.
Is this an effective remedy to deter malicious actors? No and it is not meant to be one. It is trivial to set a random non-empty ContactInfo, only in combination with other countermeasures it becomes actually useful.
ContactInfo is also mentioned in this draft: https://gitlab.torproject.org/tpo/community/team/-/wikis/Expectations-for-Re...
I'll make it easy for Tor Browser users to exclude exit relays without ContactInfo from their configuration. This might makes the proposal irrelevant should the release alone result in exits getting non-empty ContactInfos. More details will follow soon.
I don't think we should go to add something into tor. That's a lot of effort and additional code compared to the expected win. First of all, this is easy to game as you are mentioning. Secondly, and more importantly, we should instead catch such malicious relays when scanning or looking over the nodes joining the network.
Additionally, looking over the last couple of weeks and months it seems there are some non-malicious exit nodes with no contact info joining the network, too. There is the risk that we drive those relay operators away by a) raising the bar generally for entering the network and b) making it more confusing to setup relays by requiring some (even non-valid) contact info for exit relays yet not for non-exits.
So, yes, fighting against malicious (exit) nodes is an important and ongoing task but we should use the right means for that goal without adding additional burdens to exit node operators if we can help it.
(FWIW: on the client side there is still the HTTPS-only mode in the pipeline, which could easily be a game-changer here, too.)
Georg
kind regards, nusenu
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays