Such a clear explanation would be good to see on torproject.org.
 


-----Original Message-----
From: nusenu-lists@riseup.net
Sent: Sat, 04 Jan 2020 11:44:00 +0000
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Exit Concentration vs Bulk filters?

> I never heard a real technical reason to avoid
> high concentration of Tor exit capacity.

Let me give you a few examples why a distributed network is in some ways
more resilient to attacks and harder to observe than a centralized one.

Observability

If all traffic leaves the tor network at a single or very few places, surveillance becomes a lot easier and cheaper
when compared to a network that is distributed and has many exit locations.

Resiliency against outages

If all capacity is concentrated around just a few locations, local issues/outages have a bigger impact
on the overall availability and capacity of the network.

Resiliency against software vulnerabilities

A single operator tends to set up their systems in a relatively similar manner.
Most of their relays will use the same OS, OS version, SSL library, tor version, hardware architecture
and have a similarly good or bad patch level.
In such an environment it is more likely that a single vulnerability affects large portions of the network when compared
to a diverse ecosystem. A homogeneous ecosystem also reduces the cost for exploit development.

Resiliency against security breaches

If a hypothetical operator controlling 1/2 of the network gets compromised, the impact is a lot bigger than
if they were to run 1%. The incentive for an attacker to compromise an operator running 50%
of the network is also a lot higher than attacking an operator of 1%.

Risk of detection

The risk of detection is likely higher for an attacker that compromises multiple organizations compared to a single
victim.

Cost of attacks

Compromising all relays operated by a single entity is likely cheaper than compromising all relays
run by multiple independent organizations.

Performing a hijacking attack against a single prefix is probably easier than successfully hijacking multiple independent
prefixes with different upstream providers concurrently, and it is harder to remain undetected while doing so.

A DDoS attack against a single AS is likely cheaper than against many targets at the same time.


There are also non-technical (organizational and legal) reasons why having a distributed
network capacity is beneficial to the tor network.

Legally attacking many organizations is more expensive than attacking a single one.
If a single operator no longer has the financial capacity or motivation, the removal of their relays should not
have an existential impact on the network.
If the policy of a hoster changes from 'tor relays allowed' to 'tor relays forbidden',
then we had better not run all our capacity at a single hoster.


In short, you don't want to make the tor network depend on 1-2 or 10 operators, but on many.
So if a few operators disappear the network remains functional and available
and is generally harder to attack.

kind regards,
nusenu

--
https://mastodon.social/@nusenu
https://twitter.com/nusenu
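The concentration the message argues about can be measured. The script below is an added example and is not part of the original post or of any Tor Project tooling: it groups exit capacity per operator and per autonomous system (AS), computes how many entities it takes to reach 50% of exit capacity and the Herfindahl-Hirschman index, and shows how much capacity disappears if the largest operator or AS drops out (an operator quitting, a hoster banning relays, an AS outage, a prefix hijack). The relay table, operator names, AS numbers and weights are constructed for the example; real input would come from the consensus (bandwidth weights, Exit flag) with operators grouped via MyFamily/ContactInfo and an AS lookup, none of which is fetched here.

```python
"""Added example, not part of the original post: measure how concentrated exit
capacity is per operator and per autonomous system (AS), and how much exit
capacity disappears when one operator or one AS goes away.

The relay table is constructed for this example. Real data would come from the
Tor consensus (bandwidth weights, Exit flag) plus operator grouping (MyFamily /
ContactInfo) and an AS lookup; none of that is fetched here.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ExitRelay:
    fingerprint: str   # hypothetical identifiers, not real relays
    operator: str      # grouping key, e.g. derived from MyFamily/ContactInfo
    asn: str           # autonomous system the relay is hosted in
    weight: int        # consensus bandwidth weight used as the capacity measure


# Constructed sample: two different operators share one hoster (AS100).
SAMPLE_EXITS = [
    ExitRelay("A1", "opA", "AS100", 30000),
    ExitRelay("A2", "opA", "AS100", 10000),
    ExitRelay("B1", "opB", "AS100", 15000),
    ExitRelay("C1", "opC", "AS200", 20000),
    ExitRelay("D1", "opD", "AS300", 10000),
    ExitRelay("E1", "opE", "AS400", 8000),
    ExitRelay("F1", "opF", "AS500", 5000),
    ExitRelay("G1", "opG", "AS600", 2000),
]


def shares_by(relays, key):
    """Fraction of total exit weight held by each entity, grouped by `key`
    ('operator' or 'asn'). Returned ordered from largest to smallest share."""
    total = sum(r.weight for r in relays)
    acc = defaultdict(int)
    for r in relays:
        acc[getattr(r, key)] += r.weight
    return dict(sorted(((k, v / total) for k, v in acc.items()),
                       key=lambda kv: kv[1], reverse=True))


def entities_for_fraction(shares, fraction):
    """Smallest number of largest entities whose combined share reaches
    `fraction`. A small answer for fraction=0.5 means the exit side of the
    network is effectively in very few hands."""
    running = 0.0
    for n, s in enumerate(shares.values(), start=1):
        running += s
        if running >= fraction:
            return n
    return len(shares)


def hhi(shares):
    """Herfindahl-Hirschman index: sum of squared shares. Equals 1/N for N
    equally sized entities and 1.0 when a single entity holds everything."""
    return sum(s * s for s in shares.values())


def capacity_lost_if_removed(relays, key, entity):
    """Fraction of exit weight that disappears if every relay whose `key`
    equals `entity` is removed (operator quits, hoster bans Tor, AS outage,
    prefix hijack)."""
    total = sum(r.weight for r in relays)
    lost = sum(r.weight for r in relays if getattr(r, key) == entity)
    return lost / total


def report(relays):
    """Concentration summary per grouping key, returned as a dict so it can
    be inspected programmatically as well as printed."""
    out = {}
    for key in ("operator", "asn"):
        shares = shares_by(relays, key)
        largest = next(iter(shares))
        out[key] = {
            "largest": largest,
            "largest_share": shares[largest],
            "entities_for_50pct": entities_for_fraction(shares, 0.5),
            "hhi": hhi(shares),
            "lost_if_largest_removed": capacity_lost_if_removed(relays, key, largest),
        }
    return out


if __name__ == "__main__":
    for key, stats in report(SAMPLE_EXITS).items():
        print(f"by {key}: largest={stats['largest']} "
              f"({stats['largest_share']:.0%}), "
              f"entities to reach 50%={stats['entities_for_50pct']}, "
              f"HHI={stats['hhi']:.3f}, "
              f"capacity lost if largest removed={stats['lost_if_largest_removed']:.0%}")
```

On the constructed sample the two views disagree in an instructive way: no single operator reaches 50%, but one hoster (AS100) carries 55% of exit capacity because two independent operators chose the same provider. That is exactly the "policy of a hoster changes" and "DDoS against a single AS" case from the message: operator diversity alone does not remove the single point of failure, so the check has to be run per AS (and ideally per upstream/prefix) as well as per operator.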