xmrk2 via tor-relays wrote:
> Any ideas on how to combat this? I was thinking about including some false positives in the Tor relay list. Imagine including some Google servers' IP addresses - Comcast customers suddenly cannot connect to Google, unless Comcast stops this blocking... or simply whitelists Google. But those false positives sound ugly and a bit malicious, not sure it is a good idea.
This sucks big time, if true. I am trying to ping Comcast from a middle relay IP address and it seems to work; I guess you mean AS33651 - Comcast Cable LLC. Anyway, it could be: in the latest consensus there is not a single relay (middle or exit) hosted in AS33651.
I am not sure about the false positive solution, I see only downsides, including but not limited to:
- it's not ethical for Tor Project to do this, e.g. stating that another company's infrastructure (say Google's IP address space) is part of a network when in fact it's not. I get that the goal is privacy oriented and in good faith (freedom faith) but it seems rather inappropriate;
- there is no evidence that a blocker might use a list of relays provided by Tor Project's metrics portal (I am confident nobody does it because it's less effective) - they can just run a Tor client and get a copy of a consensus and extract from there IP:PORT IPv6:PORT and do from there whatever they please;
- if you include such false positives in the consensus you have to simulate dummy Tor relays on those "hot" IP addresses, like providing an onion key, RSA identity and ed25519 identity, thus looking like a relay, stating some bandwidth for it, etc. - in this case how will a Tor client know which relay is dummy and which is not, in order not to try to establish circuits that fail, ultimately producing a terrible user experience for all users? The same applies to other relays, not just clients, that need to make connections to the dummy relays. If we somehow mark them as "dummy", it will be pretty stupid and obvious and a waste of effort, as the blocker can simply understand the "dummy" marker and it's done; I guess it's pretty obvious.
> I already wrote about this publicly, and also wrote a mail to EFF. Hope I am not spamming, I feel this is quite an important issue and am a bit frustrated by the lack of attention it gets.
Not at all, this is very interesting and not spamming at all. I think it is unacceptable for this to happen, and I think all Comcast customers should quit if this is true - large internet corporations are trying to move on from "IP address identification", as only a beginner who discovered the internet one week ago still thinks of the IP address as "identification of a certain individual / entity"; everybody is moving to advanced layers of authentication on a per-device basis, cryptographic public keys, etc. If Comcast do such a thing, they set themselves 25 years behind the industry they operate in. And this can create many unwanted effects; someone should try to do something about this, but I am not sure what we Tor volunteers *can* do to help with this, especially the ones that are not Comcast customers. EFF is the best start IMO.
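The check described in the reply above (whether any relay in the consensus is hosted in a given AS's address space) can be scripted. The following is an added example, not code from the thread or from the Tor Project: it parses the `r`, `a` and `s` lines of a consensus fragment and matches each relay's addresses against a prefix list. The consensus fragment, its nicknames, fingerprints and addresses, and the prefix list are all constructed for the example; a relay operator would substitute a consensus obtained from a local Tor client and the AS's real prefixes from a whois or BGP lookup.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample in the layout of a Tor network-status consensus
# (ns flavor: "r nick identity digest date time IP ORPort DirPort").
# Every nickname, fingerprint and address below is made up for this example.
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 198.51.100.10 9001 9030
a [2001:db8:1::10]:9001
s Fast Guard Running Stable Valid
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 203.0.113.7 443 0
s Exit Fast Running Stable Valid
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 00:00:00 192.0.2.33 9001 0
s Fast Running Valid
"""

# Placeholder prefixes standing in for the address space of the AS under
# discussion; the page gives no prefixes, so these are constructed values.
AS_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]


@dataclass
class Relay:
    nickname: str
    addresses: list = field(default_factory=list)  # IPv4 from "r", IPv6 from "a"
    flags: set = field(default_factory=set)        # from the "s" line


def parse_consensus(text):
    """Extract nickname, addresses and flags from consensus router entries.

    Both consensus flavors end the "r" line with IP, ORPort and DirPort,
    so the IPv4 address is taken from the third-to-last field.
    """
    relays = []
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            current = Relay(parts[1], [ipaddress.ip_address(parts[-3])])
            relays.append(current)
        elif parts[0] == "a" and current is not None:
            # "a [v6addr]:port" -> strip the port and the brackets
            addr = parts[1].rsplit(":", 1)[0].strip("[]")
            current.addresses.append(ipaddress.ip_address(addr))
        elif parts[0] == "s" and current is not None:
            current.flags = set(parts[1:])
    return relays


def relays_in_prefixes(relays, prefixes):
    """Return relays with at least one address inside any of the prefixes.

    ipaddress treats a v4 address against a v6 network (and vice versa)
    as simply not contained, so mixed lists are safe to compare.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [r for r in relays if any(a in n for a in r.addresses for n in nets)]


def role(relay):
    """Label a relay as exit or middle/guard from its consensus flags."""
    return "exit" if "Exit" in relay.flags else "middle"


def report(text, prefixes):
    """Return (nickname, role) pairs for relays hosted inside the prefixes."""
    return [(r.nickname, role(r)) for r in relays_in_prefixes(parse_consensus(text), prefixes)]


if __name__ == "__main__":
    for nick, kind in report(SAMPLE_CONSENSUS, AS_PREFIXES):
        print(f"{nick}: {kind} relay inside the supplied prefixes")
```

Matching on the consensus rather than on a published relay list mirrors the point made in the reply: the consensus is what both clients and any would-be blocker actually see, so it is also the right data source for an operator checking where relays are hosted.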