John Ricketts:
I am about to fire up more Exit Relays and if I do so I will jump from my roughly 3% of Exit Probability to what technically could easily reach 6-8%.
I would like to know everyone’s opinion on having an individual operator have that much exit share. In my case, all the traffic would be coming from the same AS as well, but distributed over four different cities with different upstream carriers.
Please chime in, if I get a green light from the discussion it will happen within a month.
First of all: Thank you for growing the Tor network exit capacity and being open about your plans.
Big operators should be aware that they are more likely to be a person/group of interest to certain non-friendly entities than others. Ideally they take this risk and responsibility seriously and operate their relays accordingly.
With the growing size of a single operator, stability, availability and recovery time also become more relevant. A single small operator going down is NOT an issue that many would notice, but an operator running 10% exit prob. will more likely cause some noticeable impact.
The usual points apply but become more important with the increasing cw/exit fraction of an operator.
These are not meant as questions, just food for thought:
- timely reaction to new security updates
- 24/7 operations? auto-updates?
- configuration management
- family management
- geo diversity
- time to recover from complete relay(s) compromise (without rekeying) (> Are relays operated in OfflineMasterKey mode?)
- security monitoring and alerting?
- management workstation exposed to Internet? browsing? email? attacks) (dedicated machine? Qubes OS?)
- direct peering and connectivity for a short path to common targets (like emeraldonion does)
- servers used for tor only? (no shared use cases)
- abuse handling
- legal risks?
- upstream diversity
- in-operator OS diversity