[tor-dev] Is it possible to run private Exit nodes?

Paul Syverson syverson at itd.nrl.navy.mil
Wed Aug 8 19:24:36 UTC 2012


On Wed, Aug 08, 2012 at 06:19:16PM +0000, Robert Ransom wrote:
> On 8/8/12, SiNA Rabbani <sina at redteam.io> wrote:
> > I have been running private bridges for my VIP contacts for a long time.
> > I use PublishServerDescriptor 0 to keep my bridges private.
> >
> > Is it possible to also run a private Exit node?
> 
> Yes, but (a) anyone who notices that it exists can use it, and (b) it
> would be very risky for anyone to make their Tor client able to use a
> private exit node (it could identify them as someone who knows that
> that exit node exists, even if they aren't currently trying to use
> it).
> 

Saying it is very risky seems too strong and too general. A very
likely threat model could comprise a client-local attacker that you
don't want seeing your destinations or your private exit, together
with the threat of a (colluding or non-colluding) hostile exit node
that you don't want mucking with or recording your exiting traffic. In
that setting you would be better served using a private exit than a
public one chosen using current Tor defaults.

Yes, you would be subject to epistemic attacks. (You probably want to
also do some sort of layered guards to protect against the middle node
creating a pseudonymous client profile _if_ that is also a threat you
care about. For that matter, if you ever use this to go to a hostile
server or to a server over hostile underlying network, your adversary
will get a pseudonymous profile of you via the traffic coming from
that private exit---if it is recognized qua exit.) Also, won't the
middle relay balk at extending to an unlisted exit unless the middle
relay is itself an exit? (Can't recall where the checks happen.) This
will also flag you as quite different to the middle relay.

My main point is that, despite all this, there may be other threats
that are more significant to you that are less well protected by
current Tor defaults than a private exit would be. This isn't
something to recommend as an easy option for generic users, but it is
likely to make sense for some.

As another motivation, you might want to access a server (your own or
someone else's) through Tor that only accepts connections from certain
IPs and ports that are not to be found among the policies of available
Tor exits (or Tor exits you would trust). Another ill-understood
shifting in both security and performance that might be worth it.

aloha,
Paul

