[tor-dev] Scaling tor for a global population

Griffin Boyce griffin at cryptolab.net
Mon Sep 29 07:32:03 UTC 2014

   I'd say that the idea to 'downgrade' people into being bridges is a 
good one, if done without requiring user input.  'Everyone run a relay' 
might only be useful because so many of the people we say it to have 
fast connections.  It seems reasonable to filter out persistently low 
connections (and allow them back in if their connection speed improves). 
  That is not to say that every potential bridge should actually be 
accepted as a bridge.  The 28B/s bridge is nuts - either it's on an 
embedded device or their torrc is misconfigured.

   What I usually recommend is to users is based on their bandwidth and 
how frequently their IP changes.  If their connection is fast and their 
IP never changes (eg, a desktop or server), then run a non-exit relay 
[2].  For a laptop that moves to-from work, then a relay or bridge.  If 
it moves a *lot*, use Cupcake (which is a wrapper for flashproxy).  
Running a relay on a raspi or a router (?!) is not a great idea -- 
though people attempt both.  If things could gracefully switch from 
being a relay to a bridge based on their speed, then that would actually 
make it more straightforward for users because they don't have to worry 
about whether they should be a bridge or relay.

   People can't really estimate their own bandwidth without something 
like NDT, but they have an idea of how fast it is. eg, this connection 
is 21Mb/s up, 6mb/s down, but that's mostly irrelevant because my 
perception of it is that it's Fast.  That perception would be the same 
if I were getting 2Mbp/s up/down.  So maybe one non-technical change we 
can make is to user education and website documentation -- run a relay 
if you have a Fast connection.

   Filtering people out based on advertised bandwidth is tricky - 
advertised bandwidth is only useful if it's based on reality.  250kb/s 
seems like a reasonable floor for both relays and bridges.  100kb/s is 
kind of the sanity check for a distributed bridge - if it's below that, 
it's not useful enough IMO.

   The real questions for me are: how much of a gain is possible? and 
what is the right balance between number of relays and speed of those 
relays?  and I suspect that until something is tried, it may just be 


[2] No one should be running an exit from home, and no one who is asking 
me about this at an event should be running an exit.

"I believe that usability is a security concern; systems that do
not pay close attention to the human interaction factors involved
risk failing to provide security by failing to attract users."
~Len Sassaman

More information about the tor-dev mailing list