[tor-dev] design for a Tor router without anonymity compromises

warms0x warms0x at riseup.net
Sun May 3 18:16:51 UTC 2015

On Sat, 2 May 2015 20:37:17 -0700
coderman <coderman at gmail.com> wrote:

> a friend and i are working on a Tor router design that doesn't
> compromise anonymity for convenience. [0][1][2][3][4]
> we're soliciting feedback as part of a go / no-go decision on
> continuing this effort.
> in particular, the design is intended to meet the scrutiny of Nick M.,
> Roger, and Mike P.  as the focus on support for Tor Browser and Tor on
> each client indicates.

I am bored so I figured I would read this big document, here are some
comments from somebody who doesn't matter:

1.3 > Warning conditions:

Is the "Client privacy leak detected" meaning the software would warn
in the case of a LAN client attempting to make an unsecured connection
or leak DNS data or something like that? Provided the leak never makes
it off the routing device, then I think that is an acceptable warning
but if it leaves the device that's a pretty critical error in my

2.4 > Device software and configuration technical requirements

"Require VPN on local WiFi and Ethernet network" does this mean VPN
connection to the router itself, as in establishing an IPSec tunnel
from LAN_1 --> [Router] before any layer four traffic is allowed? I see
the FAQ about Wifi, which makes sense, but extending the VPN
requirement to the physical network I find odd.

I suggest also adding mandatory audit logging to the scope of the
router software. In my opinion any and all state changes, whether
automatic (Tor circuit change) or manual (administrator changing
configuration) must be logged.

2.5/2.6 > Privacy Directory Requirements

Is the expectation that every client attached to the router would be
running this privacy directory software or only the router
administrator(s)? In the former case, is there any bad exit indication
that could/would be made to the clients?

How is authentication and authorization of this privacy director
software going to be performed with the router? In 1.2 the router would
be passwordlessly set up, but after that how would an administrator
ensure that only they are able to mutate the device set up?

Also "Filter local traffic that is not Tor when active", does this mean
that the privacy director software will require escalated privileges on
the numerous platforms in order to modify local firewall states?

Interesting effort, good luck
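
The reply above asks that every router state change, automatic (a Tor circuit change) or manual (an administrator editing configuration), be audit logged. As an added illustration of one way to make such a log tamper-evident (this is example code, not part of the proposed router design or of anything Tor ships), each entry below carries the SHA-256 digest of the previous entry, so editing or deleting an earlier record breaks the chain. The event names, the "auto"/"admin" source labels and the sample events are constructed for the example.

```python
"""Hash-chained audit log for router state changes (added example)."""
import hashlib
import json
import time


class AuditLog:
    """Append-only, hash-chained record of router state changes.

    Each entry stores the digest of the entry before it, so verify() detects
    an edited, removed or reordered record anywhere in the chain.
    """

    GENESIS = "0" * 64  # digest used as "previous" for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so the digest does not depend on key ordering.
        data = json.dumps(entry, sort_keys=True).encode()
        return hashlib.sha256(data).hexdigest()

    def record(self, source, event, details, ts=None):
        """Append one state change. source is "auto" or "admin" (constructed labels)."""
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            "source": source,
            "event": event,
            "details": details,
            "prev": prev,
        }
        body["digest"] = self._digest(body)
        self.entries.append(body)
        return body["digest"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first_bad_index)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or self._digest(body) != entry["digest"]):
                return False, i
            prev = entry["digest"]
        return True, None


def sample_log():
    """Constructed sequence of automatic and manual state changes."""
    log = AuditLog()
    log.record("auto", "tor.circuit.new", {"circ_id": 17}, ts=1)
    log.record("admin", "config.set", {"key": "require_vpn", "value": True}, ts=2)
    log.record("auto", "tor.circuit.closed", {"circ_id": 17}, ts=3)
    return log


def tamper_demo():
    """Show that both an edit and a deletion are caught, returning the verify() results."""
    intact = sample_log().verify()

    edited = sample_log()
    edited.entries[1]["details"]["value"] = False   # admin change altered after the fact
    edit_result = edited.verify()

    deleted = sample_log()
    del deleted.entries[1]                           # admin change removed entirely
    delete_result = deleted.verify()

    return intact, edit_result, delete_result


if __name__ == "__main__":
    print(tamper_demo())
```

The chain only proves integrity relative to the newest digest; to make it useful against an attacker who controls the router, the latest digest (or the whole log) still has to be shipped off the device or anchored somewhere the attacker cannot rewrite.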

