[tor-relays] Reminder: don't run transparent proxies at exits

grarpamp grarpamp at gmail.com
Mon Jan 12 06:04:58 UTC 2015


On Fri, Jan 9, 2015 at 10:26 PM, Drake Wilson <drake at dasyatidae.net> wrote:
> eric gisse wrote:
>> Plus the logic starts to get warped when you wonder "So do you BadExit
>> every node that runs on an ISP that caches traffic?"
>>
>> What about ISPs (and OpenDNS) that NXDOMAIN trap to insert advertising?
>
> These, I think, are more general points that have not adequately been
> resolved anywhere, though I think the vague consensus has been that the
> latter merits a BadExit at the moment.  Indeed the basic idea of "exits

An external NX ad trap is a bit tertiary since the exit is truly
representing its view of the net.

As far as http caching, it would be relatively fine IF the cache
truly did good practice, and IF the site truly did good design
for the cache to follow. However those two necessary truths
are often false, whether by AND or XOR context. So to be
true, a cache shouldn't be deployed, but in the interest of
bandwidth they are, more commonly at small end-tier user
access ISPs (including exits) for that purpose.

I'd suggest best practice is for
- users to use https to bypass
- caches to insert their tagline in http headers so
users can bitch to the owner.
- Tor exits? Well, they're volunteer paid diversity, so which is
more valuable to you? The IFs above, or TCP truth at
potential cost to diversity?

I prefer TCP truth, but if I was a constrained operator
I'd do my best research into setting up a quality cache.
Provided caching images of ill repute on disk were not
an overriding concern.

Last, the badexit projects should probably try to
assess the current state of caching quality in order
to further suggest practices for operators.
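The tagline idea above is what RFC 7230 already asks of proxies (the Via header), and RFC 7234 gives caches a few more tells (Age, cache-only Warning codes). The following is an added example, not part of the thread and not a Tor Project tool: a small header checker of the kind a BadExit scan could run over responses fetched through an exit, with constructed sample responses (the names cache.example and origin.example are made up).

```python
"""Heuristic check for transparent HTTP caching on a path, based on the
response headers a cache is required to (or commonly does) add.

Added example for this thread, not Tor Project code. The header samples
at the bottom are constructed, not captured from a real exit."""

# RFC 7234 section 5.5 Warning codes that only a cache would emit
# (110 stale, 111 revalidation failed, 112 disconnected, 113 heuristic
# expiration, 214 transformation applied).
CACHE_WARN_CODES = {"110", "111", "112", "113", "214"}


def _lower(headers):
    """Normalise header names to lower case so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def cache_evidence(headers):
    """Return human-readable reasons why this response looks cached or proxied.

    An empty list means no evidence was found, not that the path is clean:
    a cache that strips its own headers leaves nothing for this check."""
    h = _lower(headers)
    reasons = []
    if "via" in h:
        # RFC 7230 section 5.7.1: every proxy must append itself to Via.
        # This is the "tagline" that lets users see who sits in the path.
        reasons.append("Via header present: %s" % h["via"])
    if "age" in h:
        # RFC 7234 section 5.1: Age is set by caches, never by origin servers.
        reasons.append("Age header present (%s s): served from a cache" % h["age"])
    if "x-cache" in h and "hit" in h["x-cache"].lower():
        # Non-standard but widely emitted by Squid, Varnish and CDNs.
        reasons.append("X-Cache reports HIT: %s" % h["x-cache"])
    if "warning" in h:
        # Warning: <code> <agent> "<text>" [, more]; take the code of each.
        codes = {part.strip().split(" ")[0] for part in h["warning"].split(",")}
        hits = sorted(codes & CACHE_WARN_CODES)
        if hits:
            reasons.append("cache-only Warning code(s): %s" % ", ".join(hits))
    return reasons


def headers_only_on_path(direct, via_exit):
    """Header names present on the exit path but not on a direct fetch.

    Comparing the two views of the same URL is the strongest signal: the
    origin did not send these, so something in between did."""
    return sorted(set(_lower(via_exit)) - set(_lower(direct)))


# Constructed samples: what the origin sends, and the same response after a
# transparent Squid-style cache has handled it.
ORIGIN_DIRECT = {
    "Date": "Mon, 12 Jan 2015 06:00:00 GMT",
    "Server": "origin.example",
    "Cache-Control": "max-age=600",
    "Content-Type": "text/html",
}
THROUGH_CACHE = dict(ORIGIN_DIRECT)
THROUGH_CACHE.update({
    "Via": "1.1 cache.example (squid)",
    "Age": "37",
    "X-Cache": "HIT from cache.example",
    "Warning": '110 - "Response is Stale"',
})

if __name__ == "__main__":
    for name, resp in (("direct", ORIGIN_DIRECT), ("via exit", THROUGH_CACHE)):
        print(name, cache_evidence(resp) or "no cache evidence")
    print("added on path:", headers_only_on_path(ORIGIN_DIRECT, THROUGH_CACHE))
```

This only flags caches that behave like the author's "good practice" case and announce themselves; it is the kind of check a badexit survey could use to assess caching quality, not a way to catch a cache that hides.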
