[tor-relays] Who is running the two biggest Exits in the network?

Sat May 27 20:00:35 UTC 2017

Hi Paul,

Paul:
> 
> I agree with that part.
> 
> But sometimes it helps to look and think things from an extreme point 
> of view:
> Let's assume the whole TOR would be anonymous in a way that you cant
> see contacts not even nicknames. Where in this scenario should TRUST
> derive from? Would you or anybody rely on that network, if you not at
> least know a certain number of people who give their dedication, work,
> money, for the project, people with total conviction doing the right
> thing. I guess you wouldn’t - at least I wouldn’t do so. So now you
> can go back, step by step and ask how many of those people, with how
> many servers under their control you need, until you come to the point
> where it's not enough any more.

Firstly, remember that it's Tor not TOR! :)

I think it is important to remember that malicious nodes are part of the 
threat model, with the caveat that we assume that we are not faced with 
a global adversary that can see all traffic flowing in, out, and 
between.
This problem of lack of contacts, as nusenu wrote, it is important to be 
able to contact people (I was wrong on that one before, so thanks for 
the correction), but it can be faked by people with bad intentions.
I don't think we should trust the nodes per se, but we are assuming that 
the malicious nodes are not all controlled by the same person, or 
groups.
This is actually a great example of where we should be using and pushing 
for hidden services - by doing that we eliminate having to put some 
degree of trust into the exit node operators. Good practice such as 
checking signatures on files, using an encrypted connection, etc, are 
all necessary with or without using Tor.
It's also a fun exercise to do a trace route on your regular Internet 
connection. Often it goes on a quite esoteric route, through multiple 
routers, and through multiple countries. It is worth remembering that 
with Tor, we can kick bad nodes off the network, if we have reason to 
believe they are acting maliciously or are likely to do so.

> As I personally prefer having a high number of known volunteers, I can
> tell that I dislike two or three servers - holding more than 4.5%
> Exit-prob. during peak time -run by (a) person(s) nobody knows -
> especially when there is a very high probability that they attack
> useful targets
> http://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.html
> !
> 

Again, it's important to understand that even if the volunteers are 
"known" to the extent there is plausible contact information, that they 
create a MyFamily configuration, even then, they may have their software 
compromised, they may be coerced, or they may harbor downright bad 
intentions.
I would also be quite uncomfortable with a high number of volunteers 
that have some mark of trust. It centralizes too much, and I believe 
that would be a point of weakness. There already are a number of people 
who are well-known in the Tor community, and run large relays, one 
should note.
Furthermore, it is worth noting that the article there is really quite 
flawed for a number of reasons - e.g. misplaced faith in GeoIP, surprise 
that poorly written malevolent bots with exist, misunderstanding about 
how to contact the Tor project - but that has been discussed elsewhere, 
no doubt. At any rate, I am unsure how it demonstrates that we need 
known people to run relays.

Best,
Duncan.