[tor-relays] >23% Tor exit relay capacity found to be malicious - call for support for proposal to limit large scale attacks

Sun Jul 5 21:21:31 UTC 2020

Thanks for the detailed reply, nusenu. Looks like you thought this
through really well.

It would be nice if Tor core people would chip in on this as well!
@arma, @teor maybe?

See my further comments inline.

On Sun, 2020-07-05 at 22:50 +0200, nusenu wrote:
> I believe you can have a valid ContactInfo and privacy.

I do too, but I hope that prospective operators think so as well.

> > Of course, in your proposal that information would only be shared
> > with the directory authorities
> 
> That is not necessarily the case if the ContactInfo field is used
> without encryption, basically it is not specified yet.
> 
> > but do we have any numbers on how many relay operators are okay
> > with this?
> 
> I can only give you numbers based on the current tor network data
> (but that is not an answer to your question since it does not reveal
> anything about the operator's intention)
> 
> ~71% of tor's guard capacity has a non-empty ContactInfo. 
> About 700 guard relays have no ContactInfo set and are older than 1
> month.
> 
> ~89% of tor's exit capacity has a non-empty ContactInfo. 
> Only about 60 exit relays have no ContactInfo set and are older than
> 1 month.

Those numbers look encouraging to me. It's good to see that most
operators are doing things the right way, i.e. being reachable in case
something happens to their relay. Still not 100% though.

> The reasoning behind the specific threshold will be covered
> in more detail in the upcoming blog post.

Now you're making me really curious.

> In fact, my initial email went to many operators (after the mailing
> list was not happy with so many recipients
> I did resend it to the list without the others in TO, so
> unfortunately you no longer see the full list of recipients),
> but yes, that is the point of this email - getting feedback from
> operators, especially from big ones.
> I a few replied already.

That's great! Let's see what they think.

> > It is definitely an interesting idea, one that I have not thought
> > of at least. But I'm not sure if it would be effective at
> > preventing what it tries to prevent.
> 
> Yes, that is basically the key question and since there appears to be
> a lot of money involved in running malicious relays, they certainly
> have enough money to buy some office services in some random place
> and get a physical address verified but one of the other factors of
> the proposal is also the additional time required for an attacker to
> go trough the process and that it can no longer be automated
> completely.

It would be very interesting to know who pays for that. If we figure
that out, then maybe we can pursuade them to donate that money to the
Tor Project instead. \s

Imre
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20200705/4da59048/attachment.sig>