[tor-relays] let's make ContactInfo mandatory for exits (and warn others)

Georg Koppen gk at torproject.org
Sat Apr 24 19:37:40 UTC 2021


nusenu:
> After looking at lots of malicious relay data of the past few months
> I've come to the conclusion that exit relays without ContactInfo are
> largely run by malicious actors.
> 
> I propose to make torrc's ContactInfo mandatory for exit relays with the following timeline:
> 
> * tor 0.4.6: log a warning that tor will require ContactInfo to be set on exit relays starting with tor v0.4.7
> 
> * tor 0.4.7: no longer assign the exit flag to relays not having a ContactInfo (< 5 chars) in their descriptor. 
> 	     Log a warning for relay operators, 
> 
> 
> I'll add graphs that show exit fraction provided by exit relays without ContactInfo over time
> to OrNetStats.
> 
> Is this an effective remedy to deter malicious actors? 
> No and it is not meant to be one. It is trivial to set a random non-empty ContactInfo,
> only in combination with other countermeasures it becomes actually useful. 
> 
> ContactInfo is also mentioned in this draft:
> https://gitlab.torproject.org/tpo/community/team/-/wikis/Expectations-for-Relay-Operators
> 
> I'll make it easy for Tor Browser users to exclude exit relays without ContactInfo from their configuration. 
> This might make the proposal irrelevant should the release alone result in exits getting non-empty ContactInfos.
> More details will follow soon.

I don't think we should go to add something into tor. That's a lot of
effort and additional code compared to the expected win. First of all,
this is easy to game as you are mentioning. Secondly, and more
importantly, we should instead catch such malicious relays when scanning
or looking over the nodes joining the network.

Additionally, looking over the last couple of weeks and months it seems
there are some non-malicious exit nodes with no contact info joining the
network, too. There is the risk that we drive those relay operators away
by a) raising the bar generally for entering the network and b) making
it more confusing to set up relays by requiring some (even non-valid)
contact info for exit relays yet not for non-exits.

So, yes, fighting against malicious (exit) nodes is an important and
ongoing task but we should use the right means for that goal without
adding additional burdens to exit node operators if we can help it.

(FWIW: on the client side there is still the HTTPS-only mode in the
pipeline, which could easily be a game-changer here, too.)

Georg

> kind regards,
> nusenu