[tor-relays] Recent rejection of relays

z-relay at zestypucker.anonaddy.me z-relay at zestypucker.anonaddy.me
Wed Nov 10 21:14:58 UTC 2021 

I'll throw in my 2 cents.

Limitations with current approach:

1. Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages. This also opens up a convenient channel for "adversaries" to harass or even coerce the relay operators.

2. Middle relays can be used for attacking and the only defense being "list your email addresses or else we'll kick you out" throws a sizable wretch into the credibility and technical soundness of the whole project. If the "adversaries" are capable of de-anonymize tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?

Some suggestions to consider:

1. Since the DAs and the relays already know each others' IP addresses and public ID keys. Perhaps tor can add a feature where the DAs can send authenticated and encrypted short messages to the relays, which can then verify the messages and log them in syslog or log files as configured in torrc.

The messages can be something along the lines of "Your relay is misconfigured in ABC ways, please do XYZ to fix it. Contact our help desk at ***@torproject.org if you have questions or need further assistance.".

2. As a stop term solution before this feature can be implemented would be listing all the misconfigured relays on a page hosted by torproject.org, and make the page easy to discover by linking to it on relay help pages. Same idea here, I'm sure many are happy to reach out for instructions to correct any misconfigurations, but that does not mean all of us are excited about publishing an email address in a public list, nor it is technically necessary.

________________________________
From: Georg Koppen 'gk at torproject.org' <z-relay+tor-relays=lists.torproject.org at zestypucker.anonaddy.me>
Sent: Wednesday, November 10, 2021 6:40 PM
To: z-relay at zestypucker.anonaddy.me <z-relay at zestypucker.anonaddy.me>
Subject: Re: [tor-relays] Recent rejection of relays


Jonas via tor-relays:
> Where is this criteria documented?

I am not sure what criteria you mean but we have our bad-relay
criteria[1] documented at our wiki and keep fingerprints we reject due
to attacks we noticed there as well[2].

> It seems the tor project, or its designated volunteers, are increasing controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.
>
> We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?

The Tor Project is not running the network. It's comprised of relays run
mostly by volunteers. I am actually not really sure either what you are
proposing to be honest. Shall we just keep the relays attacking our
users in the network instead?

Georg

[snip]

[1]
https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-rejecting-bad-relays
[2]
https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Rejected-fingerprints-found-in-attacks

>
> ---------- Original Message ----------
> On Wed, November 10, 2021 at 8:59 AM,  Georg Koppen<gk at torproject.org> wrote:
> Hello everyone!
>
> Some of you might have noticed that there is a visible drop of relays on
> our consensus-health website.[1] The reason for that is that we kicked
> roughly 600 non-exit relays out of the network yesterday. In fact, only
> a small fraction of them had the guard flag, so the vast majority were
> middle-only relays. We don't have any evidence that these relays were
> doing any attack, but there are attacks possible which relays could
> perform from the middle position. Therefore, we decided we'd remove
> those relays for our users' safety sake.
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20211110/e5c002d6/attachment-0001.htm>

More information about the tor-relays mailing list