[tor-relays] Tor non-exit list
boldsuck
lists at for-privacy.net
Thu Jun 20 11:32:31 UTC 2024
On Thursday, 20 June 2024 02:00:18 CEST tor at nullvoid.me wrote:
> I do not think that asking to remove the complete non-exit list to be
> valuable to the security of the global internet.
However, this non-exit list should not be activated automatically or with one-
click. There is no reason to block non-exit relays.
> While it is correct that sysadmins should maybe not block traffic just
> because it's a relay. There are many use cases where they should, most
> corporation end users do not need access to the Tor network daily, and
> many ransomware or other malware c2 servers leverage .onion services. By
> blocking Tor across the network it's a simple way to disarm the malware
> or prevent data loss to nefarious actors.
Ransomware links are usually opened from emails and Tor is not running on
company computers. Users cannot install anything either. How are they supposed
to reach the hidden services?
Users can bypass this blocklist with bridges from their private devices. There
are private things that are none of the sysadmins' business and for this some
users use Tor or VPN.
> Secondly, running multiple services from your Tor relay is generally
> considered bad advice if I understand correctly. Especially critical
> infrastructure such as mirrors of popular packages. Tor relays should be
> dedicated hosts with minimal attack surface, we know they are attacked,
> monitored, and generally attract extra attention. Due to this other
> services you host on the same server are now at risk of extra
> surveillance or malicious attacks.
You are right that a dedicated IP for a Tor relay would be better.
On the other hand, we want more relays at universities.
Many users cannot reach the mirror Halifax = ftp2.de.debian.org
We should perhaps consider at the relay meeting on Saturday whether several
relay operators or the Tor Project could write to dan.me.uk. He shouldn't make
it so easy to activate the non-exit list. For example, UniFi devices are often
installed by inexperienced admins. They simply click on all the block lists
without knowing what they are.
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!