German data retention law

Scott Bennett bennett at cs.niu.edu
Sun Oct 19 06:44:15 UTC 2008


     On Sat, 18 Oct 2008 19:30:53 -0400 7v5w7go9ub0o <7v5w7go9ub0o at gmail.com>
wrote:
>Roger Dingledine wrote:
>> On Sat, Oct 18, 2008 at 06:43:34PM -0400, 7v5w7go9ub0o wrote:
>>> Roger Dingledine wrote:
>>>
>>>
>>> <snip>
>>>
>>>>> Otherwise, all german nodes have to switch to middle man.
>>> <snip>
>> 
>> To be clear, I didn't write the above line.
>> 
>>> 1. Given that the ISP will have logs anyway, why disallow German exit 
>>> nodes?
>> 
>> A fine question. Hopefully as we learn more about what ISPs will log,
>> we will come to decide that having Tor exit relays in Germany doesn't
>> pose much risk -- as long as we take appropriate other steps to make
>> sure the other end of the circuit isn't logged by German ISPs too.
>> 
>>> 2. How about changing all TOR port usage - including relays and entry
>>> ports - to 443?
>>>
>>> 'Twould be hard to know which are entry nodes, which are relays, and 
>>> which is browser traffic. That ought to make "mapping" the onion, and 
>>> ISP log analysis a little more challenging :-) .
>> 
>> It isn't just a matter of what port they listen on. So long as there's
>> a public list of Tor relays, then people can just compare IP addresses
>> they see to the public relay list. And that public relay list isn't
>> going away anytime soon, since Tor clients need it when picking a path.
>
>Am presuming that some on that list are "multi-function" servers!?
>
>Guess I'm thinking along the line of a PC that has a TOR relay and 
>bridge (both) that's being logged by its ISP.
>
>If all inbound and outbound TOR circuits were port 443, all the ISP 
>would log is a bewildering collection of inbound, SSL-encrypted 
>connections to 443, and outbound, SSL-encrypted connections to 443 - 
>hard to know if any given inbound is an entry-connection, or 
>relay-connection.
>
>Likewise, outbound connections to 443 somewhere else might be TOR, or it 
>might be the operator browsing his bank account.
>
>If nothing else, defaulting to 443 would allow a greater number of 
>"hotspot" laptops access to TOR from HTTP/S-only networks.
>
     Doing that, however, *would* make it rather difficult for the same
machine--or another machine sharing the same IP address for a NAT'ed LAN
gateway--to run a web server supporting HTTPS connections.  That alone
should be sufficient reason not to change the default ORPort to 443.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
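The point Roger makes above (an ISP that retains connection logs can join them against the public relay list, so the port a relay listens on does not hide it) can be shown with a few lines of log analysis. The following is an added example written for this page, not code from the tor-talk thread or from the Tor project; the relay list and the flow records are constructed sample data using RFC 5737 documentation addresses, not a real consensus or real ISP logs. It also covers the multi-function server case raised in the quoted message: once the relay list is known, inbound connections to a relay can be split into those from other listed relays and those from unlisted (client) addresses.

```python
"""Added example: joining retained connection logs against the public
Tor relay list identifies relay traffic by destination IP regardless
of port. All data below is constructed (RFC 5737 / RFC 1918 addresses)."""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed stand-in for the public relay list: relay IP -> advertised ORPort.
# In reality this comes from the directory consensus that every client fetches.
RELAY_LIST = {
    "203.0.113.10": 443,   # relay that moved its ORPort to 443
    "203.0.113.20": 443,   # another relay on 443
    "192.0.2.55": 9001,    # relay on the default ORPort
}

# Constructed flow records as an ISP might retain them (src, dst, dst port).
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443),      # client -> relay, on 443
    Flow("10.0.0.5", "198.51.100.80", 443),     # client -> ordinary HTTPS site
    Flow("10.0.0.5", "203.0.113.20", 443),      # client -> relay, on 443
    Flow("10.0.0.9", "192.0.2.55", 9001),       # client -> relay, default port
    Flow("10.0.0.9", "198.51.100.80", 443),     # client -> ordinary HTTPS site
    Flow("192.0.2.55", "203.0.113.10", 443),    # relay -> relay (circuit hop)
    Flow("203.0.113.10", "198.51.100.80", 443), # relay host -> HTTPS (operator or exit)
]


def is_tor_flow(flow, relay_list=RELAY_LIST):
    """True if the destination is a listed relay. The port is deliberately
    not consulted: the IP match alone suffices once the list is public."""
    return flow.dst in relay_list


def port_only_view(flows=FLOWS, port=443):
    """What an analyst sees with the port alone: every flow to `port`,
    Tor and ordinary HTTPS alike, looks the same."""
    return [f for f in flows if f.dport == port]


def list_view(flows=FLOWS, relay_list=RELAY_LIST):
    """The same flows once the relay list is joined in."""
    return [f for f in flows if is_tor_flow(f, relay_list)]


def tor_clients(flows=FLOWS, relay_list=RELAY_LIST):
    """Unlisted source addresses that contacted at least one listed relay,
    i.e. the hosts an ISP would record as Tor users."""
    return {f.src for f in flows
            if is_tor_flow(f, relay_list) and f.src not in relay_list}


def inbound_kinds(relay_ip, flows=FLOWS, relay_list=RELAY_LIST):
    """Split inbound connections to one relay by whether the peer is itself
    a listed relay (a circuit hop) or not (a client or bridge user).
    This answers the 'multi-function server' question: the list, not the
    port, tells relay-to-relay and client connections apart."""
    kinds = Counter()
    for f in flows:
        if f.dst == relay_ip:
            kinds["from_relay" if f.src in relay_list else "from_client"] += 1
    return dict(kinds)


if __name__ == "__main__":
    print("flows to port 443 (port only):", len(port_only_view()))
    print("flows to listed relays       :", len(list_view()))
    print("clients that touched Tor     :", sorted(tor_clients()))
    print("inbound to 203.0.113.10      :", inbound_kinds("203.0.113.10"))
```

Running it shows six flows to port 443 but four flows to listed relays, two client addresses identified as Tor users, and the 443 connections into the first relay split cleanly into one from another relay and one from a client. Moving every relay to 443 changes only the first number; the other three, which are what an ISP doing log analysis cares about, stay the same.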


