An idea of non-public exit-nodes

Paul Syverson syverson at itd.nrl.navy.mil
Wed Nov 25 18:08:11 UTC 2009


On Wed, Nov 25, 2009 at 12:21:39PM -0500, Gregory Maxwell wrote:
> On Tue, Nov 24, 2009 at 8:05 PM, Ted Smith <teddks at gmail.com> wrote:
> > On Tue, 2009-11-24 at 19:49 -0500, Roger Dingledine wrote:
> >> See especially point #1: "even if we didn't tell clients about the list of
> >> relays directly, somebody could still make a lot of connections through
> >> Tor to a test site and build a list of the addresses they see."
> >>
> >> I guess we could perhaps add support for configuring your own secret
> >> exit node that your buddy runs for you. But at that point the anonymity
> >> that Tor can provide in that situation gets pretty fuzzy.
> >
> > It's like a bridge, but for exits. They would probably have to be a lot
> > less friend-to-friend than bridges, but it might still be doable. I
> > think this is what the original poster meant, anyways.
> 
> So non-disclosed bridges work because the entrance node always knows who
> you are, so having to arrange something with someone doesn't disclose
> much more information. It doesn't disclose where you are going.
> 
> In the case of an exit, it knows where you're going but not who you are.
> If you must arrange for access to the exit then the exit gets the opportunity
> to learn who you are.  Once the exit knows who you are then the whole purpose
> of Tor is defeated.
> 
> I can imagine a couple of possible cryptographic methods which would make a
> private exit unusable until there is a sufficiently large clique of people
> who could use the exit... but everything I can think of would be highly
> vulnerable to attack by setting up additional conspiring nodes.
> 

Two words: Hidden service

Some more words: If you set up a hidden service to function as a Tor
exit, then your above concern about defeating the point of Tor goes
away. I haven't done any thorough analysis but it seems obvious that
there are lots of ways to attack this, such as quoted from Roger
above. As usual you would need to specify what your threat model is to
know if this is adequate for intended purposes.

-Paul