Restricted Exit Policy Port Suggestions?

Gregory Maxwell gmaxwell at
Wed Aug 11 23:10:05 UTC 2010

On Wed, Aug 11, 2010 at 11:52 AM, Mike Perry <mikeperry at> wrote:
> Sometimes, you just need to pick your battles. If you believe the DMCA
> is bullshit and want a full exit policy, I think the practical answer
> is "Go outside the US for bandwidth". Or, be prepared to provider-hop
> for a good, long time.

This is, however, bad for the diversity of the Tor network. Ideally
there would be exists as widely spread as possible in order to
minimize the return on investment for attackers.

It seems to me that there exists an opportunity to collaboratively
build a list of destinations which are "safe"— in that the probability
of an ISP complaint or an unfriendly law enforcement visit is
effectively insignificant.

Safe destinations might include things like some network services
(DNS, esp if tor moves to the TCP dns stuff which has been discussed
lately), human rights organizations, other anonymity services,
read-only web resources, services which already have special handling
for tor (e.g. Wikipedia, which is effectively read-only for Tor exits,
IRC networks which identify and specially handle Tor), and services
which are known not to keep logs.

While these destinations would only amount to only a tiny fraction of
the Internet they could amount to a reasonable portion of the overall
exit usage thus freeing up the rest of the exit capacity for
everything that can't use these limited exits and providing increased
performance and diversity for things that can.

This is something that would require some technical infrastructure.
Currently nodes don't get an exit flag unless they are fairly broadly
open... and thousands of nodes each running a different idea of the
safe destinations would create a computational burden on circuit
creation as well as significant directory bloat. Setting the exit flag
on nodes with very narrow exit policies would also facilitate the
creation of targeted exit spying nodes.

To avoid these problems a single template exit list could be
distributed with the directories then included in node exit lists.

I don't have any great answer on how to create and manage such a list—
a small one is fairly easy to manage but I don't expect a large one to

But I think the bigger question is: would the existence of this option
discourage the creation of full exits to such an extent that it would
hurt the tor network overall?   At least in the US and soon, with the
ACTA, perhaps most of the developed world I think the answer is no.
The difficulty in establishing network connectivity which won't be
immediately shutdown due to overzealous notice-and-takedown
conformance is already so great that anyone running a full exit
instead of a relay is obviously putting out a special effort to do so.
The existence of an easy limited-exit option shouldn't change the
incentives much.

There are other things which could be done to increase the usefulness
of the tor network in the face of an increasingly difficult exit
climate, for example improving the exit enclave functionality would be
helpful (putting services which do not need anonymity themselves
behind hidden services is far from optimal both due to performance and
name discovery issues), but I don't think this would provide as great
or as immediate a benefit as simply increasing the real exit capacity
to selected destinations.
To unsubscribe, send an e-mail to majordomo at with
unsubscribe or-talk    in the body.

More information about the tor-talk mailing list