[tor-talk] Automatic vulnerability scanning of Tor Network?
mlists at robin-kipp.net
Tue Dec 20 19:14:08 UTC 2011
You know, I'm definitely not someone deeply involved in the Tor project, its development, maintenance and all that. However, from my experience, I've always thought that everyone donating a relay or exit node to the network is seen as "potentially helpful" and not as a "potential security risk". In essence, the idea you just proposed would completely turn this around. No, I honestly don't want some outside individual to audit my security. If I want my security to be audited, I'm gonna do that all by myself - both from outside and from inside of my network.
Also, one thing that makes Tor so great is its decentralized infrastructure. Sure, there are some databases that contain the IPs of at least all exit nodes, but there's no central way of shutting them down. So, what you want to do is to gather info on security vulnerabilities for all Tor nodes, and then store them in some kind of CENTRAL database, which would have to be inaccessible to the public (thus taking away any kind of transparency). Now, imagine that central database gets hacked and the sec assessments become accessible to a party with a hostile view on the Tor network. That party could then go ahead and launch targeted attacks on all kinds of security holes found in all nodes, thus making it easy to take out probably a large fraction of the Tor network.
Look, go ahead, take that idea and throw it in the trash. Even better, flush it down the toilet - because, to be honest, I think that even if you recycle that stuff, nothing good is ever gonna come out.