[tor-talk] Automatic vulnerability scanning of Tor Network?

grarpamp grarpamp at gmail.com
Wed Dec 21 03:20:27 UTC 2011

> For my own part, I am perfectly fine with the idea of working *with*
> server operators to help them secure their systems, and with making
> sure that only secure systems are on the network.  But efforts in this
> area need to work with the foreknowledge and consent of node
> operators, and not alienate our volunteer community.  Also, the
> appropriate response to horribly insecure servers on the network would
> be to inform the operators and de-list the servers if they didn't get
> fixed--not to publicly post them but leave them on the network.  That
> would be the worst of all worlds.

Formal scanning, best practices, contracts, etc. are great and highly
suggested. However, many of us do precisely this in real life. We know
how hard it is, even in small numbers and with complete authority
and consent. Attempting to apply these practices to Tor, and expecting
the Tor Project to house it would be a laughable proposition.

A scanme flag in the relay descriptor could be interesting. But as before,
it's work: what does it mean, to whom, and who would adhere to it?
