[tor-talk] On verifying security of Tor Routers idea

Chris tmail299 at errtech.com
Wed Dec 21 22:29:35 UTC 2011

> On 12/21/11, Fabio Pietrosanti (naif) <lists at infosecurity.ch> wrote:
> A lot more than I'm willing to critique.  My suggestions are
> Add a PHASE-0.5: Email out requests for permission to scan &
> permission to publish the scan results to all tor node contact
> addresses
> PHASE-1: b) Portscan all Tor Router>> that we have received permission
> to scan<<, save it via XML
> PHASE-2: f) Publish the Statistics result Summary>> for the nodes that
> we have received permission to publish stats<<
> PHASE-4: remove all nodes from the consensus that do not meet the new
> Tor security standards
>  Just drop the ethically-challenged hacker mindset & ask
> for permission to scan as well as permission to publish.

Not everyone's ethics are the same as yours. That doesn't mean they are
ethically-challenged. That being said, the proposal may work. The question
is what percentage of nodes have valid and up-to-date email addresses and
would respond?

Some of us have been running a Tor node for years. Not having a valid,
up-to-date email does not mean these systems are insecure. Debian makes it
very easy to run and update a Tor node. It may not have a huge impact on
the network.

I think the best approach is to send off an email with the new proposal to
all node operators. See what the response is from the node operators. Let
node operators know that if they do not explicitly opt out, they may be
included by default in the scans if the percentage of nodes that respond is
not sufficient. What we want is a response from every node operator either
way, though, so we can judge.
