[tor-talk] Why make bad-relays a closed mailing list?

Philipp Winter phw at nymity.ch
Thu Jul 31 20:12:33 UTC 2014 

On Thu, Jul 31, 2014 at 07:21:59PM +0000, Nusenu wrote:
> > I think we need to distinguish between the report and the
> > discussion. Ultimately, a report that is acted upon *cannot* remain
> > secret.  As soon as a relay gets the BadExit flag, the operator can
> > figure out that they got caught.  As a result, I believe that the
> > mere fact that a relay was blocked (via BadExit or reject) can be
> > published.  There is an ongoing discussion if we should do that.
> > 
> > The discussion of observed malicious behaviour, however, can give
> > the attacker a lot of knowledge which they can exploit in order to
> > evade detection in the future.  Consider, for example, an HTTPS
> > MitM attack which targets a small number of web sites.  If somebody
> > reports only one of these targets, the attacker can spawn a new
> > relay after discovery and simply reduce the set of targeted sites
> > in order to remain under the radar.  This seems to be an uphill
> > battle and it's difficult to have full transparency without giving
> > dedicated adversaries a big advantage.
>
> You might find the proven approach used in other areas (security bugs)
> a viable option:
>
> Keep the discussion private until a decission has been reached, make
> it (the discussion) public once the report has been closed (whether
> with or without a flag or reject entry).
>
> This allows for transparency while at the same time shouldn't
> interfere with ongoing investigations.

Yes, it is generally not a problem to publish a security bug which has
already been fixed.  In fact, it is encouraged because it spreads
knowledge and awareness.

Our situation is a slightly different one, though.  By publishing the
discussion about a relay (even if it has already been disabled), we are
harming future endeavours: As long as we keep using the same method to
check malicious relays, revealing this very method would "spoil it"
until we switch to a different one.  That's not quite the case with
security bugs.  If we had plenty of resources, scanning modules, and
methods, the story would be different but unfortunately that's not the
case.

One good example is documented in a recent research paper [0].  Section
5.2 describes how we chased a group of related malicious exit relays
over several months.  At some point the attackers began to sample MitM
attempts and target web sites.  Publishing our actions would probably
have helped the attackers substantially.

I think in addition to publishing *which* relays were disabled, it would
also be safe to publish *why* they were disabled.  We could add a short
sentence along the lines of "running HTTPS MitM" or "running sslstrip".
Damian mentioned that in the other thread.

[0] https://petsymposium.org/2014/papers/Winter.pdf

Cheers,
Philipp

More information about the tor-talk mailing list