On Wed, Jan 06, 2016 at 10:21:31PM +1100, Tim Wilson-Brown - teor wrote:
On 6 Jan 2016, at 21:26, Virgil Griffith i@virgil.gr wrote:
Tom, to ensure I understand you clearly, is your argument that relays that export only unencrypted shouldn't get the Exit Flag because insecure/unecrypted traffic "isn't what Tor is intended for?" I want to be sure that I'm fully understanding your proposal.
If adversaries can set up Exit relays that only permit insecure/unecrypted traffic, then they can inspect/interfere with all the traffic going through that Exit. As can any adversary that is on the upstream path from that Exit.
If we ensure that Exits must pass some encrypted traffic, then running an Exit is less attractive to an adversary. And even adversaries contribute useful, secure bandwidth to the Tor Network.
Modulo them not simply setting up an acceptable policy but then just dropping all (much) actual traffic for the ports they didn't really want. (And correct attribution and sanctioning for non/incomplete performing are hard.) As always, if the adversarial goal is monitoring, it is typically just easier (and not too expensive) to genuinely provide the service that gets you the flags, but yes this could still be an improvement vs. status quo.
aloha, Paul
So this policy is intended to protect users, and encourage non-adversarial contributions to network bandwidth. (Given the small number of Exits flags affected by this change, I'm not sure if this policy is responsible for all the good Exits, or if our exit-checking tools are responsible.)
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev