On Thursday, 20 June 2024 02:00:18 CEST tor@nullvoid.me wrote:
> I do not think that asking to remove the complete non-exit list is valuable to the security of the global internet.
However, this non-exit list should not be activated automatically or with one click. There is no reason to block non-exit relays.
> While it is correct that sysadmins should maybe not block traffic just because it's a relay, there are many use cases where they should: most corporate end users do not need access to the Tor network daily, and many ransomware or other malware C2 servers leverage .onion services. Blocking Tor across the network is a simple way to disarm the malware or prevent data loss to nefarious actors.
Ransomware links are usually opened from emails, and Tor is not running on company computers. Users cannot install anything either. How are they supposed to reach the hidden services?
Users can bypass this blocklist with bridges from their private devices. There are private things that are none of the sysadmins' business and for this some users use Tor or VPN.
> Secondly, running multiple services from your Tor relay is generally considered bad advice, if I understand correctly, especially for critical infrastructure such as mirrors of popular packages. Tor relays should be dedicated hosts with minimal attack surface; we know they are attacked, monitored, and generally attract extra attention. Because of this, other services you host on the same server are at risk of extra surveillance or malicious attacks.
You are right that a dedicated IP for a Tor relay would be better. On the other hand, we want more relays at universities.
Many users cannot reach the Halifax mirror (ftp2.de.debian.org).
We should perhaps consider at the relay meeting on Saturday whether several relay operators or the Tor Project could write to dan.me.uk. He shouldn't make it so easy to activate the non-exit list. For example, UniFi devices are often installed by inexperienced admins, who simply click on all the block lists without knowing what they are.