On Tue, Aug 27, 2013 at 11:08:34AM -0500, Jon Gardner wrote:
> Then why have exit policies? Exit nodes regularly block "unwelcome" traffic like bittorrent, and there's only a slight functional difference between that and using a filter in front of the node to block things like porn.
The exit policy is a public statement to the Tor network by the exit node about what traffic it is willing to transport. Users who wish to use a particular TCP port can consult the consensus and find an exit node which meets their needs.
By contrast, a porn blacklist would presumably prevent particular HTTP requests from being satisfied, based on analysis of the contents of the requests. In other words, the porn-filtering exit node offered to transport port 80, but then reneged on the offer when it looked inside the box and didn't like what it found.
If only there were a separate TCP port for HTTP-with-Porn and all the pornographers used it, then an exit policy for "HTTP-without-porn" would be possible. But alas, we don't even have vague agreement on what constitutes porn, much less a social contract requiring all pornographers to segregate their traffic for our convenience.
RFC6969, Pornographic HTTP. #ideasforapril1
Consider http://www.ietf.org/rfc/rfc3514.txt --
    Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.
-andy
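As an added illustration of the "consult the consensus" point above (example code, not from this thread or from Tor itself): the consensus carries one "p accept <ports>" or "p reject <ports>" summary line per relay, and that is all a client has to go on when picking an exit for a TCP port. The consensus fragment below is constructed, and the relay names and addresses in it are placeholders.

```python
# Added example: pick exits by port from consensus exit-policy summaries.
# A "p" line lists ports only; it says nothing about the bytes carried on
# them, which is exactly why a content filter cannot be expressed as a policy.

# Constructed consensus fragment. Real "r" lines carry more fields
# (identity digest, publication time, DirPort); only the nickname is used here.
SAMPLE_CONSENSUS = """\
r exitA PLACEHOLDERDIGEST 192.0.2.1 9001 0
p accept 80,443
r exitB PLACEHOLDERDIGEST 192.0.2.2 9001 0
p reject 1-1024,6881-6999
r exitC PLACEHOLDERDIGEST 192.0.2.3 9001 0
p accept 20-23,53,443
r nonexit PLACEHOLDERDIGEST 192.0.2.4 9001 0
p reject 1-65535
"""

def parse_port_list(spec):
    """Expand '80,443,6881-6999' into a list of inclusive (lo, hi) ranges."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("bad port range: %r" % item)
        ranges.append((lo, hi))
    return ranges

def parse_consensus(text):
    """Map each relay nickname to its (mode, ranges) port summary."""
    policies, nick = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "r":
            nick = parts[1]
        elif len(parts) == 3 and parts[0] == "p" and nick:
            policies[nick] = (parts[1], parse_port_list(parts[2]))
    return policies

def allows_port(policy, port):
    """'accept' lists the ports carried; 'reject' lists the ports refused."""
    mode, ranges = policy
    listed = any(lo <= port <= hi for lo, hi in ranges)
    return listed if mode == "accept" else not listed

def exits_for_port(policies, port):
    """Nicknames of relays whose summary says they will carry this port."""
    return sorted(n for n, pol in policies.items() if allows_port(pol, port))

if __name__ == "__main__":
    print(exits_for_port(parse_consensus(SAMPLE_CONSENSUS), 80))
```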