Hello everyone!
Some of you might have noticed that there is a visible drop of relays on our consensus-health website.[1] The reason for that is that we kicked roughly 600 non-exit relays out of the network yesterday. In fact, only a small fraction of them had the guard flag, so the vast majority were middle-only relays. We don't have any evidence that these relays were doing any attack, but there are attacks possible which relays could perform from the middle position. Therefore, we decided we'd remove those relays for our users' safety sake.
While we were already tracking some of the relays for a while, a big chunk of them was also independently reported by a cypherpunk and nusenu helped analyze the data. Thanks to both of them from our side.
For what it is worth: a large part of those relays did not set any valid contact info and/or when we tried to contact some of the relays' operators the emails bounced. However, we sometimes need to have ways to reach relay operators, be it for debugging purposes or for helping them with relay misconfiguration. Thus, please set a valid contact info when running relays.
Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.
Georg
What community updates and organizations are there outside this mailing list?
I operate the small nullvoid family of relays and want to grow it in the near future but not miss out or misconfigure and cause problems for the rest of the team.
On November 9, 2021 8:09:40 PM UTC, Georg Koppen gk@torproject.org wrote:
Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.
Hi,
At the end of the year, we will have a Tor relay operator meetup during the rC3[1]. It's an online event. Leibi will share the invitation here, when the date and time are confirmed.
Please also join our matrix/IRC channel: #tor-relays:matrix.org (or #tor-relays - irc.oftc.net) And our new Tor Forum: https://forum.torproject.net/
Thanks for running relays!
Gus
[1] https://events.ccc.de/2021/11/08/rc3-2021-nowhere/
On Tue, Nov 09, 2021 at 10:06:28PM +0000, tor@nullvoid.me wrote:
What community updates and organizations are there outside this mailing list?
I operate the small nullvoid family of relays and want to grow it in the near future but not miss out or misconfigure and cause problems for the rest of the team.
On November 9, 2021 8:09:40 PM UTC, Georg Koppen gk@torproject.org wrote:
Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Where is this criteria documented?
It seems the tor project, or its designated volunteers, are increasingly controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.
We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?
Jonas
---------- Original Message ----------
On Wed, November 10, 2021 at 8:59 AM, Georg Koppen gk@torproject.org wrote:
Hello everyone!
Some of you might have noticed that there is a visible drop of relays on our consensus-health website.[1] The reason for that is that we kicked roughly 600 non-exit relays out of the network yesterday. In fact, only a small fraction of them had the guard flag, so the vast majority were middle-only relays. We don't have any evidence that these relays were doing any attack, but there are attacks possible which relays could perform from the middle position. Therefore, we decided we'd remove those relays for our users' safety sake.
Jonas via tor-relays:
Where is this criteria documented?
I am not sure what criteria you mean but we have our bad-relay criteria[1] documented at our wiki and keep fingerprints we reject due to attacks we noticed there as well[2].
It seems the tor project, or its designated volunteers, are increasingly controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.
We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?
The Tor Project is not running the network. It's comprised of relays run mostly by volunteers. I am actually not really sure either what you are proposing to be honest. Shall we just keep the relays attacking our users in the network instead?
Georg
[snip]
[1] https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-r... [2] https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Rejected-finge...
I'll throw in my 2 cents.
Limitations with current approach:
1. Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages. This also opens up a convenient channel for "adversaries" to harass or even coerce the relay operators.
2. Middle relays can be used for attacking and the only defense being "list your email addresses or else we'll kick you out" throws a sizable wrench into the credibility and technical soundness of the whole project. If the "adversaries" are capable of de-anonymizing tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?
Some suggestions to consider:
1. Since the DAs and the relays already know each other's IP addresses and public ID keys, perhaps tor can add a feature where the DAs can send authenticated and encrypted short messages to the relays, which can then verify the messages and log them in syslog or log files as configured in torrc.
The messages can be something along the lines of "Your relay is misconfigured in ABC ways, please do XYZ to fix it. Contact our help desk at ***@torproject.org if you have questions or need further assistance.".
2. A stop term solution before this feature can be implemented would be listing all the misconfigured relays on a page hosted by torproject.org, and making the page easy to discover by linking to it on relay help pages. Same idea here, I'm sure many are happy to reach out for instructions to correct any misconfigurations, but that does not mean all of us are excited about publishing an email address in a public list, nor is it technically necessary.
________________________________ From: Georg Koppen 'gk at torproject.org' z-relay+tor-relays=lists.torproject.org@zestypucker.anonaddy.me Sent: Wednesday, November 10, 2021 6:40 PM To: z-relay@zestypucker.anonaddy.me z-relay@zestypucker.anonaddy.me Subject: Re: [tor-relays] Recent rejection of relays
[snip]
Hi,
On Wed, Nov 10, 2021 at 09:14:58PM +0000, z-relay--- via tor-relays wrote:
I'll throw in my 2 cents.
Limitations with current approach:
- Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages.
I'm running relays and spam is not an issue. It's a pain if you're running exit nodes, then you will get abuse notifications from your ISP.
And if spam is an issue for you, you could manage that using GitLab Service Desk feature, for example: https://docs.gitlab.com/ee/user/project/service_desk.html
This also opens up a convenient channel for "adversaries" to harass or even coerce the relay operators.
Actually, that would be quite stupid on their part to do that... by email. Anyway, if that happens, contact us.
Anyway, my question is:
Why can your ISP contact you, but the Tor Community can't have an easy way to reach out to an operator?
- Middle relays can be used for attacking and the only defense being "list your email addresses or else we'll kick you out" throws a sizable wrench into the credibility and technical soundness of the whole project. If the "adversaries" are capable of de-anonymizing tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?
Some suggestions to consider:
- Since the DAs and the relays already know each other's IP addresses and public ID keys, perhaps tor can add a feature where the DAs can send authenticated and encrypted short messages to the relays, which can then verify the messages and log them in syslog or log files as configured in torrc.
The messages can be something along the lines of "Your relay is misconfigured in ABC ways, please do XYZ to fix it. Contact our help desk at ***@torproject.org if you have questions or need further assistance.".
- A stop term solution before this feature can be implemented would be listing all the misconfigured relays on a page hosted by torproject.org, and making the page easy to discover by linking to it on relay help pages. Same idea here, I'm sure many are happy to reach out for instructions to correct any misconfigurations, but that does not mean all of us are excited about publishing an email address in a public list, nor is it technically necessary.
Thanks for your suggestion. But, in my experience, unrecommended relays are already listed on the Metrics page and operators didn't act/notice until we got in touch and asked them to upgrade.
Gus
Gus,
I have to agree with z-relay on these points. I won't even provide an obfuscated contact email in my torrc to avoid spam. I could set up a dedicated email for Tor operation, but I'd likely find my relays down prior to checking it.
Case in point... When registering a domain name, I've gotten to the point where I use a disposable phone number and email address, due to the amount of spam generated from such a transaction.
Presently, I like how Tor notifies me of any issues with my configuration in the torlog and provides recommendations on how to remedy them. I believe you will find that asking for operators to provide contact address information for an anonymizing service will always be a struggle–it's the nature of the service and those that subscribe to it.
BTW... My ISP does have my contact/billing information, but doesn't require it be published publicly.
Respectfully,
Gary
— This Message Originated by the Sun. iBigBlue 63W Solar Array (~12 Hour Charge) + 2 x Charmast 26800mAh Power Banks = iPhone XS Max 512GB (~2 Weeks Charged)
On Thursday, November 11, 2021, 5:59:45 AM PST, gus gus@torproject.org wrote:
[snip]
On Thu, Nov 11, 2021 at 03:35:26PM +0000, Gary C. New via tor-relays wrote:
Gus, I have to agree with z-relay on these points. I won't even provide an obfuscated contact email in my torrc to avoid spam. I could set up a dedicated email for Tor operation, but I'd likely find my relays down prior to checking it. Case in point... When registering a domain name, I've gotten to the point where I use a disposable phone number and email address, due to the amount of spam generated from such a transaction. Presently, I like how Tor notifies me of any issues with my configuration in the torlog and provides recommendations on how to remedy them. I believe you will find that asking for operators to provide contact address information for an anonymizing service will always be a struggle–it's the nature of the service and those that subscribe to it. BTW... My ISP does have my contact/billing information, but doesn't require it be published publicly. Respectfully,
What exactly is stopping you from using this email address as your relay contact_info? This is a *public* mailing list.
cheers, Gus
-- The Tor Project Community Team Lead
On 11 November 2021 17:17:40 GMT, gus gus@torproject.org wrote:
What exactly is stopping you from using this email address as your relay contact_info? This is a *public* mailing list.
cheers, Gus
+1 to the sentiment behind that query.
Personally I have no requirement for anonymity about the fact that I run Tor relays, so that may colour my views, and may influence what others think about my views. But I do sometimes despair about the angst some people display over not wanting an email address associated with one or more relays. In my experience of close to a decade or more of running relays, with a clear email address in my config file, I have not experienced any spam which I could attribute to that fact. Nor have I seen much in the way of spam to /this/ address, which as Gus has pointed out, is visible on a public mailing list.
Please just add a proper contact address to your relay(s). It will help the project, and will hardly hurt you at all.
Best
Mick
- Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages. This also opens up a convenient channel for "adversaries" to harass or even coerce the relay operators.
Contact info isn’t limited to email. CIISS currently allows⁽¹⁾ even a Twitter account or an XMPP JID, and in required fields you may provide a home page URL instead of a plain email.
However, email addresses exposed that way see nearly no spam. While I see the issue and I am happy there are other options, in the current state of affairs I am less concerned about publishing the email address in my ContactInfo than revealing it in this particular message. Neither is very attractive to spammers, but the latter may trigger some people to spam me to just prove how wrong I am.
- Middle relays can be used for attacking and the only defense being "list your email addresses or else we'll kick you out" throws a sizable wrench into the credibility and technical soundness of the whole project. If the "adversaries" are capable of de-anonymizing tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?
You are assuming those are adversaries, who do that intentionally. Instead of nodes being misconfigured and their operators not reachable to resolve the issues.
For adversaries it is a noticeable cost. Deploying 500 nodes is cheap and automatic. Hiring people, to respond to email in a manner that doesn’t instantly reveal they are call center drones, has neither of those properties.
____
⁽¹⁾ https://nusenu.github.io/ContactInfo-Information-Sharing-Specification/
Georg Koppen:
Jonas via tor-relays:
Where is this criteria documented?
I am not sure what criteria you mean but we have our bad-relay criteria[1] documented at our wiki and keep fingerprints we reject due to attacks we noticed there as well[2].
It seems the tor project, or its designated volunteers, are increasingly controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.
We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?
The Tor Project is not running the network.
There is an additional point that is important here that I forgot (sorry for that and thanks to a little bird reminding me): yes, we working on hunting malicious relays tracked some of those relays for a while which I mentioned in my previous mail and we reached out to some of their operators. However, the relays did not get rejected by us at the end of the day, but rather by a majority of directory authorities.
Those authorities are a central part of our project, too, but I think it's important to point out that the "we" in my original mail was supposed to point to different groups within the Tor Project which might not have been clear enough.
Georg
It's comprised of relays run mostly by volunteers. I am actually not really sure either what you are proposing to be honest. Shall we just keep the relays attacking our users in the network instead?
Georg
[snip]
[1] https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-r...
[2] https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Rejected-finge...
---------- Original Message ----------
On Wed, November 10, 2021 at 8:59 AM, Georg Koppen gk@torproject.org wrote:
Hello everyone!
Some of you might have noticed that there is a visible drop of relays on our consensus-health website.[1] The reason for that is that we kicked roughly 600 non-exit relays out of the network yesterday. In fact, only a small fraction of them had the guard flag, so the vast majority were middle-only relays. We don't have any evidence that these relays were doing any attack, but there are attacks possible which relays could perform from the middle position. Therefore, we decided we'd remove those relays for our users' safety sake.
Georg Koppen gk@torproject.org:
Hello everyone!
Some of you might have noticed that there is a visible drop of relays on our consensus-health website.[1] The reason for that is that we kicked roughly 600 non-exit relays out of the network yesterday. In fact, only a small fraction of them had the guard flag, so the vast majority were middle-only relays. We don't have any evidence that these relays were doing any attack, but there are attacks possible which relays could perform from the middle position. Therefore, we decided we'd remove those relays for our users' safety sake.
While we were already tracking some of the relays for a while, a big chunk of them was also independently reported by a cypherpunk and nusenu helped analyzing the data. Thanks to both of them from our side.
For what it is worth: a large part of those relays did not set any valid contact info and/or when we tried to contact some of the relays' operators the emails bounced. However, we sometimes need to have ways to reach relay operators, be it for debugging purposes or for helping them with relay misconfiguration. Thus, please set a valid contact info when running relays.
Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.
Georg
When you don't have any evidence that these relays were doing something bad then what did they do to get rejected?
Tor Relays:
When you don't have any evidence that these relays were doing something bad then what did they do to get rejected?
I am afraid I can't give you any details. The best I can do to be able to keep up in the ongoing arms race is pointing you to our wiki page talking about the criteria for rejecting relays[1].
Georg
[1] https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-r...
Georg Koppen:
Hello everyone!
Some of you might have noticed that there is a visible drop of relays on our consensus-health website.[1] The reason for that is that we kicked roughly 600 non-exit relays out of the network yesterday. In fact, only a small fraction of them had the guard flag, so the vast majority were middle-only relays. We don't have any evidence that these relays were doing any attack, but there are attacks possible which relays could perform from the middle position. Therefore, we decided we'd remove those relays for our users' safety sake.
While we were already tracking some of the relays for a while, a big chunk of them was also independently reported by a cypherpunk and nusenu helped analyzing the data. Thanks to both of them from our side.
For what it is worth: a large part of those relays did not set any valid contact info and/or when we tried to contact some of the relays' operators the emails bounced. However, we sometimes need to have ways to reach relay operators, be it for debugging purposes or for helping them with relay misconfiguration. Thus, please set a valid contact info when running relays.
Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.
For anyone wondering when a blog post will show up related to the rejections I wrote about above, it seems nusenu has written one:
https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-again...
Make sure to scroll down to the Appendix, though, if you want to see graphs which actually show this rejection. The very first one is confusing as it seems to imply the attacker is still on the network/the attack is ongoing. But that's not the case as far as we know.
An important thing to note as well is making sure *not* to actually use the proposed self-defense as-is. It's not mentioned in the blog post but at the repository linked to:
""" NOTE: This PoC is NOT fit for general use and not meant to be used by end-users! """
We have not finished our analysis for the relay group nusenu is talking about in the blog post, so not sure yet about the findings mentioned there. However, it's nice to see external parties being as vigilant as we in trying to make sure our users have a safe Tor experience. More of that please. :)
Georg
Could you please list me the massive malicious actor networks that the Tor Project found out by itself in the last years?
On 1. Dec 2021, at 14:32, Georg Koppen gk@torproject.org wrote:
We have not finished our analysis for the relay group nusenu is talking about in the blog post, so not sure yet about the findings mentioned there. However, it's nice to see external parties being as vigilant as we in trying to make sure our users have a safe Tor experience. More of that please. :)
abuse department:
Could you please list me the massive malicious actor networks that the Tor Project found out by itself in the last years?
I am not sure what your criteria for "massive" are but I can try to provide an answer as good as I can.
First, I don't have hard data for the "last years", partly because we did not spend time to collect that data and partly because we did not look closely enough ourselves. Both changed at the beginning of this year as it turned out that relying to a large extent on external contributions in this area of our work is not a smart idea for a number of reasons.
Now, while I won't link to any "massiv malicious actor networks" I can link to all the fingerprints we rejected because we found the related relays doing attacks on the network:
https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Rejected-finge...
As I said in another thread on this list[1] those fingerprints are collected on a monthly basis. While, in general, there is no guarantee that all of those fingerprints are found by Tor Project folks/employees (I don't think at this point it is worth spending time trying to differentiate between Tor Project-found/external contributors-found malicious actors) I took the time to look up the history of all of them as far as we have it.
Apart from 1 fingerprint mentioned in that wiki all of them got reported by our scanners or as a result of our own investigation. That's 680/681 and is not including the massive sybil attack in May, nusenu reported as well.[2] Maybe that's one of those massive malicious actor networks you have in mind? If so, yes, we caught it by ourselves.
I don't know what goal you had in mind with your question, but I hope the above helps a bit at least.
Georg
[1] https://lists.torproject.org/pipermail/tor-relays/2021-May/019647.html
[2] https://lists.torproject.org/pipermail/tor-relays/2021-May/019644.html