[tor-relays] Recent rejection of relays

Hello everyone!

Some of you might have noticed that there is a visible drop of relays on our consensus-health website.[1] The reason for that is that we kicked roughly 600 non-exit relays out of the network yesterday. In fact, only a small fraction of them had the guard flag, so the vast majority were middle-only relays. We don't have any evidence that these relays were doing any attack, but there are attacks possible which relays could perform from the middle position. Therefore, we decided we'd remove those relays for our users' safety sake.

While we were already tracking some of the relays for a while, a big chunk of them was also independently reported by a cypherpunk and nusenu helped analyzing the data. Thanks to both of them from our side.

Foe what it is worth: a large part of those relays did not set any valid contact info and/or when we tried to contact some of the relays' operators the emails bounced. However, we sometimes need to have ways to reach relay operators, be it for debugging purposes or for helping them with relay misconfiguration. Thus, please set a valid contact info when running relays.

Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.

Georg

[1] Consensus health

What community updates and organizations are there outside this mailing list?

I operate the small nullvoid family of relays and want to grow it in the near future but not miss out or misconfigure and cause problems for the rest of the team.

···

On November 9, 2021 8:09:40 PM UTC, Georg Koppen <gk@torproject.org> wrote:

Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Hi,

At the end of the year, we will have a Tor relay operator meetup during the rC3[1].
It's an online event. Leibi will share the invitation here, when the
date and time are confirmed.

Please also join our matrix/IRC channel:
#tor-relays:matrix.org (or #tor-relays - irc.oftc.net)
And our new Tor Forum: https://forum.torproject.net/

Thanks for running relays!

Gus

[1] rC3 2021 NOWHERE - CCC Event Blog

···

On Tue, Nov 09, 2021 at 10:06:28PM +0000, tor@nullvoid.me wrote:

What community updates and organizations are there outside this mailing list?

I operate the small nullvoid family of relays and want to grow it in the near future but not miss out or misconfigure and cause problems for the rest of the team.

On November 9, 2021 8:09:40 PM UTC, Georg Koppen <gk@torproject.org> wrote:
>
>Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.
>
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

--
The Tor Project
Community Team Lead

Where is this criteria documented?

It seems the tor project, or its designated volunteers, are increasing controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.

We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?

Jonas

···

---------- Original Message ----------
On Wed, November 10, 2021 at 8:59 AM, Georg Koppen<gk@torproject.org> wrote:
Hello everyone!

Some of you might have noticed that there is a visible drop of relays on
our consensus-health website.[1] The reason for that is that we kicked
roughly 600 non-exit relays out of the network yesterday. In fact, only
a small fraction of them had the guard flag, so the vast majority were
middle-only relays. We don't have any evidence that these relays were
doing any attack, but there are attacks possible which relays could
perform from the middle position. Therefore, we decided we'd remove
those relays for our users' safety sake.
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Jonas via tor-relays:

Where is this criteria documented?

I am not sure what criteria you mean but we have our bad-relay criteria[1] documented at our wiki and keep fingerprints we reject due to attacks we noticed there as well[2].

It seems the tor project, or its designated volunteers, are increasing controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.

We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?

The Tor Project is not running the network. It's comprised of relays run mostly by volunteers. I am actually not really sure either what you are proposing to be honest. Shall we just keep the relays attacking our users in the network instead?

Georg

[snip]

[1] Criteria for rejecting bad relays · Wiki · The Tor Project / Network Health / Team · GitLab
[2] Rejected fingerprints found in attacks · Wiki · The Tor Project / Network Health / Team · GitLab

···

---------- Original Message ----------
On Wed, November 10, 2021 at 8:59 AM, Georg Koppen<gk@torproject.org> wrote:
Hello everyone!

Some of you might have noticed that there is a visible drop of relays on
our consensus-health website.[1] The reason for that is that we kicked
roughly 600 non-exit relays out of the network yesterday. In fact, only
a small fraction of them had the guard flag, so the vast majority were
middle-only relays. We don't have any evidence that these relays were
doing any attack, but there are attacks possible which relays could
perform from the middle position. Therefore, we decided we'd remove
those relays for our users' safety sake.
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

Georg Koppen:

Jonas via tor-relays:

Where is this criteria documented?

I am not sure what criteria you mean but we have our bad-relay criteria[1] documented at our wiki and keep fingerprints we reject due to attacks we noticed there as well[2].

It seems the tor project, or its designated volunteers, are increasing controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.

We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?

The Tor Project is not running the network.

There is an additional point that is important here that I forgot (sorry for that and thanks to a little bird reminding me): yes, we working on hunting malicious relays tracked some of those relays for a while which I mentioned in my previous mail and we reached out to some of their operators. However, the relays did not got rejected by us at the end of the day, but rather by a majority of directory authorities.

Those authorities are a central part of our project, too, but I think it's important to point out that the "we" in my original mail was supposed to point to different groups within the Tor Project which might not have been clear enough.

Georg

···

It's comprised of relays run mostly by volunteers. I am actually not really sure either what you are proposing to be honest. Shall we just keep the relays attacking our users in the network instead?

Georg

[snip]

[1] Criteria for rejecting bad relays · Wiki · The Tor Project / Network Health / Team · GitLab

[2] Rejected fingerprints found in attacks · Wiki · The Tor Project / Network Health / Team · GitLab

---------- Original Message ----------
On Wed, November 10, 2021 at 8:59 AM, Georg Koppen<gk@torproject.org> >> wrote:
Hello everyone!

Some of you might have noticed that there is a visible drop of relays on
our consensus-health website.[1] The reason for that is that we kicked
roughly 600 non-exit relays out of the network yesterday. In fact, only
a small fraction of them had the guard flag, so the vast majority were
middle-only relays. We don't have any evidence that these relays were
doing any attack, but there are attacks possible which relays could
perform from the middle position. Therefore, we decided we'd remove
those relays for our users' safety sake.
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

I’ll throw in my 2 cents.

Limitations with current approach:

  1. Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages. This also opens up a convenient channel for “adversaries” to harass or even coerce the relay operators.

  2. Middle relays can be used for attacking and the only defense being “list your email addresses or else we’ll kick you out” throws a sizable wretch into the credibility and technical soundness of the whole project. If the “adversaries” are capable of de-anonymize tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?

Some suggestions to consider:

  1. Since the DAs and the relays already know each others’ IP addresses and public ID keys. Perhaps tor can add a feature where the DAs can send authenticated and encrypted short messages to the relays, which can then verify the messages and log them in syslog or log files as configured in torrc.

The messages can be something along the lines of “Your relay is misconfigured in ABC ways, please do XYZ to fix it. Contact our help desk at ***@torproject.org if you have questions or need further assistance.”.

  1. As a stop term solution before this feature can be implemented would be listing all the misconfigured relays on a page hosted by torproject.org, and make the page easy to discover by linking to it on relay help pages. Same idea here, I’m sure many are happy to reach out for instructions to correct any misconfigurations, but that does not mean all of us are excited about publishing an email address in a public list, nor it is technically necessary.
···

From: Georg Koppen ‘gk at torproject.orgz-relay+tor-relays=lists.torproject.org@zestypucker.anonaddy.me
Sent: Wednesday, November 10, 2021 6:40 PM
To: z-relay@zestypucker.anonaddy.me z-relay@zestypucker.anonaddy.me
Subject: Re: [tor-relays] Recent rejection of relays

Jonas via tor-relays:

Where is this criteria documented?

I am not sure what criteria you mean but we have our bad-relay
criteria[1] documented at our wiki and keep fingerprints we reject due
to attacks we noticed there as well[2].

It seems the tor project, or its designated volunteers, are increasing controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an “online service provider” or “online platform” and subjects one to all sorts of regulations and compliance regimes.

We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?

The Tor Project is not running the network. It’s comprised of relays run
mostly by volunteers. I am actually not really sure either what you are
proposing to be honest. Shall we just keep the relays attacking our
users in the network instead?

Georg

[snip]

[1]
https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-rejecting-bad-relays
[2]
https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Rejected-fingerprints-found-in-attacks

---------- Original Message ----------
On Wed, November 10, 2021 at 8:59 AM, Georg Koppengk@torproject.org wrote:
Hello everyone!

Some of you might have noticed that there is a visible drop of relays on
our consensus-health website.[1] The reason for that is that we kicked
roughly 600 non-exit relays out of the network yesterday. In fact, only
a small fraction of them had the guard flag, so the vast majority were
middle-only relays. We don’t have any evidence that these relays were
doing any attack, but there are attacks possible which relays could
perform from the middle position. Therefore, we decided we’d remove
those relays for our users’ safety sake.


tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 Like

Georg Koppen <gk@torproject.org>:

Hello everyone!

Some of you might have noticed that there is a visible drop of relays on
our consensus-health website.[1] The reason for that is that we kicked
roughly 600 non-exit relays out of the network yesterday. In fact, only
a small fraction of them had the guard flag, so the vast majority were
middle-only relays. We don’t have any evidence that these relays were
doing any attack, but there are attacks possible which relays could
perform from the middle position. Therefore, we decided we’d remove
those relays for our users’ safety sake.

While we were already tracking some of the relays for a while, a big
chunk of them was also independently reported by a cypherpunk and nusenu
helped analyzing the data. Thanks to both of them from our side.

Foe what it is worth: a large part of those relays did not set any valid
contact info and/or when we tried to contact some of the relays’
operators the emails bounced. However, we sometimes need to have ways to
reach relay operators, be it for debugging purposes or for helping them
with relay misconfiguration. Thus, please set a valid contact info when
running relays.

Finally, anyone running relays: try to get connected to the community so
we can build some trust among each other. That seems to be an essential
part in our long-term strategy to fight bad relays trying to enter our
network.

Georg

When you don’t have any evidence that these relays were doing something bad then what did they do to get rejected?

Tor Relays:

Georg Koppen <gk@torproject.org>:

Hello everyone!

Some of you might have noticed that there is a visible drop of relays on
our consensus-health website.[1] The reason for that is that we kicked
roughly 600 non-exit relays out of the network yesterday. In fact, only
a small fraction of them had the guard flag, so the vast majority were
middle-only relays. We don't have any evidence that these relays were
doing any attack, but there are attacks possible which relays could
perform from the middle position. Therefore, we decided we'd remove
those relays for our users' safety sake.

While we were already tracking some of the relays for a while, a big
chunk of them was also independently reported by a cypherpunk and nusenu
helped analyzing the data. Thanks to both of them from our side.

Foe what it is worth: a large part of those relays did not set any valid
contact info and/or when we tried to contact some of the relays'
operators the emails bounced. However, we sometimes need to have ways to
reach relay operators, be it for debugging purposes or for helping them
with relay misconfiguration. Thus, please set a valid contact info when
running relays.

Finally, anyone running relays: try to get connected to the community so
we can build some trust among each other. That seems to be an essential
part in our long-term strategy to fight bad relays trying to enter our
network.

Georg

When you don't have any evidence that these relays were doing something bad
then what did they do to get rejected?

I am afraid I can't give you any details. The best I can do to be able to keep up in the ongoing arms race is pointing you to our wiki page talking about the criteria for rejecting relays[1].

Georg

[1] Criteria for rejecting bad relays · Wiki · The Tor Project / Network Health / Team · GitLab

Hi,

I'll throw in my 2 cents.

Limitations with current approach:

1. Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages.

I'm running relays and spam is not an issue. It's a pain if you're
running exit nodes, then you will get abuse notifications from your ISP.

And if spam is an issue for you, you could manage that using GitLab
Service Desk feature, for example:

This also opens up a convenient channel for "adversaries" to harass or even coerce the relay operators.

Actually, that would be quite stupid from their part to do that... by
email. Anyway, if that happens, contact us.

Anyway, my question is:

Why your ISP can contact you, but the Tor Community can't have
an easy way to reach out to an operator?

2. Middle relays can be used for attacking and the only defense being "list your email addresses or else we'll kick you out" throws a sizable wretch into the credibility and technical soundness of the whole project. If the "adversaries" are capable of de-anonymize tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?

Some suggestions to consider:

1. Since the DAs and the relays already know each others' IP addresses and public ID keys. Perhaps tor can add a feature where the DAs can send authenticated and encrypted short messages to the relays, which can then verify the messages and log them in syslog or log files as configured in torrc.

The messages can be something along the lines of "Your relay is misconfigured in ABC ways, please do XYZ to fix it. Contact our help desk at ***@torproject.org if you have questions or need further assistance.".

2. As a stop term solution before this feature can be implemented would be listing all the misconfigured relays on a page hosted by torproject.org, and make the page easy to discover by linking to it on relay help pages. Same idea here, I'm sure many are happy to reach out for instructions to correct any misconfigurations, but that does not mean all of us are excited about publishing an email address in a public list, nor it is technically necessary.

Thanks for your suggestion. But, in my experience, unrecommended relays
are already listed on Metrics page and operators didn't act/notice until
we got in touch and asked them to upgrade.

Gus

···

On Wed, Nov 10, 2021 at 09:14:58PM +0000, z-relay--- via tor-relays wrote:

________________________________
From: Georg Koppen 'gk at torproject.org' <z-relay+tor-relays=lists.torproject.org@zestypucker.anonaddy.me>
Sent: Wednesday, November 10, 2021 6:40 PM
To: z-relay@zestypucker.anonaddy.me <z-relay@zestypucker.anonaddy.me>
Subject: Re: [tor-relays] Recent rejection of relays

Jonas via tor-relays:
> Where is this criteria documented?

I am not sure what criteria you mean but we have our bad-relay
criteria[1] documented at our wiki and keep fingerprints we reject due
to attacks we noticed there as well[2].

> It seems the tor project, or its designated volunteers, are increasing controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.
>
> We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?

The Tor Project is not running the network. It's comprised of relays run
mostly by volunteers. I am actually not really sure either what you are
proposing to be honest. Shall we just keep the relays attacking our
users in the network instead?

Georg

[snip]

[1]
Criteria for rejecting bad relays · Wiki · The Tor Project / Network Health / Team · GitLab
[2]
Rejected fingerprints found in attacks · Wiki · The Tor Project / Network Health / Team · GitLab

>
> ---------- Original Message ----------
> On Wed, November 10, 2021 at 8:59 AM, Georg Koppen<gk@torproject.org> wrote:
> Hello everyone!
>
> Some of you might have noticed that there is a visible drop of relays on
> our consensus-health website.[1] The reason for that is that we kicked
> roughly 600 non-exit relays out of the network yesterday. In fact, only
> a small fraction of them had the guard flag, so the vast majority were
> middle-only relays. We don't have any evidence that these relays were
> doing any attack, but there are attacks possible which relays could
> perform from the middle position. Therefore, we decided we'd remove
> those relays for our users' safety sake.
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> tor-relays Info Page
>

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

--
The Tor Project
Community Team Lead

1. Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages. This also opens up a convenient channel for "adversaries" to harass or even coerce the relay operators.

   Contact info isn’t limited to email. CIISS currently allows⁽¹⁾ even a Twitter account or an XMPP JID, and in required fields you may provide a home page URL instead of a plain email.

   However, email addresses exposed that was see nearly no spam. While I see the issue and I am happy there are other options, in the current state of affairs I am less concerned about publishing the email address in my ContactInfo than revealing it in this particular message. Neither is very attractive to spammers, but the latter may trigger some people to spam me to just prove how wrong I am.

2. Middle relays can be used for attacking and the only defense being "list your email addresses or else we'll kick you out" throws a sizable wretch into the credibility and technical soundness of the whole project. If the "adversaries" are capable of de-anonymize tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?

   You are assuming those are adversaries, who do that intentionally. Instead of nodes being misconfigured and their operators not reachable to resolve the issues.

   For adversaries it is a noticeable cost. Deploying 500 nodes is cheap and automatic. Hiring people, to respond to email in a manner that doesn’t instantly reveal they are call center drones, is having neither of those properties.

···

____
⁽¹⁾ ContactInfo-Information-Sharing-Specification | A specification for tor’s ContactInfo field.

Gus,

I have to agree with z-relay on these points.

I won’t even provide an obfuscated contact email in my torrc to avoid spam. I could setup a dedicated email for Tor operation, but I’d likely find my relays down prior to checking it.

Case in point… When registering a domain name, I’ve gotten to the point where I use a disposable phone number and email address, due to the amount of spam generated from such a transaction.

Presently, I like how Tor notifies me of any issues with my configuration in the torlog and provides recommendations on how to remedy them.

I believe you will find that asking for operators to provide contact address information for an anonymizing service will always be a struggle–it’s the nature of the service and those that subscribe to it.

BTW… My ISP does have my contact/billing information, but doesn’t require it be publish publicly.

Respectfully,

Gary

···


This Message Originated by the Sun.
iBigBlue 63W Solar Array (~12 Hour Charge)

  • 2 x Charmast 26800mAh Power Banks
    = iPhone XS Max 512GB (~2 Weeks Charged)

On Thursday, November 11, 2021, 5:59:45 AM PST, gus gus@torproject.org wrote:

Hi,

On Wed, Nov 10, 2021 at 09:14:58PM +0000, z-relay— via tor-relays wrote:

I’ll throw in my 2 cents.

Limitations with current approach:

  1. Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages.

I’m running relays and spam is not an issue. It’s a pain if you’re
running exit nodes, then you will get abuse notifications from your ISP.

And if spam is an issue for you, you could manage that using GitLab
Service Desk feature, for example:
https://docs.gitlab.com/ee/user/project/service_desk.html

This also opens up a convenient channel for “adversaries” to harass or even coerce the relay operators.

Actually, that would be quite stupid from their part to do that… by
email. Anyway, if that happens, contact us.

Anyway, my question is:

Why your ISP can contact you, but the Tor Community can’t have
an easy way to reach out to an operator?

  1. Middle relays can be used for attacking and the only defense being “list your email addresses or else we’ll kick you out” throws a sizable wretch into the credibility and technical soundness of the whole project. If the “adversaries” are capable of de-anonymize tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?

Some suggestions to consider:

  1. Since the DAs and the relays already know each others’ IP addresses and public ID keys. Perhaps tor can add a feature where the DAs can send authenticated and encrypted short messages to the relays, which can then verify the messages and log them in syslog or log files as configured in torrc.

The messages can be something along the lines of “Your relay is misconfigured in ABC ways, please do XYZ to fix it. Contact our help desk at ***@torproject.org if you have questions or need further assistance.”.

  1. As a stop term solution before this feature can be implemented would be listing all the misconfigured relays on a page hosted by torproject.org, and make the page easy to discover by linking to it on relay help pages. Same idea here, I’m sure many are happy to reach out for instructions to correct any misconfigurations, but that does not mean all of us are excited about publishing an email address in a public list, nor it is technically necessary.

Thanks for your suggestion. But, in my experience, unrecommended relays
are already listed on Metrics page and operators didn’t act/notice until
we got in touch and asked them to upgrade.

Gus


From: Georg Koppen ‘gk at torproject.org’ <z-relay+tor-relays=lists.torproject.org@zestypucker.anonaddy.me>
Sent: Wednesday, November 10, 2021 6:40 PM
To: z-relay@zestypucker.anonaddy.me <z-relay@zestypucker.anonaddy.me>
Subject: Re: [tor-relays] Recent rejection of relays

Jonas via tor-relays:

Where is this criteria documented?

I am not sure what criteria you mean but we have our bad-relay
criteria[1] documented at our wiki and keep fingerprints we reject due
to attacks we noticed there as well[2].

It seems the tor project, or its designated volunteers, are increasing controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an “online service provider” or “online platform” and subjects one to all sorts of regulations and compliance regimes.

We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?

The Tor Project is not running the network. It’s comprised of relays run
mostly by volunteers. I am actually not really sure either what you are
proposing to be honest. Shall we just keep the relays attacking our
users in the network instead?

Georg

[snip]

[1]
https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-rejecting-bad-relays
[2]
https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Rejected-fingerprints-found-in-attacks

---------- Original Message ----------
On Wed, November 10, 2021 at 8:59 AM, Georg Koppen<gk@torproject.org> wrote:
Hello everyone!

Some of you might have noticed that there is a visible drop of relays on
our consensus-health website.[1] The reason for that is that we kicked
roughly 600 non-exit relays out of the network yesterday. In fact, only
a small fraction of them had the guard flag, so the vast majority were
middle-only relays. We don’t have any evidence that these relays were
doing any attack, but there are attacks possible which relays could
perform from the middle position. Therefore, we decided we’d remove
those relays for our users’ safety sake.


tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


The Tor Project

Community Team Lead


tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Gus,
I have to agree with z-relay on these points.
I won't even provide an obfuscated contact email in my torrc to avoid spam. I could setup a dedicated email for Tor operation, but I'd likely find my relays down prior to checking it.
Case in point... When registering a domain name, I've gotten to the point where I use a disposable phone number and email address, due to the amount of spam generated from such a transaction.
Presently, I like how Tor notifies me of any issues with my configuration in the torlog and provides recommendations on how to remedy them.
I believe you will find that asking for operators to provide contact address information for an anonymizing service will always be a struggle–it's the nature of the service and those that subscribe to it.
BTW... My ISP does have my contact/billing information, but doesn't require it be publish publicly.
Respectfully,

What exactly is stopping you to use this email address as your relay contact_info?
This is a *public* mailing list.

cheers,
Gus

···

On Thu, Nov 11, 2021 at 03:35:26PM +0000, Gary C. New via tor-relays wrote:

Gary—
This Message Originated by the Sun.
iBigBlue 63W Solar Array (~12 Hour Charge)
+ 2 x Charmast 26800mAh Power Banks
= iPhone XS Max 512GB (~2 Weeks Charged)

    On Thursday, November 11, 2021, 5:59:45 AM PST, gus <gus@torproject.org> wrote:

Hi,

On Wed, Nov 10, 2021 at 09:14:58PM +0000, z-relay--- via tor-relays wrote:
> I'll throw in my 2 cents.
>
> Limitations with current approach:
>
> 1. Asking all relay operators to list their email addresses in the public relay list is largely equivalent to asking them to invite tens of thousands of spam emails into their inboxes and having to either ignore most of them or set up aggressive filtering rules which can easily bounce legitimate messages.

I'm running relays and spam is not an issue. It's a pain if you're
running exit nodes, then you will get abuse notifications from your ISP.

And if spam is an issue for you, you could manage that using GitLab
Service Desk feature, for example:
Service Desk | GitLab

>This also opens up a convenient channel for "adversaries" to harass or even coerce the relay operators.

Actually, that would be quite stupid from their part to do that... by
email. Anyway, if that happens, contact us.

Anyway, my question is:

Why your ISP can contact you, but the Tor Community can't have
an easy way to reach out to an operator?

> 2. Middle relays can be used for attacking and the only defense being "list your email addresses or else we'll kick you out" throws a sizable wretch into the credibility and technical soundness of the whole project. If the "adversaries" are capable of de-anonymize tor users by simply running a middle relay that by design knows neither the real sources nor the real destinations of the traffic through it, I wonder how hard would it be for them to set up an email address?
>
> Some suggestions to consider:
>
> 1. Since the DAs and the relays already know each others' IP addresses and public ID keys. Perhaps tor can add a feature where the DAs can send authenticated and encrypted short messages to the relays, which can then verify the messages and log them in syslog or log files as configured in torrc.
>
> The messages can be something along the lines of "Your relay is misconfigured in ABC ways, please do XYZ to fix it. Contact our help desk at ***@torproject.org if you have questions or need further assistance.".
>
> 2. As a stop term solution before this feature can be implemented would be listing all the misconfigured relays on a page hosted by torproject.org, and make the page easy to discover by linking to it on relay help pages. Same idea here, I'm sure many are happy to reach out for instructions to correct any misconfigurations, but that does not mean all of us are excited about publishing an email address in a public list, nor it is technically necessary.
>

Thanks for your suggestion. But, in my experience, unrecommended relays
are already listed on Metrics page and operators didn't act/notice until
we got in touch and asked them to upgrade.

Gus

> ________________________________
> From: Georg Koppen 'gk at torproject.org' <z-relay+tor-relays=lists.torproject.org@zestypucker.anonaddy.me>
> Sent: Wednesday, November 10, 2021 6:40 PM
> To: z-relay@zestypucker.anonaddy.me <z-relay@zestypucker.anonaddy.me>
> Subject: Re: [tor-relays] Recent rejection of relays
>
>
> Jonas via tor-relays:
> > Where is this criteria documented?
>
> I am not sure what criteria you mean but we have our bad-relay
> criteria[1] documented at our wiki and keep fingerprints we reject due
> to attacks we noticed there as well[2].
>
> > It seems the tor project, or its designated volunteers, are increasing controlling and managing the network. In the Swiss Federation and EU this turns the tor project into an "online service provider" or "online platform" and subjects one to all sorts of regulations and compliance regimes.
> >
> > We already get enough requests from the police regarding relays hosted in our datacenters. Shall we point them at tor as the network operator?
>
> The Tor Project is not running the network. It's comprised of relays run
> mostly by volunteers. I am actually not really sure either what you are
> proposing to be honest. Shall we just keep the relays attacking our
> users in the network instead?
>
> Georg
>
> [snip]
>
> [1]
> Criteria for rejecting bad relays · Wiki · The Tor Project / Network Health / Team · GitLab
> [2]
> Rejected fingerprints found in attacks · Wiki · The Tor Project / Network Health / Team · GitLab
>
> >
> > ---------- Original Message ----------
> > On Wed, November 10, 2021 at 8:59 AM, Georg Koppen<gk@torproject.org> wrote:
> > Hello everyone!
> >
> > Some of you might have noticed that there is a visible drop of relays on
> > our consensus-health website.[1] The reason for that is that we kicked
> > roughly 600 non-exit relays out of the network yesterday. In fact, only
> > a small fraction of them had the guard flag, so the vast majority were
> > middle-only relays. We don't have any evidence that these relays were
> > doing any attack, but there are attacks possible which relays could
> > perform from the middle position. Therefore, we decided we'd remove
> > those relays for our users' safety sake.
> > _______________________________________________
> > tor-relays mailing list
> > tor-relays@lists.torproject.org
> > tor-relays Info Page
> >
>
>
>
>

> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> tor-relays Info Page

--
The Tor Project
Community Team Lead
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page
  
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

--
The Tor Project
Community Team Lead

+1 to the sentiment behind that query.

Personally I have no requirement for anonymity about the fact that I run Tor relays, so that may colour my views, and may influence what others think about my views. But I do sometimes despair about the angst some people display over not wanting an email address associated with one or more relays. In my experience of close to a decade or more of running relays, with a clear email address in my config file, I have not experienced any spam which I could attribute to that fact. Nor have I seen much in the way of spam to /this/ address, which as Gus has pointed out, is visible on a public mailing list.

Please just add a proper contact address to your relay(s). It will help the project, and will hardly hurt you at all.

Best

Mick

···

On 11 November 2021 17:17:40 GMT, gus <gus@torproject.org> wrote:

What exactly is stopping you to use this email address as your relay contact_info?
This is a *public* mailing list.

cheers,
Gus

--
Sent from a mobile device. Please excuse my brevity.
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 Like

Georg Koppen:

Hello everyone!

Some of you might have noticed that there is a visible drop of relays on our consensus-health website.[1] The reason for that is that we kicked roughly 600 non-exit relays out of the network yesterday. In fact, only a small fraction of them had the guard flag, so the vast majority were middle-only relays. We don't have any evidence that these relays were doing any attack, but there are attacks possible which relays could perform from the middle position. Therefore, we decided we'd remove those relays for our users' safety sake.

While we were already tracking some of the relays for a while, a big chunk of them was also independently reported by a cypherpunk and nusenu helped analyzing the data. Thanks to both of them from our side.

Foe what it is worth: a large part of those relays did not set any valid contact info and/or when we tried to contact some of the relays' operators the emails bounced. However, we sometimes need to have ways to reach relay operators, be it for debugging purposes or for helping them with relay misconfiguration. Thus, please set a valid contact info when running relays.

Finally, anyone running relays: try to get connected to the community so we can build some trust among each other. That seems to be an essential part in our long-term strategy to fight bad relays trying to enter our network.

For anyone wondering when a blog post will show up related to the rejections I wrote about above, it seems nusenu has written one:

Make sure to scroll down to the Appendix, though, if you want to see graphs which actually show this rejection. The very first one is confusing as it seems to imply the attacker is still on the network/the attack is ongoing. But that's not the case as far as we know.

An important thing to note as well is making sure *not* to actually use the proposed self-defense as-is. It's not mentioned in the blog post but at the repository linked to:

"""
NOTE: This PoC is NOT fit for general use and not meant to be used by end-users!
"""

We have not finished our analysis for the relay group nusenu is talking about in the blog post, so not sure yet about the findings mentioned there. However, it's nice to see external parties being as vigilant as we in trying to make sure our users have a safe Tor experience. More of that please. :slight_smile:

Georg

1 Like

Could you please list me the massiv malicious actor networks that the Tor Project found out by itself in the last years?

···

On 1. Dec 2021, at 14:32, Georg Koppen <gk@torproject.org> wrote:

We have not finished our analysis for the relay group nusenu is talking about in the blog post, so not sure yet about the findings mentioned there. However, it’s nice to see external parties being as vigilant as we in trying to make sure our users have a safe Tor experience. More of that please. :slight_smile:

abuse department:

Could you please list me the massiv malicious actor networks that the Tor Project found out by itself in the last years?

I am not sure what your criteria for "massive" are but I can try to provide an answer as good as I can.

First, I don't have hard data for the "last years", partly because we did not spend time to collect that data and partly because we did not look closely enough ourselves. Both changed at the begin of this year as it turned out that relying to a large extent on external contributions in this area of our work is not a smart idea for a number of reasons.

Now, while I won't link to any "massiv malicious actor networks" I can link to all the fingerprints we rejected because we found the related relays doing attacks on the network:

As I said in another thread on this list[1] those fingerprints are collected on a monthly basis. While, in general, there is no guarantee that all of those fingerprints are found by Tor Project folks/employees (I don't think at this point it is worth spending time trying to differentiate between Tor Project-found/external contributors-found malicious actors) I took the time to look up the history of all of them as far as we have it.

Apart from 1 fingerprint mentioned in that wiki all of them got reported by our scanners or as a result of our own investigation. That's 680/681 and is not including the massive sybil attack in May, nusenu reported as well.[2] Maybe that's one of those massive malicious actor networks you have in mind? If so, yes, we caught it by ourselves.

I don't know what goal you had in mind with your question, but I hope the above helps a bit at least.

Georg

[1] [tor-relays] malicious exit relays by andrejgvozdev55 at gmail.com
[2] [tor-relays] say hi (and goodbye) to >1000 new exit relays at OVH

···

On 1. Dec 2021, at 14:32, Georg Koppen <gk@torproject.org> wrote:

We have not finished our analysis for the relay group nusenu is talking about in the blog post, so not sure yet about the findings mentioned there. However, it's nice to see external parties being as vigilant as we in trying to make sure our users have a safe Tor experience. More of that please. :slight_smile:

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

1 Like