If you do a DNS lookup of torproject.org, you’ll find that one of the website’s hosts is Team Cymru:
Why is Tor being hosted on Team Cymru’s network, a data broker known to sell internet backbone data to companies? Their careers page states that “We do this through a suite of offerings that reduce business risk by providing attack surface + vulnerabilities + threats so both the C-suite and security teams gain the vantage points they need.” Translation: They sell data in the name of security.
Why is Tor giving a for-profit company like this permission to host the Tor Project website?
For the sake of my own curiosity: does it matter? Why should that be of great concern (particularly considering TLS and such) that IP access via Team Cymru would be more relevant than any other ISP, or more concerning than, say, an exit node in .ru?
Even if Team Cymru sells a slice of data that is netflow data thought to be Tor Browser downloads, let’s talk about what anyone would do with that data before we start using more tinfoil.
I’m not saying it’s not a valid question, but I would argue it would be more productive to discuss the potential harms involved in any entity providing IP access to torproject.org, and what ideally should be done about it.
Adding two sources to your OSINT:
Search Tor Project | People for Cymru and consider this (Faravahar) directory authority somehow affiliated to Cymru…
Ooooh, the Tor website is hosted by a Tor Project supporter. How terrible. Would Amazon, Google, Oracle, whatever cloud be better?
You can access the Tor website via the hidden service.
It’s commonly known that Rabbi Rob Thomas, founder and CEO of Team Cymru, is a member of The Tor Project’s Board of Directors & that Team Cymru is running Tor Relays.
Communities can get a free BGP-based anti-DDoS service from them for their ASN.
What someone might do is to deanonymize flows, which is exactly what Tor is supposed to prevent.
It doesn’t matter who hosts Tor’s Web site. It is a matter of concern that Cymru’s founder/boss is on the Tor Project’s board of directors. Sorry, Rob, even to me what you’re doing didn’t seem so harmful back in the day, but now it’s clearly not OK. And it’s a conflict of interest.
Oh, and by the way, the fact that it’s legal to collect those data in the first place, let alone aggregate them, is a bad public policy failure.