
Contacted by "oompaloompa" operator: BadExit removed



I was contacted by the operator of oompaloompa. He has changed the
exit policy of his two nodes to the "Reduced" policy:
http://torstatus.blutmagie.de/router_detail.php?FP=775df6b8cf3fb0150a594f6e2b5cb1e0ac45d09b
http://torstatus.blutmagie.de/router_detail.php?FP=babbf0694251e5aff7bf3a0a02efdc12cb99b05f

He said that he started those two nodes as a test to experiment with
Tor, and picked the exit policy quickly off the top of his head,
keeping it brief because it was tedious to write.

He also gave the following reasons why one might want an exit policy
like this (though he said none of these were his reasons):

1. Crypto may not be legal

The problem with this is that Tor is already pumping a ton of crypto
that was designed to look as much like web TLS as possible. Changing
your exit policy doesn't really help this.

2. IDSs could prevent attacks

This would be a great idea in theory, if it ever worked. In practice,
IDSs end up being censorship devices for security mailing lists,
exploit advisory info, and other information on computer security.
We've actually already BadExited quite a few of these types of nodes,
because our exit scanner detects the censorship.

3. Plausible deniability due to eliminating additional TLS fingerprints

This is an interesting one, and I think I misread what he meant when
he first said it, but if it means not having the additional TLS
fingerprints of Tor client traffic so that your TLS traffic doesn't
stand out in the Tor noise, I don't think this works out for you. You
end up being obvious because your node would not exit to any TLS
ports.


At any rate, because the Exit Policy has changed, I've personally
updated my authority to remove the BadExit. I believe we're still
waiting on one of Roger or Peter.



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
