I was contacted by the operator of oompaloompa. He has changed the exit policy of his two nodes to the "Reduced" policy:

http://torstatus.blutmagie.de/router_detail.php?FP=775df6b8cf3fb0150a594f6e2b5cb1e0ac45d09b
http://torstatus.blutmagie.de/router_detail.php?FP=babbf0694251e5aff7bf3a0a02efdc12cb99b05f

He said that he started those two nodes as a test to experiment with Tor, and picked the exit policy quickly off the top of his head, keeping it brief because it was tedious to write.

He also gave the following reasons why one might want an exit policy like this (though he said none of these were his reasons):

1. Crypto may not be legal

The problem with this is that Tor is already pumping a ton of crypto that was designed to look as much like web TLS as possible. Changing your exit policy doesn't really help this.

2. IDSs could prevent attacks

This would be a great idea in theory, if it ever worked. In practice, IDSs end up being censorship devices for security mailing lists, exploit advisory info, and other information on computer security. We've actually already BadExited quite a few of these types of nodes, because our exit scanner detects the censorship.

3. Plausible deniability due to eliminating additional TLS fingerprints

This is an interesting one, and I think I misread what he meant when he first said it, but if it means not having the additional TLS fingerprints of Tor client traffic so that your TLS traffic doesn't stand out in the Tor noise, I don't think this works out for you. You end up being obvious because your node would not exit to any TLS ports.

At any rate, because the Exit Policy has changed, I've personally updated my authority to remove the BadExit. I believe we're still waiting on one of Roger or Peter.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs