Silk Road forums

Discussion => Security => Topic started by: bp on July 17, 2011, 09:52 am

Title: Anyone adding the exclude nodes list
Post by: bp on July 17, 2011, 09:52 am
into the torrc file?
The list of supposedly bad (dangerous) nodes listed at the tor project site?
I went ahead and did it. It seems adding nodes would be the most dangerous thing you could do if they were unknown.
Just wondering what the smart guys do.
Title: Re: Anyone adding the exclude nodes list
Post by: bp on July 20, 2011, 01:11 am
Found here: http://xqz3u5drneuzhaeo.onion/users/badtornodes/
by browsing the hidden wiki or a mirror... when you can connect.
Title: Re: Anyone adding the exclude nodes list
Post by: emanresu on July 20, 2011, 01:30 am
Tor project suggests that you do not exclude nodes. They already exclude nodes from the directory servers if they detect them as bad. Some of the nodes listed in many of the 'omg bad nodes' lists are excluded for stupid reasons.
Title: Re: Anyone adding the exclude nodes list
Post by: bp on July 20, 2011, 01:49 am
These people, it seems, did a comparison and observed injected/modified data between the same connection sent through the nodes marked as "bad".
I was reading up a bit on configuring Tor for custom circuits. Using a 2-hop circuit through confirmed good nodes and a known good exit node can be used as a benchmark for testing whether data is being modified through a given node or circuit. Whether that modification is malicious or threatening to your security is another case, as it isn't always apparent.
Title: Re: Anyone adding the exclude nodes list
Post by: CrunchyFrog on July 20, 2011, 04:00 am
What legitimate reason would a relay operator have for modifying *anything* passing through his/her node?  Aside from adding/removing encryption (as required), none that I can think of.  And if (s)he does, is it malicious or just misconfiguration?  Who knows?

There are just too many other relays out there that *don't* screw with their traffic -- or have "unusual" exit policies -- to deal with the ones that do, IMO.  Figure that at worst you're losing the use of a few dozen relays out of several hundreds.  Plus, exiting (or entering) through a relay operating in an IP block (or subnet) associated with the U.S. government doesn't strike me as entirely without risk.  But that's just me.  ;)
Title: Re: Anyone adding the exclude nodes list
Post by: ierjwiew on July 20, 2011, 10:06 am
At worst you are using a partitioned set of relays that most Tor users don't exclusively use, which could open you up to attacks. It's the same reason why you need to use at least two entry guards from different families; if you use one entry guard you can never use an exit from its family, and this allows an attacker to see 'hey he never uses exits from this family so his entry is probably in the family!' I don't think using the exclude node list is quite as bad, but Tor project already removes nodes that modify the stream from the directory authority. If there is some simple test to run to detect bad nodes, Tor project is already removing them from the directory authority servers. They do quite a few scripted tests on the Tor network to remove bad nodes from even being listed. So although I cannot immediately think of a specific reason not to use this exclude node list, I know that in general Tor project suggests against making changes like this, and indeed it does partition your relays, although I am not sure how bad the attacks that lead from this specific instance could be.
Title: Re: Anyone adding the exclude nodes list
Post by: Kind Bud on July 20, 2011, 02:53 pm
Can someone provide torproject.org links (or elsewhere) where this is discussed? I read through the badtornodes pages but would love some veteran Tor operators' opinions.
Title: Re: Anyone adding the exclude nodes list
Post by: btcfreedom on July 20, 2011, 03:52 pm
Tor project suggests that you do not exclude nodes. They already exclude nodes from the directory servers if they detect them as bad. Some of the nodes listed in many of the 'omg bad nodes' lists are excluded for stupid reasons.

Just proxy two, maybe three times to another country, and change your identity during every session. Problem solved. No need to fuck with torrc file.