Everyone is running a reduced exit policy ... I only allow HTTP + HTTPS and I know nobody who allows port 25 .... at the end of the day we all shape our exit traffic.
Markus

2016-10-04 21:42 GMT+02:00 Roger Dingledine <a...@mit.edu>:

> On Tue, Oct 04, 2016 at 10:21:14AM -0500, BlinkTor wrote:
>> The technical problem is that implementing IPS in Tor would be massively
>> non-trivial.[...]
>>
>> The political problem is, what gets blocked by TIPS and what doesn't? Who
>> gets to decide? What if some of those brute-force SSH or DOS attacks are
>> "good guys" trying to crack the "bad guy" servers? Is that
>> legitimate Tor traffic? Who gets to decide who are the good/bad guys? Could
>> we agree on a base level of protection, perhaps by relay operator consensus?
>> Etc.
>
> Another challenge here is that many lawyers have told us that you change
> your legal situation if you start choosing which traffic to allow
> through. Specifically, if you just pass bytes back and forth, you're
> essentially in the common carrier situation, like backbone telcos and
> backbone Internet providers. But if you make a list of topics or messages
> or patterns to block, then it becomes your responsibility to make that
> list perfect, and your fault if you leave something out of your list.
>
> So it would seem that using an IPS is fundamentally dangerous for relay
> operators.
>
> I've heard that this logic applies both in the US and in Europe. But
> it's been a while since we've had an actual lawyer look at the topic.
> Maybe this is a great question for each of the torservers.net umbrella
> orgs to ask their friendly nearby lawyers who are wanting to help them?
>
> There is also the separate but related question of wiretapping: blocking
> some traffic based on patterns in the request content implies looking at
> the traffic, which relay operators typically do not have permission to
> do. While ISPs typically make their customers sign an agreement that they
> will be surveilled (and I guess they ignore the concept of jurisdictions
> that require consent from both sides), Tor relay operators do not have
> that agreement -- and they can't really get it, because their 'users'
> are all the Tor users.
>
> In summary, I totally get why hosting providers would want to ask relay
> operators to monitor their traffic and block certain activities by
> examining connection payloads, and that's to make their lives easier,
> not for any legal requirement. But it would appear there are some legal
> reasons why Tor relay operators might (should?) hesitate to deploy
> an IPS on their traffic, and those legal reasons are probably not as
> well-understood as they could be.
>
> Do any of the torservers umbrella orgs want to pick this one up and do
> something with it? I remember hearing Pepijn cite a specific EU law that
> says European relay operators aren't liable for their traffic so long
> as they don't mess with it.
>
> One of the goals would be for relay operators to better understand the
> tradeoff they should consider when deciding whether to do the thing
> that their ISP asks for. Another goal would be for the ISP to better
> understand what they're asking from the relay operators.
>
> --Roger
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays