For those who may skip emails by the subject line, I resend my own email.
There is a sinking feeling in general over here, where a bunch of us learn more
about Tor. We learnt we cannot run our own relays because here censorship is
very strong; at the same time, we realize we have many relay operators in other
countries to thank, for giving us a window into the world.
Thank you. And I write this email over Tor.
- Jack
Date: 4. Apr 2018 03:55
From: jackoream...@tutanota.com
To: tor-relays@lists.torproject.org
Cc: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] tor-relays Digest, Vol 87, Issue 4
> We had some more discussions over here, and someone pointed out a key
> fact which we novices did not get at first - the Tor network does not REALLY
> trust the relay operators until the directory authorities DAs (whose IPs are
> hardcoded into the source code) can check them out and then vote about what
> they have learnt about these relays. If relays pass that test, they get onto
> a live document called the "Consensus" (between the DAs). So new clients to
> the network trust these DAs and they trust the consensus reached by the DAs.
> That is how new clients learn the network topology and find relays to connect
> to.
>
> So we were wrong on a few points:
> (1) we thought we can contribute to the relay networks without being
> detected, but basically no - you cannot contribute to the relay network
> unless you are in the consensus, and if you are in the consensus, your IP
> address is world readable.
> (2) a private bridge is providing relay WITHOUT publishing descriptors to the
> consensus, so it is a hybrid creature: (a) it appears as a client to the Tor
> network proper, being hidden from the consensus, and therefore cannot help
> relay traffic; (b) it appears as a relay server to connecting clients but
> unlike relays already on the consensus certain clients trust it because they
> know about the private bridge from channels they trust outside the Tor
> consensus; and these clients gain an extra measure of security from whatever
> obfuscation the bridge can offer.
>
> So by design, Tor does not trust and cannot completely trust a relay that
> just pops up one day. There is no way for Tor DAs to work with a relay node
> that hides itself behind a VPN.
>
> So in the area where we live, if we run a relay, we will be caught, plain and
> simple. No way around it. No way for us to contribute by running a relay.
> Zero, nada. We utterly depend on bridges hosted outside our geography, to
> have any hope of accessing Tor. Some of us who have facilities in another
> country might help, but for us that is comparatively difficult and expensive.
>
> The only reason I can access the "outside world" is due to people who host
> bridges for us. If you guys pack and go home, nothing we can do. Zero,
> nada. I am writing this email over Tor.
>
> - Jack
>
> 3. Apr 2018 16:02 by developm...@jivanamara.net:
>
>
>> Hey Jack,
>>
>> Here's my understanding of your concerns, anyone else please chime in if
>> I'm mistaken anywhere.
>>
>> For running a normal relay compared to a client connecting to a relay
>> via obfs4, it's less likely to be discovered by examining the content of
>> traffic. The obfs4 protocol is designed to disguise the connection
>> between a client (i.e. torbrowser). Once the traffic hits a relay, the
>> interaction between relays contains fewer opportunities to identify it as
>> tor traffic as opposed to any other encrypted traffic.
>>
>> That being said, there are a couple of other things that would make it
>> very easy to identify a TOR relay. First, by default, relays are listed
>> for anyone to examine.
>>
>> Second, if the authorities are watching, the change in traffic to/from
>> your home computer will be pretty obvious.
>>
>> Regarding your concerns about children being inappropriately exposed to
>> the dark web, running a relay will make very little difference compared
>> to not running one. For your children to see the content of the dark
>> web they'll need to install torbrowser (or equivalent) and that's going
>> to be the same whether or not you're running a relay. The only
>> potential difference is that if in your area it's very difficult to
>> connect to the tor network and your children know you're running a
>> relay, with some knowledge they could configure torbrowser to connect
>> first to your relay. In some sense, if the authorities are successful
>> in blocking access to the tor network, you could be enabling their romps
>> on the dark web.
>>
>> HTH
>>
>> Jivan
>>
>>
>> On 04/03/2018 02:38 AM, tor-relays-requ...@lists.torproject.org wrote:
>>> Message: 1
>>> Date: Tue, 3 Apr 2018 05:00:18 +0200 (CEST)
>>> From: jackoream...@tutanota.com
>>> To: tor-relays@lists.torproject.org
>>> Cc: tor-relays@lists.torproject.org
>>> Subject: Re: [tor-relays] failed setup of obfs4 on relay
>>> Message-ID: <l98ret7--...@tutanota.com>
>>> Content-Type: text/plain; charset="utf-8"
>>>
>>> Thank you all, that was very helpful. - Jack
>>>
>>> 30. Mar 2018 20:53 by a...@mit.edu:
>>>
>>>
>>>> On Fri, Mar 30, 2018 at 04:52:23PM -0400, Roger Dingledine wrote:
>>>>> For obfs4, the active prober doesn't know the secret "cert" parameter,
>>>> For far far more detail on the various pluggable transports and how
>>>> they look on the wire, check out this awesome page that David Fifield
>>>> put together:
>>>>
>>>> https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports
>>>>
>>>> --Roger
>>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Tue, 3 Apr 2018 10:38:38 +0200 (CEST)
>>> From: jackoream...@tutanota.com
>>> To: tor-relays@lists.torproject.org
>>> Cc: tor-relays@lists.torproject.org
>>> Subject: Re: [tor-relays] Estimation of bridge traffic / Bridge or relay needed?
>>> Message-ID: <l99e63k--...@tutanota.com>
>>> Content-Type: text/plain; charset="utf-8"
>>>
>>> Want to follow up the discussion on encouraging people to run relays.
>>>
>>> The powers that be where I live now heavily frown upon VPN and Tor. And a
>>> fair number in our community is sensing further tightening in the air.
>>>
>>> Today we had a discussion, we had a lot of questions. I try to summarize
>>> below and see if we can fact-check and learn more.
>>>
>>> (1) Advocacy: Background - Someone raised the idea that we should each run
>>> a Tor relay in each of our houses. Someone said the powers that be cannot
>>> put all of us in jail if we get enough people to host Tor. A parent among
>>> us said, "I never before had an urge to run a VPN or Tor. But when running
>>> encryption and sharing a VPN tunnel with a criminal on the next packet is
>>> required to ensure your freedom to read BBC, you feel queasy and you worry
>>> what your underage kids might stumble on, things they are too young to deal
>>> with on the dark web. But losing the freedom to read BBC makes me feel
>>> beyond queasy, beyond nauseated, and bilious, and sick..." He used a few
>>> more adjectives that I cannot spell. There were non technical users who
>>> expressed interest to run a non-exit relay, but only if they will be able
>>> to run an installer and click the next button and only use default options.
>>> And only if they can feel assured they understand the risks.
>>>
>>> (1.a) Their underage kids will not stumble on the dark web before they
>>> are old enough to know what they are doing. Underage kids should not be able to
>>> stumble on the dark web on the computer the Tor relay is run (and what must
>>> be done to assure that). And underage kids should not be able to stumble
>>> on the dark web by being on the same WIFI network in the house.
>>>
>>> (1.b) There are different degrees of fear of risks. Some are brave
>>> enough to run a non-relay in the house where they live. We think they need
>>> to assume they can be detected. Some were only willing to consider if the
>>> non-exit Tor cannot be easily detected. The definition of not easily
>>> varies:
>>> - as difficult to detect as the obfs4 bridge protocol (but someone said
>>> the bridge protocol only works between a Tor client and a Tor relay, but
>>> not between a Tor relay and another Tor relay; we have not been able to
>>> confirm this by our own efforts)
>>> - as difficult as the meek protocol (someone said the idea of meek is to
>>> encrypt Tor packets and send it to a unblocked IP/domain, where the traffic
>>> is decrypted and copied to a proper Tor network); someone said he is
>>> willing to run a meek server to accept incoming connections, but only if
>>> the outgoing connections are at least obfs4. Someone said if we have many
>>> thousands of these tiny meek nodes hosted at our home address, we offload
>>> the official meek proxies run on amazon and azure. And even if we
>>> contribute only 1kb/s each, it is going to be more than sharing the cost -
>>> the idea is we want a high level of household penetration so that the
>>> powers that be find it hard to clamp us down.
>>> - as difficult to detect as protected by a VPN. Someone said he would
>>> pay for a VPN package, run a relay on a machine which only talks to the
>>> world through the VPN. But someone said that works for a Tor client, but
>>> not for a relay because a relay would need to have its own IP and listen on
>>> certain ports on that IP, and so because your VPN exit point will not let
>>> you listen on any port numbers, even if he is willing to pay for a
>>> commercial VPN that exits in another country, his tor relay cannot accept
>>> incoming connections. Some people would give up running a non-exit if this
>>> cannot be done. The only IP they can access is where they sleep, and they
>>> want to be able to sleep well. Not just them, but their wife and their
>>> children need to sleep well too. Is the ability to accept incoming
>>> connections a requirement to running a non-exit relay?
>>>
>>> (2) There is a sentiment that we should get "every household to run a Tor"
>>> so that the powers that be will find it much harder to clamp down. Someone
>>> said he would install a Tor relay on every single computer he controls, to
>>> support journalism and news reporting, if what he contributes ONLY goes
>>> towards beating censorship against the media. He said he feels it is a
>>> much easier sell if the sole function of that node is to allow people
>>> living under censorship to read newspaper. He said if there is a funding
>>> campaign to deploy the onion enterprise toolkit for news media, he will
>>> want to direct his donation specifically to those. Or if he can run an
>>> exit relay ONLY for the BBC news domain. He said, then running Tor is
>>> a much easier sell to his family and friends. If the police bring him in,
>>> the back and forth will not be "we observed spams and hacks and viruses and
>>> copyright infringements on your IP", but the back and forth will just be
>>> "you are reading something you should not read on the web" and we can have
>>> a much better chance of advocating for "Tor relay in every home". We know
>>> in general Tor supports more network access than reading the news. But
>>> compared to countries where the freedom to run Tor exits is protected by
>>> law, living where we live we want to make it a much easier sell, and
>>> eventually to get a higher penetration so that the penetration itself
>>> becomes a barrier for the powers that be to clamp us down.
>>>
>>> And as we are not experts, and as we run real risks, and as we want our
>>> family to sleep well, we have framed our "requirements" or "prerequisites"
>>> to run Tor relays almost beyond the reasonable. You might want to call us
>>> paranoid. If there is a way for us paranoid people to run relays and to
>>> advocate, please help us.
>>>
>>> Jack
>>>
>>> 2. Apr 2018 07:36 by a...@mit.edu:
>>>
>>> On Mon, Apr 02, 2018 at 03:32:00AM -0400, grarpamp wrote:
>>>
>>> > https://www.torproject.org/docs/faq#RelayOrBridge
>>> >
>>> > "If you have lots of bandwidth, you should definitely run a normal relay.
>>> > If you're willing to be an exit, you should definitely run a normal
>>> > relay, since we need more exits. If you can't be an exit and only have a
>>> > little bit of bandwidth, be a bridge. Thanks for volunteering!"
>>>
>>> The 'normal's above are ambiguous and conflicting.
>>> Replace them with 'non-exit' and 'exit'.
>>>
>>>
>>> Ah, actually no, replace them with "relay" and "relay".
>>>
>>> In that text, "normal relay" is as opposed to "bridge relay".
>>>
>>> The FAQ text sure needs some updating.
>>>
>>> --Roger
>>>
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
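
Point (1) in the quoted message, that a relay in the consensus has a world-readable IP address, follows from the consensus format itself. The sketch below is an added example, not part of the original thread and not Tor's own code: it parses the `r` and `s` lines of a constructed consensus fragment to show what each listed relay publishes, and that an unlisted bridge address matches nothing. The nicknames, keys, helper names and RFC 5737 addresses are all made up for illustration.

```python
import base64
from dataclasses import dataclass, field


@dataclass
class RelayEntry:
    nickname: str
    fingerprint: str          # hex form of the base64 identity in the "r" line
    address: str              # IPv4 address, published to every client
    or_port: int
    dir_port: int
    flags: list = field(default_factory=list)


def b64_nopad(raw: bytes) -> str:
    """Base64 without trailing '=', the encoding used in consensus "r" lines."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def parse_consensus(text: str) -> list:
    """Collect router entries from a full (non-microdescriptor) consensus."""
    relays = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        # r nickname identity digest date time IP ORPort DirPort
        if parts[0] == "r" and len(parts) >= 9:
            ident = parts[2]
            raw = base64.b64decode(ident + "=" * (-len(ident) % 4))
            relays.append(RelayEntry(parts[1], raw.hex().upper(),
                                     parts[6], int(parts[7]), int(parts[8])))
        elif parts[0] == "s" and relays:
            relays[-1].flags = parts[1:]   # flags voted by the authorities
    return relays


def entries_for_address(relays: list, ip: str) -> list:
    """Return the consensus entries that publish the given address."""
    return [r for r in relays if r.address == ip]


# Constructed sample: invented nicknames and keys, RFC 5737 documentation IPs.
SAMPLE = "\n".join([
    "network-status-version 3",
    f"r ExampleRelayA {b64_nopad(bytes(range(20)))} {b64_nopad(bytes(20))} "
    "2018-04-03 01:00:00 192.0.2.10 9001 0",
    "s Fast Running Stable Valid",
    f"r ExampleRelayB {b64_nopad(bytes(range(20, 40)))} {b64_nopad(bytes(20))} "
    "2018-04-03 01:10:00 198.51.100.7 443 9030",
    "s Fast Guard Running Stable V2Dir Valid",
])

if __name__ == "__main__":
    relays = parse_consensus(SAMPLE)
    for r in relays:
        print(r.nickname, r.fingerprint, f"{r.address}:{r.or_port}", r.flags)
    # A private bridge publishes no descriptor to the consensus, so its
    # address (constructed here) matches nothing.
    print(entries_for_address(relays, "203.0.113.5"))
```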