I'll be your Middle any time. (Since you probably can't reach me for your Guard.) Good luck, friend.
On Wed, Apr 4, 2018, 00:05 <jackoream...@tutanota.com> wrote:

> For those who may skip emails by the subject line, I resend my own email.
>
> There is a sinking feel in general over here, where a bunch of us learn
> more about Tor. We learnt we cannot run our own relays because here
> censorship is very strong; at the same time, we realize we have many relay
> operators in other countries to thank, for giving us a window into the
> world.
>
> Thank you. And I write this email over Tor.
>
> - Jack
>
>
> Date: 4. Apr 2018 03:55
> From: jackoream...@tutanota.com
> To: tor-relays@lists.torproject.org
> Cc: tor-relays@lists.torproject.org
> Subject: Re: [tor-relays] tor-relays Digest, Vol 87, Issue 4
>
> We had some more discussions over here, and someone pointed out a key fact
> which we novices did not get at first - the Tor network does not REALLY
> trust the relay operators until the directory authorities DAs (whose IPs
> are hardcoded into the source code) can check them out and then vote about
> what they have learnt about these relays. If relays pass that test, they
> get onto a live document called the "Consensus" (between the DAs). So new
> clients to the network trust these DAs and they trust the consensus reached
> by the DAs. That is how new clients learn the network topology and find
> relays to connect to.
>
> So we were wrong on a few points:
> (1) we thought we can contribute to the relay networks without being
> detected, but basically no - you cannot contribute to the relay network
> unless you are in the consensus, and if you are in the consensus, your IP
> address is world readable.
> (2) a private bridge is providing relay WITHOUT publishing descriptors to
> the consensus, so it is a hybrid creature: (a) it appears as a client to
> the Tor network proper, being hidden from the consensus, and therefore
> cannot help relay traffic; (b) it appears as a relay server to connecting
> clients but unlike relays already on the consensus certain clients trust it
> because they know about the private bridge from channels they trust outside
> the Tor consensus; and these clients gain an extra measure of security from
> whatever obfuscation the bridge can offer.
>
> So by design, Tor does not trust and cannot completely trust a relay that
> just pops up one day. There is no way for Tor DAs to work with a relay
> node that hides itself behind a VPN.
>
> So in the area where we live, if we run a relay, we will be caught, plain
> and simple. No way around it. No way for us to contribute by running a
> relay. Zero, nada. We utterly depend on bridges hosted outside our
> geography, to have any hope of accessing Tor. Some of us who have
> facilities in another country might help, but for us that is comparatively
> difficult and expensive.
>
> The only reason I can access the "outside world" is due to people who
> host bridges for us. If you guys pack and go home, nothing we can do.
> Zero, nada. I am writing this email over Tor.
>
> - Jack
>
> 3. Apr 2018 16:02 by developm...@jivanamara.net:
>
> Hey Jack,
>
> Here's my understanding of your concerns, anyone else please chime in if
> I'm mistaken anywhere.
>
> For running a normal relay compared to a client connecting to a relay
> via obfs4, it's less likely to be discovered by examining the content of
> traffic. The obfs4 protocol is designed to disguise the connection
> between a client (i.e. torbrowser). Once the traffic hits a relay, the
> interaction between relays contains fewer opportunities to identify it as
> tor traffic as opposed to any other encrypted traffic.
>
> That being said, there are a couple of other things that would make it
> very easy to identify a TOR relay. First, by default, relays are listed
> for anyone to examine.
>
> Second, if the authorities are watching, the change in traffic to/from
> your home computer will be pretty obvious.
>
> Regarding your concerns about children being inappropriately exposed to
> the dark web, running a relay will make very little difference compared
> to not running one. For your children to see the content of the dark
> web they'll need to install torbrowser (or equivalent) and that's going
> to be the same whether or not you're running a relay. The only
> potential difference is that if in your area it's very difficult to
> connect to the tor network and your children know you're running a
> relay, with some knowledge they could configure torbrowser to connect
> first to your relay. In some sense, if the authorities are successful
> in blocking access to the tor network, you could be enabling their romps
> on the dark web.
>
> HTH
>
> Jivan
>
>
> On 04/03/2018 02:38 AM, tor-relays-requ...@lists.torproject.org wrote:
>
> Today's Topics:
>
>    1. Re: failed setup of obfs4 on relay (jackoream...@tutanota.com)
>    2. Re: failed setup of obfs4 on relay (jackoream...@tutanota.com)
>    3. Re: Estimation of bridge traffic / Bridge or relay needed?
>       (jackoream...@tutanota.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 3 Apr 2018 05:00:18 +0200 (CEST)
> From: <jackoream...@tutanota.com>
> To: <tor-relays@lists.torproject.org>
> Cc: <tor-relays@lists.torproject.org>
> Subject: Re: [tor-relays] failed setup of obfs4 on relay
> Message-ID: <l98ret7--...@tutanota.com>
> Content-Type: text/plain; charset="utf-8"
>
> Thank you all, that was very helpful. - Jack
>
> 30. Mar 2018 20:53 by a...@mit.edu:
>
> On Fri, Mar 30, 2018 at 04:52:23PM -0400, Roger Dingledine wrote:
>
> For obfs4, the active prober doesn't know the secret "cert" parameter,
>
> For far far more detail on the various pluggable transports and how
> they look on the wire, check out this awesome page that David Fifield
> put together:
>
> https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports
>
> --Roger
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
> ------------------------------
>
> Message: 3
> Date: Tue, 3 Apr 2018 10:38:38 +0200 (CEST)
> From: <jackoream...@tutanota.com>
> To: <tor-relays@lists.torproject.org>
> Cc: <tor-relays@lists.torproject.org>
> Subject: Re: [tor-relays] Estimation of bridge traffic / Bridge or
>       relay needed?
> Message-ID: <l99e63k--...@tutanota.com>
> Content-Type: text/plain; charset="utf-8"
>
> Want to follow up the discussion on encouraging people to run relays.
>
> The powers that be where I live now heavily frown upon VPN and Tor. And
> a fair number in our community is sensing further tightening in the air.
>
> Today we had a discussion, we had a lot of questions. I try to summarize
> below and see if we can fact-check and learn more.
>
> (1) Advocacy: Background - Someone raised the idea that we should each run
> a Tor relay in each of our houses. Someone said the powers that be cannot
> put all of us in jail if we get enough people to host Tor.
> A parent among
> us said, "I never before had an urge to run a VPN or Tor. But when running
> encryption and sharing a VPN tunnel with a criminal on the next packet is
> required to ensure your freedom to read BBC, you feel queasy and you worry
> what your underage kids might stumble on, things they are too young to deal
> with on the dark web. But losing the freedom to read BBC makes me feel
> beyond queasy, beyond nauseated, and bilious, and sick..." He used a few
> more adjectives that I cannot spell. There were non-technical users who
> expressed interest to run a non-exit relay, but only if they will be able
> to run an installer and click the next button and only use default
> options. And only if they can feel assured they understand the risks.
>
> (1.a) Their underage kids will not stumble on the dark web before they
> are old enough to know what they are doing. Underage kids should not be able to
> stumble on the dark web on the computer the Tor relay is run (and what must
> be done to assure that). And underage kids should not be able to stumble
> on the dark web by being on the same WIFI network in the house.
>
> (1.b) There are different degrees of fear of risks. Some are brave
> enough to run a non-relay in the house where they live. We think they need
> to assume they can be detected. Some were only willing to consider if the
> non-exit Tor cannot be easily detected.
> The definition of not easily
> varies:
> - as difficult to detect as the obfs4 bridge protocol (but someone said
> the bridge protocol only works between a Tor client and a Tor relay, but
> not between a Tor relay and another Tor relay; we have not been able to
> confirm this by our own efforts)
> - as difficult as the meek protocol (someone said the idea of meek is to
> encrypt Tor packets and send it to an unblocked IP/domain, where the traffic
> is decrypted and copied to a proper Tor network); someone said he is
> willing to run a meek server to accept incoming connections, but only if
> the outgoing connections are at least obfs4. Someone said if we have many
> thousands of these tiny meek nodes hosted at our home address, we offload
> the official meek proxies run on amazon and azure. And even if we
> contribute only 1kb/s each, it is going to be more than sharing the cost -
> the idea is we want a high level of household penetration so that the
> powers that be find it hard to clamp us down.
> - as difficult to detect as protected by a VPN. Someone said he would
> pay for a VPN package, run a relay on a machine which only talks to the
> world through the VPN. But someone said that works for a Tor client, but
> not for a relay because a relay would need to have its own IP and listen on
> certain ports on that IP, and so because your VPN exit point will not let
> you listen on any port numbers, even if he is willing to pay for a
> commercial VPN that exits in another country, his tor relay cannot accept
> incoming connections. Some people would give up running a non-exit if this
> cannot be done. The only IP they can access is where they sleep, and they
> want to be able to sleep well. Not just them, but their wife and their
> children need to sleep well too. Is the ability to accept incoming
> connections a requirement to running a non-exit relay?
>
> (2) There is a sentiment that we should get "every household to run a Tor"
> so that the powers that be will find it much harder to clamp down. Someone
> said he would install a Tor relay on every single computer he controls, to
> support journalism and news reporting, if what he contributes ONLY goes
> towards beating censorship against the media. He said he feels it is a
> much easier sell if the sole function of that node is to allow people
> living under censorship to read newspaper. He said if there is a funding
> campaign to deploy the onion enterprise toolkit for news media, he will
> want to direct his donation specifically to those. Or if he can run an
> exit relay ONLY for the BBC news domain. He said, then running Tor is
> a much easier sell to his family and friends. If the police brings him in,
> the back and forth will not be "we observed spams and hacks and viruses and
> copyright infringements on your IP", but the back and forth will just be
> "you are reading something you should not read on the web" and we can have
> a much better chance of advocating for "Tor relay in every home". We know
> in general Tor supports more network access than reading the news. But
> compared to countries where the freedom to run Tor exits are protected by
> law, living where we live we want to make it a much easier sell, and
> eventually to get a higher penetration so that the penetration itself
> becomes a barrier for the powers that be to clamp us down.
>
> And as we are not experts, and as we run real risks, and as we want our
> family to sleep well, we have framed our "requirements" or "prerequisites"
> to run Tor relays almost beyond the reasonable. You might want to call us
> paranoid. If there is a way for us paranoid people to run relays and to
> advocate, please help us.
>
> Jack
>
> 2. Apr 2018 07:36 by a...@mit.edu:
>
> On Mon, Apr 02, 2018 at 03:32:00AM -0400, grarpamp wrote:
>
> > https://www.torproject.org/docs/faq#RelayOrBridge
> >
> > "If you have lots of bandwidth, you should definitely run a normal relay.
> > If you're willing to be an exit, you should definitely run a normal
> > relay, since we need more exits. If you can't be an exit and only have a
> > little bit of bandwidth, be a bridge. Thanks for volunteering!"
>
> The 'normal's above are ambiguous and conflicting.
> Replace them with 'non-exit' and 'exit'.
>
> Ah, actually no, replace them with "relay" and "relay".
>
> In that text, "normal relay" is as opposed to "bridge relay".
>
> The FAQ text sure needs some updating.
>
> --Roger

--
Matthew Glennon
matthew@glennon.online
PGP Signing Available Upon Request
https://keybase.io/crazysane
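
Added example (not part of the original thread, and not Tor Project code): Jack's quoted message notes that a relay listed in the consensus has a world-readable IP address. The Python below parses the "r" and "s" entries of a consensus-style excerpt to show what is published per relay; the sample entries, nicknames, identities and function names are constructed for illustration, with addresses taken from documentation ranges.

```python
"""Constructed example: read relay addresses out of consensus "r"/"s" entries."""
import base64

# Constructed consensus excerpt in the dir-spec router-status layout:
#   r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
#   s <flags...>
# Identities are dummy values; addresses come from documentation ranges.
SAMPLE_CONSENSUS = """\
r ExampleMiddle AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-04-03 10:00:00 192.0.2.10 9001 0
s Fast Running Stable Valid
r ExampleGuard //////////////////////////8 AAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-04-03 11:30:00 198.51.100.7 443 80
s Fast Guard Running Stable V2Dir Valid
"""


def parse_consensus(text):
    """Return one dict per relay listed in the consensus text."""
    relays = []
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["r"] and len(fields) == 9:
            _, nick, ident, _digest, date, time, ip, orport, dirport = fields
            # The identity is unpadded base64 of the 20-byte key digest.
            raw = base64.b64decode(ident + "=" * (-len(ident) % 4))
            relays.append({
                "nickname": nick,
                "fingerprint": raw.hex().upper(),
                "published": f"{date} {time}",
                "address": ip,
                "or_port": int(orport),
                "dir_port": int(dirport),
                "flags": [],
            })
        elif fields[:1] == ["s"] and relays:
            relays[-1]["flags"] = fields[1:]  # flags voted by the authorities
    return relays


def is_listed(relays, address):
    """Return the entries whose public address matches; empty list if unlisted."""
    return [r for r in relays if r["address"] == address]


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    for r in relays:
        print(r["nickname"], r["address"], r["or_port"], ",".join(r["flags"]))
    print("203.0.113.5 listed:", bool(is_listed(relays, "203.0.113.5")))
```

An operator can run the same lookup against their own address to confirm whether it appears in a consensus document; a bridge that does not publish to the consensus will not appear in it.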