Opened 6 years ago

Closed 3 years ago

#4923 closed enhancement (wontfix)

badexiting (or rejecting) relays from certain bad countries by default

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-auth
Cc: mikeperry, ln5
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Now that #4207 is in 0.2.3, we should set some default values for AuthDirBadExitCC.

We've got two directions we can go here.

First is to enumerate all countries that mess with their internet 'too much'. I bet there's a lot of them.

Second is to enumerate all countries that a) mess with their internet too much and b) also have a history of running relays that make people uncomfortable. Typically the relays happen in these countries because we have lots of users in the country and a few of them click 'help the world' in their Vidalia sharing window.

Syria and Iran come to mind. And China and Saudi Arabia after that.

Child Tickets

Change History (25)

comment:1 in reply to: description; Changed 6 years ago by rransom

Replying to arma:

Now that #4207 is in 0.2.3, we should set some default values for AuthDirBadExitCC.

Only dirauths that already vote on BadExit should set that option. Default values might be appropriate for the flag-relays-in-country-as-Invalid option, if there are a few countries which we consider too dangerous for any user in any country to ever connect to.

comment:2 Changed 6 years ago by arma

And Vietnam after those.

Except I notice torservers.net has an exit relay in Vietnam! Woah.

Looking at the Iran and Syria relays in the tor status list... I wonder if we might want to set AuthDirRejectCC on those instead. The downside is that we don't get to use those relays for exit testing. The upside is that somebody else looking at the tor status list doesn't get an easy enumeration of people in those countries who like Tor yet didn't understand quite what they were signing up for.

comment:3 in reply to: 1; Changed 6 years ago by arma

Replying to rransom:

Replying to arma:

Now that #4207 is in 0.2.3, we should set some default values for AuthDirBadExitCC.

Only dirauths that already vote on BadExit should set that option. Default values might be appropriate for the flag-relays-in-country-as-Invalid option, if there are a few countries which we consider too dangerous for any user in any country to ever connect to.

Why should only dirauths that vote on BadExit set the option? Is there some technical problem that happens if a different dirauth sets this option?

comment:4 in reply to: 3; Changed 6 years ago by rransom

Replying to arma:

Replying to rransom:

Replying to arma:

Now that #4207 is in 0.2.3, we should set some default values for AuthDirBadExitCC.

Only dirauths that already vote on BadExit should set that option. Default values might be appropriate for the flag-relays-in-country-as-Invalid option, if there are a few countries which we consider too dangerous for any user in any country to ever connect to.

Why should only dirauths that vote on BadExit set the option? Is there some technical problem that happens if a different dirauth sets this option?

At best, it would have no effect on those dirauths. At worst, it would make them start voting on the BadExit flag, and against BadExiting all relays not in the specified countries. (I should go RTFS.)

comment:5 in reply to: 4; Changed 6 years ago by rransom

Replying to rransom:

Replying to arma:

Why should only dirauths that vote on BadExit set the option? Is there some technical problem that happens if a different dirauth sets this option?

At best, it would have no effect on those dirauths. At worst, it would make them start voting on the BadExit flag, and against BadExiting all relays not in the specified countries. (I should go RTFS.)

authdir_policy_badexit_address's result eventually finds its way into node->is_bad_exit, but only gets into the consensus if the dirauth is configured to vote on BadExit:

  int listbadexits = options->AuthDirListBadExits;
  rs->is_bad_exit = listbadexits && node->is_bad_exit;

So, it would have no effect on those dirauths.

I agree with rejecting (instead of BadExiting) relays in countries in which it is likely dangerous to be identified as a Tor user.
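The mechanics rransom describes above, as an added example that is not Tor's own code: a simplified model of how an authority's AuthDirRejectCC / AuthDirBadExitCC / AuthDirListBadExits settings become its vote, and how votes become consensus entries. It assumes the dir-spec rules that a relay is listed when more than half of all authorities list it and that a flag is assigned when more than half of the authorities voting on that flag give it; the fingerprints and country codes are constructed sample data.

```python
# Added example, not Tor's own code: a simplified model of how an authority's
# AuthDirRejectCC / AuthDirBadExitCC / AuthDirListBadExits settings become a vote
# and how votes become consensus. Assumed dir-spec rules: a relay is listed when
# more than half of all authorities list it; a flag is assigned when more than
# half of the authorities that vote on that flag give it. Sample data is constructed.
from dataclasses import dataclass

@dataclass
class Authority:
    name: str
    list_bad_exits: bool = False               # AuthDirListBadExits
    bad_exit_cc: frozenset = frozenset()       # AuthDirBadExitCC
    reject_cc: frozenset = frozenset()         # AuthDirRejectCC

    def vote(self, relays):
        """Map fingerprint -> BadExit vote for every relay this authority lists."""
        vote = {}
        for fp, cc in relays.items():
            if cc in self.reject_cc:
                continue                       # rejected: left out of this vote entirely
            node_is_bad_exit = cc in self.bad_exit_cc   # what authdir_policy_badexit_address yields
            # rs->is_bad_exit = listbadexits && node->is_bad_exit
            vote[fp] = self.list_bad_exits and node_is_bad_exit
        return vote

def consensus(authorities, relays):
    """Return {fingerprint: has_BadExit} for the relays that reach the consensus."""
    votes = {a.name: a.vote(relays) for a in authorities}
    badexit_voters = [a.name for a in authorities if a.list_bad_exits]
    result = {}
    for fp in relays:
        if 2 * sum(fp in v for v in votes.values()) <= len(authorities):
            continue                           # not listed by a majority of authorities
        yes = sum(votes[n].get(fp, False) for n in badexit_voters)
        result[fp] = 2 * yes > len(badexit_voters)
    return result

# Constructed sample network: moria1 and tor26 configured as in comment:14 below.
RELAYS = {"SY0001": "sy", "IR0001": "ir", "DE0001": "de"}
AUTHORITIES = [
    Authority("moria1", True, frozenset({"sy", "ir"})),
    Authority("tor26", True, frozenset({"sy", "ir"})),
    Authority("urras", True),                  # votes on BadExit, no country policy
    Authority("gabelmoo"),                     # does not vote on BadExit at all
    Authority("dannenberg"),
]
```

With the sample data, two CC-configured authorities out of three BadExit voters are a majority; if a fourth authority starts voting on BadExit without the country policy, the same two votes no longer carry the flag.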

comment:6 Changed 6 years ago by phobos

I don't understand. We're going to censor access to exit relays because of some fears of governments messing with traffic after the exit relay? Might as well just shut down all of the exit relays then. Chinese users worry about US and EU relays. US and EU users worry about non-US and non-EU exit relays. Most of Europe censors their Internet to avoid child abuse materials and copyright violations. And what's to stop some censored country from just setting relays in a non-censored country?

comment:7 Changed 6 years ago by arma

Summary: badexiting certain bad countries by default → badexiting (or rejecting) relays from certain bad countries by default

comment:8 Changed 6 years ago by nickm

Milestone: Tor: unspecified

Somebody ought to invite all the directory authority ops to participate on this ticket, imo. They aren't all following the bugtracker.

comment:9 Changed 6 years ago by arma

Ok. Now that I am less ill, let me try to organize my thoughts here. There are three angles to look at here.

A) We could badexit relays in certain countries that censor the Internet "more than usual", so a Tor user doesn't end up failing to reach bbc just because she pops out of Vietnam. This idea is flawed because it assumes there is one "real" Internet yet in reality basically every place censors in one way or another. Just as we don't try to fight Google's geolocation to decide what language you get, we shouldn't badexit all of Australia just because they don't want me to learn about abortions.

B) We could badexit relays in certain countries that we know are logging citizens' traffic "more than usual". The original motivation here was Syria, since we see they have logs of what their citizens do online, and they secure them poorly. But as of 2009 Sweden has logs of their cross-border traffic via their FRA law. And I can't even enumerate the list of European countries that have deployed traffic header data retention -- and no doubt many of them secure their data sets poorly too.

C) We could outright reject relays from countries where a) we have no useful relays and b) we have lots of users and some of them seem to be unwisely clicking 'share'. Syria and Iran are the big examples here. A major downside to preemptively rejecting these relays is that we'd be turning down the possibility of having a good relay in these countries if one should appear. Another major downside is that we're taking the decision away from the people -- in plenty of other situations we say "I assume you know more about what's going on your country than we do." A more minor downside is that we wouldn't be able to track popularity as easily. A major upside is that these users wouldn't be unknowingly putting themselves in a list. Another major upside is that we'd stop freaking out users ("omg there's a relay in Syria it must be run by the government").

I think "A" and "B" are unwinnable, but I would be interested to see somebody try the "it's a question of degrees" argument.

I think there's a strong argument for trying to do "C" in Vidalia instead, by looking at the IP address Tor thinks it's using and having another "are you sure?" layer to becoming a relay. Though that said, if we wanted to do it in Vidalia maybe we should have thought of that before giving everybody the software.

comment:10 in reply to: 9; Changed 6 years ago by rransom

Replying to arma:

C) We could outright reject relays from countries where a) we have no useful relays and b) we have lots of users and some of them seem to be unwisely clicking 'share'. Syria and Iran are the big examples here. A major downside to preemptively rejecting these relays is that we'd be turning down the possibility of having a good relay in these countries if one should appear. Another major downside is that we're taking the decision away from the people -- in plenty of other situations we say "I assume you know more about what's going on your country than we do." A more minor downside is that we wouldn't be able to track popularity as easily. A major upside is that these users wouldn't be unknowingly putting themselves in a list. Another major upside is that we'd stop freaking out users ("omg there's a relay in Syria it must be run by the government").

I think there's a strong argument for trying to do "C" in Vidalia instead, by looking at the IP address Tor thinks it's using and having another "are you sure?" layer to becoming a relay. Though that said, if we wanted to do it in Vidalia maybe we should have thought of that before giving everybody the software.

The copy of Vidalia shipped in TBB should not support configuring the copy of Tor shipped in TBB to run as a relay.

comment:11 Changed 6 years ago by Sebastian

Another point is that geoip is pretty flawed, and we put the decision who can/can't be a relay into maxmind's hand. I think the whole feature is probably not useful, and having it on by default additionally gives a bad impression.

comment:12 in reply to: 10; Changed 6 years ago by arma

Replying to rransom:

Replying to arma:

I think there's a strong argument for trying to do "C" in Vidalia instead, by looking at the IP address Tor thinks it's using and having another "are you sure?" layer to becoming a relay. Though that said, if we wanted to do it in Vidalia maybe we should have thought of that before giving everybody the software.

The copy of Vidalia shipped in TBB should not support configuring the copy of Tor shipped in TBB to run as a relay.

That would make me pretty sad. It may be the case that many users of TBB wouldn't make good relays, but that doesn't mean we should preemptively prevent all of them from even trying.

I guess the main "feature" of this approach is that we don't sucker users into running a relay when the network would probably choose to ignore it anyway?

comment:13 in reply to: 11; Changed 6 years ago by arma

Replying to Sebastian:

Another point is that geoip is pretty flawed, and we put the decision who can/can't be a relay into maxmind's hand. I think the whole feature is probably not useful, and having it on by default additionally gives a bad impression

I think that's a strong argument for setting badexit rather than rejecting -- so if somebody in Germany sets up a relay and wonders why it isn't working, it's easier to realize "oh hey, Maxmind thinks you're in Iran".

Let me turn the question around: if we learned that a given relay was logging all traffic that its users generate, and putting those logs up on its website, would we badexit that relay? I think we would. And that's what Syria is doing.

comment:14 Changed 6 years ago by arma

tor26 and moria1 have now both configured

AuthDirBadExitCC sy,ir

So it isn't the default in the code, but it is the fact in the network.

comment:15 Changed 6 years ago by Sebastian

Yup, as decided by a minority of dirauth operators of one and a half (not counting weasel as a full dirauth op here, as he made the decision in less than 40 seconds). I am tempted to enable voting on the badexit flag on gabelmoo, because I do *NOT* think badexiting entire countries is a sane thing to do, and because I totally disagree with the process how this important operational decision in the network was handled. This is not how we should be doing things as dirauth ops.

comment:16 Changed 6 years ago by Sebastian

Hrm, I have to correct myself, apparently weasel did discuss it before just applying the config. So it's two dirauth ops. Still not even close to a majority.

comment:17 Changed 6 years ago by ioerror

Whoa - color me shocked!

I'm willing to bet that this is the _wrong_ way to do things - I really think that this is why we need to implement my suggestion on geoip aware circuit building.

If I'm in Syria, I want to never use a Syrian exit for a non-Syrian site.
If I'm in Iran, I want to never use an Iranian exit for a non-Iranian site.
If I'm in the US, I want to never use an American exit for a non-American site.

However, I'm pretty certain that if I am going to Twitter, located in the US, from a connection in the US, I don't care if I use a US exit or a foreign exit - either way, the US may see a lot of my circuit. So if anything, I want all of my circuits isolated by my actual choices in destinations, keeping in mind my general location.

I want to be able to exit into Syria from Syria or Iran if I am not in those countries - they're not bad nodes simply because they're in Syria or Iran. In fact, I bet that exiting from Syria for visiting a site in Iran is quite reasonable when I am in neither country.

I really really think this belongs in a more well thought out circuit building algorithm on the client side; badexit is a blunt instrument and this makes us look like tools of the US government's bullshit and ill thought out internet policy talking points.

comment:18 Changed 6 years ago by arma

Cc: mikeperry added

comment:19 Changed 6 years ago by ln5

Cc: ln5 added

comment:20 Changed 6 years ago by mikeperry

My take on this is that what we're actually doing is preventing people who accidentally click to be an exit in Vidalia without understanding what it means from getting themselves into trouble.

But at the same time how we trust the GeoIP database updates will be a huge issue for us going forward.

For this reason, I think we should limit this feature to extreme cases, and it should only be used to BadExit, not fully de-list. Being a regular relay might actually help against traffic analysis, and if it works, we shouldn't prevent it.

I think ioerror's points about geographically-aware circuit+exit selection are an orthogonal issue (and a pretty hard one at that).

comment:21 Changed 6 years ago by nickm

I think that there is a level of bad-ISP quality that should be sufficient to BadExit all nodes at that ISP. For instance, if an ISP routinely MITM'd all the traffic leaving it, and you couldn't turn it off, and we couldn't work around it, that would seem like sufficient reason to badexit the ISP to me. I don't see a reason to take a different position about nations that go into the shitty-ISP business.

That said, we must be clear that this is only something we do in response to bad network behaviors, not to other judgments about countries.

To be clear, I don't have the information about which countries have risen to the level of "You can't run a good exit there even if you want to."

More discussion and wider discussion is always warranted. If you agree with badexiting Syria and Iran, it might be smart to think about what it would take for us to BadExit {us} or {de}. If you don't agree with badexiting Syria or Iran, you might want to ask yourself whether there's *anything* that an ISP or a country could do to its network that would make using all exits there a bad idea. Like, MITMing ssl certs? Malware injection?

(With my solve-all-problems-through-tech hat on: I think it's not a bad thing to have directory authorities disagree with each other. I really want to implement the proposals in 0.2.4 that would allow authorities to vote on specific instances of flags without having to take a stand on every router having that flag.)

comment:22 Changed 5 years ago by nickm

Keywords: tor-auth added

comment:23 Changed 5 years ago by nickm

Component: Tor Directory Authority → Tor

comment:24 Changed 4 years ago by arma

I'm inclined to close, since the conclusion seems to be that directory authorities are welcome to do it, but we're not going to set it as the default in the code?

comment:25 Changed 3 years ago by Sebastian

Resolution: wontfix
Status: new → closed

I agree.
