Move facilitator to a neutral dedicated domain

Regardless of #7159 (closed) one (I don't know who) may decides that torproject.org is a good place for the Flashproxy to exist.

I know this defaults to "dcf", but it should not.

Pro:

• torproject.org is trusted
• the infrastructure is known by core Tor people
• flashproxy.torproject.org could point to another server and don't put more load on the current infrastructure

Con:

• It would look like the Tor Project Inc. would be maintaining the flashproxy

added component::archived/flashproxy flashproxy owner::dcf parent::7166 priority::high resolution::fixed status::closed type::task labels

#7166 (closed) has this:

• Deploy a Tor Project-operated facilitator, so that people can stop worrying what bamsoftware.com is and why the flash proxy JavaScript connects to it (#7159 (closed)). The facilitator doesn't need to be a super-trusted entity, we can have more than one in order to diffuse trust. David wouldn't mind running the facilitator running on a torproject.org machine.

weasel, can you provision a machine for running the facilitator at torproject.org? This is the document that describes how I intend to set it up: https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/doc/facilitator-howto.txt

We shouldn't rush into this. We as Tor the non-profit cannot run any parts of the Tor network, from bridges to relays, or according to smart lawyers, we cross a line between a volunteer tor network and assuming liability for all of the tor network. I need to understand what the facilitator does in detail and its role overall before we can setup a machine and run it in the torproject.org domain.

My high-level understanding of the facilitator is that it is analogous to the role of bridgeDB.

Trac:
Cc: bastik to bastik, phobos

Trac:
Component: Flashproxy to Tor Sysadmin Team

Replying to phobos:

We shouldn't rush into this. We as Tor the non-profit cannot run any parts of the Tor network, from bridges to relays, or according to smart lawyers, we cross a line between a volunteer tor network and assuming liability for all of the tor network. I need to understand what the facilitator does in detail and its role overall before we can setup a machine and run it in the torproject.org domain.

I can appreciate that. The motivation for moving the facilitator to another domain is to reduce the WTF some people feel when they see connections to tor-facilitator.bamsoftware.com. A possible alternative is for me to register a completely new domain, one not associated with my other domains nor those of the Tor Project.

My high-level understanding of the facilitator is that it is analogous to the role of bridgeDB.

It is analogous to bridgeDB, but does the opposite: rather than store bridge addresses to give to clients, it stores client addresses to give to bridges (flash proxies).

The facilitator runs the programs:

• https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/facilitator/facilitator
• https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/facilitator/facilitator-email-poller
• https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/facilitator/facilitator.cgi
• https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/flashproxy-client flashproxy-client listens on ports 9000 and 9999. It's only for demonstration purposes and could be completely removed. facilitator.cgi listens via Apache on port 443. The other programs don't open any Internet-exposed listening sockets.

There is some secret key material stored on the facilitator. The Apache certificate key, and a private key associated with the email registration method (#6383 (closed)). There will likely be another private key associated with a URL-based registration method (#7559 (closed)).

The Apache logs are completely disabled (go to /dev/null). The facilitator logs the time when proxies and clients connect, and when a client is served to a proxy, but does not log any IP addresses.

Here I reply to a question weasel asks in email:

Maybe you could describe /what/ you need instead of how you would set that up in a few short sentences somewhere?

I don't need root. I need an Apache configuration, and CGI execution for facilitator.cgi. I will probably need to make changes to the CGI from time to time. I need permission to run and restart the facilitator and facilitator-email-poller programs. There needs to be a place storing the private keys that the user running these daemons can read but others can't.

But maybe a better solution overall is just to register a new unrelated domain.

My plan is to register a new domain name just about flash proxy, and not related to bamsoftware or the Tor Project.

Trac:
Summary: Decide if Flashproxy can move to torproject.org to Move facilitator to a neutral dedicated domain
Parent: N/A to #7166 (closed)

Trac:
Component: Tor Sysadmin Team to Flashproxy
Status: new to assigned

Trac:
Priority: normal to major

Trac:
Keywords: N/A deleted, flashproxy added

I am thinking of fp-facilitator.org. flashproxy.* are already registered. flash-proxy.* is available, but likely to be confused with the taken flashproxy.*.

why restrict to just US domains? flashproxy.is and others are available

I bought fp-facilitator.org and a cert for it. The client programs are changed to use the new name. tor-facilitator.bamsoftware.com will continue to work, but will be undocumented.

Trac:
Resolution: N/A to fixed
Status: assigned to closed

closed