distributed trust

The Tor network is run by volunteers, and for the most part is entirely independent of the software development effort led by The Tor Project, Inc. While The Tor Project, Inc is a 501(c)3 non-profit that is happy to take donations to create more and better software, up until recently there was no way for you to fund deployment of more relays to improve network capacity and performance, aside from running those relays yourself.

We're happy to announce that both Noisebridge and TorServers.net are now able to take donations directly for the purpose of running high capacity Tor exit nodes.

Noisebridge is a US 501(c)3 non-profit, which means that for US citizens, donations are tax deductible. Torservers.net is a German non-profit organization whose donations are tax deductible for German citizens (and also potentially for citizens of other EU member states).

What are the pluses and minuses of donating as opposed to running your own relay? Glad you asked!

While it is relatively easy and risk-free to run a middle relay or a bridge, running an exit can be tough. You have to seek out a friendly ISP, explain Tor to them, and then navigate a laundry list of Internet bureaucracies to ensure that when abuse happens, the burden of answering complaints falls upon you and not your ISP.

These barriers are all made easier the larger your budget is. On top of this, like most things, bandwidth is cheaper in bulk. But not just Costco cheaper: exponential-growth cheaper, all the way up into the gigabit range (and perhaps beyond, but no one has run a Tor node on anything faster).

At these scales, large exit nodes can pay as little as $1/mo per dedicated megabit/second. Sometimes less. This means that adding $30/mo to the hosting budget of a large exit node can buy almost 40 times more full-duplex dedicated bandwidth than a similarly priced business upgrade to your home ADSL line would buy, and about 50 times more bandwidth than Amazon EC2 instances at the entry-level price of $0.08 per half-duplex gigabyte, not counting CPU costs. (Bridge economics in terms of IP address space availability might still favor Amazon EC2, but that is a different discussion).

The downside to donation is that network centralization can lead to a more fragile and a more observable network. If these nodes fail, the network will definitely feel the performance loss. In terms of observability, fewer nodes also means that fewer points of surveillance are required to deanonymize users (though some argue that more users will make such surveillance less reliable, no one has yet rigorously quantified that result against actual attacks).

Therefore, if you are able to run a high capacity relay or exit yourself (or have access to cheap/free/unused bandwidth at your work/school), running your own relay is definitely preferred. If you are part of the Tor community and want to accept donations, we'd love to add you to our recommended donor list. Please join us on the tor-relays mailing list to discuss node configuration and setup.

However, if configuring and maintaining a high capacity relay is not for you, donating a portion of the monthly hosting budgets of either of these organizations is an excellent way to support anonymity, privacy, and censorship circumvention for very large numbers of people.

Updated 06/30/2010: Mention Reduced Exit Policy, ISP Shopping Tips, and Abuse Response Templates

Updated 08/30/2010: Update exit policy with svn, git, hg, Kerberos, remote admin panels, IRC, others

Updated 01/12/2011: Suggest creation of LLC for large exit nodes, provide links to ARIN forms and process.

Updated 02/25/2015: Torservers.net abuse templates URL has changed.

I have noticed that a lot of new exit nodes have recently appeared on the network. This is great news, since exit nodes are typically on the scarce side. Exits usually occupy 30-33% of network by capacity, but are currently at a whopping 38.5% (156 MBytes/sec out of 404 total).

However, I want to make sure that these nodes stay up and don't end up being shut down due to easily preventable abuse complaints. I've run a number of exit nodes on a few different ISPs and not only have I lived to tell about it, I've have not had one shut down yet. Moreover, I've only received about 4 abuse complaints in as many years of running exit nodes. This is in stark contrast to other node operators following a more reactive strategy. I'm convinced this is largely because I observe the following pro-active guidelines. This guide is primarily US centric. Operators in other countries may have slightly different best practices (such as registering with RIPE and not ARIN). read more »

At Libreplanet 2010, I was in a discussion with the MonkeySphere and EFF folks about how to encourage every website to offer ssl by default. The general idea is to stop local traffic snooping and provide more security by default. During the discussion, it came up that I disable all of the Certificate Authorities in my systems and selectively trust the ssl certificates from individual websites. I've been doing this for years. Apparently my admission was a shocking statement to many. The group asked me to document my Firefox setup and what life is like without any trusted CAs. Seth from the EFF has a quick post about possible concerns over the CAs in your browser. read more »

We've always argued that safe circumvention requires anonymity, even from the circumvention service itself. There are many people wanting to record your Internet traffic and browsing patterns; from governments to commercial advertising networks. There are many ways to defeat the threat of traffic analysis; from simple proxy providers, virtual private networks, and distributed peer to peer solutions. Only some of these offer anonymity along with circumvention. Tor's open design and anonymity properties provide protections for the user from those watching the traffic and from us as an organization.

Our architecture and design don't force the user to assume trust in us. Our code is accessible and licensed under an open license. Our specifications are clearly detailed and published. Our packages follow a defined build process so the user can create the same binaries we do. Independent researchers can and do test the properties Tor provides [and help us to improve]. Moreover, The Tor software runs on a distributed network, where a single operator cannot capture or be forced to capture all users' traffic information, even under legal or coercive threat.

All of these should allow the user to trust The Tor Project as a not-for-profit company and to trust that Tor isn't surreptitiously watching the very information you're trying to protect and isn't gathering information we could be forced to disclose.

We're always willing to work with other organizations who understand that anonymity provides stronger circumvention protections than the alternatives.