Turning funding into more exit relays

by arma | July 24, 2012

For a few years now, funders have been asking if they can pay Tor to run more relays. I kept telling them their money was better spent on code and design improvements:
https://blog.torproject.org/blog/why-tor-is-slow
https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/Performa…
since a) network load would just grow to fill whatever new capacity we have, especially if we don't deal with the tiny fraction of users who do bulk downloads, and b) reducing diversity of relay operator control can harm anonymity.

But lately the Tor network has become noticeably faster, and I think it has a lot to do with the growing amount of excess relay capacity relative to network load:
https://metrics.torproject.org/network.html?graph=bandwidth&start=2010-…

At the same time, much of our performance improvement comes from better load balancing -- that is, concentrating traffic on the relays that can handle it better. The result though is a direct tradeoff with relay diversity: on today's network, clients choose one of the fastest 5 exit relays around 25-30% of the time, and 80% of their choices come from a pool of 40-50 relays.
https://trac.torproject.org/projects/tor/ticket/6443

Since extra capacity is clearly good for performance, and since we're not doing particularly well at diversity with the current approach, we're going to try an experiment: we'll connect funding to exit relay operators so they can run bigger and/or better exit relays.

If we do it right (adding more fast exit relays that aren't the current biggest ones, so there are more to choose from), we will improve the network's diversity as well as its capacity to handle more users.
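An added illustration, not code from the Tor Project, of the load-balancing versus diversity tradeoff above, and of why it matters where funded capacity lands. It assumes a simplified model in which a client picks an exit with probability proportional to its bandwidth; the relay counts and bandwidth figures are constructed to roughly match the post's numbers.

```python
import math

def top_k_share(bandwidths, k):
    """Fraction of exit choices that land on the k fastest relays."""
    ranked = sorted(bandwidths, reverse=True)
    return sum(ranked[:k]) / sum(ranked)

def pool_size_for(bandwidths, fraction):
    """Smallest number of fastest relays that together receive `fraction` of choices."""
    ranked = sorted(bandwidths, reverse=True)
    target = fraction * sum(ranked)
    running = 0
    for count, bw in enumerate(ranked, start=1):
        running += bw
        if running >= target:
            return count
    return len(ranked)

def effective_relays(bandwidths):
    """exp(Shannon entropy) of the selection distribution: the number of
    equal-weight relays that would give the same unpredictability."""
    total = sum(bandwidths)
    entropy = -sum((b / total) * math.log(b / total) for b in bandwidths if b > 0)
    return math.exp(entropy)

# Constructed sample network (arbitrary bandwidth units), assumption only:
# 5 very fast exits, 45 mid-size exits, 300 small exits.
BASELINE = [90] * 5 + [20] * 45 + [1] * 300

# Same extra capacity (2500 units) spent two ways:
# 125 new mid-size exits run by new operators ...
NEW_FAST_EXITS = BASELINE + [20] * 125
# ... versus upgrading only the five exits that are already the biggest.
BIGGER_TOP5 = [590] * 5 + [20] * 45 + [1] * 300

def summarize(bandwidths):
    return {
        "top5_share": round(top_k_share(bandwidths, 5), 3),
        "pool_for_80pct": pool_size_for(bandwidths, 0.80),
        "effective_relays": round(effective_relays(bandwidths), 1),
    }

if __name__ == "__main__":
    for name, net in [("baseline", BASELINE),
                      ("125 new fast exits", NEW_FAST_EXITS),
                      ("bigger top 5", BIGGER_TOP5)]:
        print(f"{name:20s} {summarize(net)}")
```

Both funded scenarios add the same capacity, but only the first one widens the pool of exits a client is likely to pick from.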

We've lined up our first funder (BBG, aka http://www.voanews.com/), and they're excited to have us start as soon as we can. They want to sponsor 125+ fast exits.

I've started a discussion on the tor-relays list about open questions that we as a community will need to decide about:
1) What exactly would we pay for?
2) Should we fund existing relays or new ones?
4) What exactly do we mean by diversity?
5) How much "should" an exit relay cost?
6) How exactly should we choose which exit relay operators to reimburse?
7) How do we audit / track the sponsored relays?
8) Legal questions?

The first step is collecting facts about the current fast Tor exit relays. Please join the discussion on the tor-relays list if you want to contribute:
https://lists.torproject.org/pipermail/tor-relays/2012-July/001433.html

Comments

Please note that the comment area below has been archived.

July 24, 2012

I think the focus should be on funding new exit relays instead of existing ones, but the problem with this is simply... who would run them? What we do not want is more data mining exit nodes. We need legitimate exit nodes that are unmonitored. Back to the original problem... maybe there is a way to do this as a community. I fear that if any one entity were to have control then they would eventually submit to corruption.

July 25, 2012

Once "big business" gets its tentacles in, it will be all over for Tor. What next - monitored "pay-per-use" nodes? Big business cannot be trusted. Period.

July 25, 2012

Suggestions: Ditch Firefox from the TBB and use Google Chrome instead; have Google run just ONE exit-node. Simplify the network to ONE hop - Browser to Google.Anon.Privacy+.ExitNode. There you have it - speed and anonymity in one simple solution, or is there a flaw in this implementation?

You forget the irony tags. One hop is speed but not anonymity.
You have even more speed if you just purge the fig leaf of the one hop.
One hop is the wet dream of those who want to monitor the internet
and to whom Tor anonymity in its present form is an irritation.

Datamining, and alleged NSA buddy, Google as an exit node would
certainly make surveillance work easier. It is just so inconvenient
to install and run inconspicuous monitoring exit nodes.

Yes, 1) Google Chrome's addon system does not allow for Tor-like functionality and 2) one proxy isn't good enough, as that proxy will know both you and your destination. The point of tor is to make it so no one, including the proxy, can connect the incoming/outgoing traffic and the person doing the requesting.

Clearly this is not the intention since smaller exit nodes shall be funded not the already big ones. This is the direct opposite of what you describe. Maybe you should read the post again and pay extra attention to everything diversity.

I guess that the words 'money' and 'company' really raise red flags for some people here. And that's a good thing. But as long as you can't build servers out of cardboard and pay for their internet connections with good intentions, even a non-profit project like Tor needs to talk to companies about money every once in a while.

July 25, 2012

I would think Non-Profit institutions (Universities, Foundations, etc) would be the most receptive to running Exit Relays, regardless of being reimbursed for the cost, if they were made to understand the benefits to freedom of speech and press. They also would provide good geographic diversity.

Agreed in theory.

In practice, many university networks are controlled by their network admins, who are paid to say no unless given a reason to say yes. The result is that a few universities run exits, and the rest are too scared / don't care enough.

Foundations are even worse -- they typically have crappy network connections and zero technical people.

So yes, good idea in theory. :) I'm continuing to push on my university contacts.

July 26, 2012

Hi, I love tor and I'm glad it exists! Good work!

I'm wondering if there is a secure way to play Adobe Flash in tor? It gives me a warning when I go to download it from Adobe... is there a Tor Specific player?

Thank you

July 30, 2012

In reply to arma

Awwwww... Well, I guess you have to trade off some things...

Still excellent software!

Thanks for the tip about HTML5

Jonathan

If you know how to use snapshotting for virtual machines, TorBOX is the answer. You could easily install flash + snapshot it. After using it, simply turn back to the clean one.

July 26, 2012

I ran a TOR exit node for a while, but then my ip address started to get blacklisted on many, many major sites, so I had to stop and change internet providers to get a new ip address (as my existing provider refused to issue a new one).

More people would run exit nodes if there weren't so much traffic running through them that causes web sites to blacklist you. Perhaps better policy filtering on the *entry* nodes is necessary?

Filtering on the entry nodes implies having the entry nodes know what you're doing. That violates the "distributed trust" goal where we design things so that no single relay gets to learn both where you are and where you're going. So unless you've got a really cool crypto trick that's also practical, it seems like a non-starter.

July 27, 2012

>If you're just missing your youtube, you might like their html5 version of their videos instead.

It seems that only some of the videos on YouTube are available in HTML5 format. Is there some way of filtering YouTube search results accordingly?

Thanks for the reply.

I can't find any advanced search option on YouTube.

"Or you could just add "&webm=1" to the end of the URL."

Which URL?

Adding something to the URL for each search result returned basically defeats my purpose; I want to filter the search results so that only videos that support HTML5 are returned.

July 27, 2012

Pay someone who answers all abuse complaints for Tor funded exit nodes in a timely manner. The individual running an exit node would be the technical contact and all complaints would be handled by the sole abuse contact. This would take some burden from the operators and the answers to complaints would be consistent.

This person could also answer inquiries about Tor in a professional manner fostering public relations.

I would say exit nodes would pop up like mushrooms if you pay people to operate maybe ten to twenty exit nodes and pay an equivalent of what they could earn in a small part time job, adding to their living.

July 27, 2012

I say that there's actually 100s of MB of exit node bandwidth unutilized because of the Zeno's paradoxes Achilles and the tortoise implementing traffic management algorithm that favors bandwidth whore exit nodes ;)

July 27, 2012

Hi.

I want to set up a relay (Tor-to-Tor one, not an exit).
But I can't do this because MANY websites will expose my global IP.

I can't understand why all Tor nodes SHOULD expose global IP.
If a global IP will hide on a Tor Map and Statical Websites, maybe I'll start setup a Tor server :)

I want to hide my IP, if a relay type is "Tor-to-Tor Relay".

July 28, 2012

You know what would really speed up TOR? Getting rid of 50% or more of the users who're only on there to look at and download child porn and other disgusting content. I'm baffled by all the .onion child porn content that I've stumbled upon. I feel TOR should only be used for legitimate reasons, not for criminal purposes as it's mostly being used for!

If TOR didn't have such a bad reputation for being pedo/criminal friendly more people would use TOR, and the exit relays would grow rapidly!

Actually, I think most of the bandwidth is used by file-sharers. Check out Rob's new paper, "Throttling Tor Bandwidth Parasites":
http://freehaven.net/anonbib/#throttling-sec12

As for the reputation thing, Tor seems to have widely varying reputations depending on the community. There are millions of people in Egypt / Iran who have a very different impression than, say, people who read Boston Globe every morning. I agree that we should be doing a better job (in our copious free time) of teaching the world how Internet security and Internet crime works -- and how removing Tor from the picture wouldn't solve the problem.

August 01, 2012

In reply to arma

"Check out Rob's new paper, "Throttling Tor Bandwidth Parasites":
http://freehaven.net/anonbib/#throttling-sec12"

I just went to this URL with TBB. When I clicked on "Save link as", a warning popped-up about an "external application" needed.

This has happened intermittently with TBB -- going back at least a few years now.

This is a Firefox issue, where it's hard to hook Firefox at the right place to learn whether it's going to call out to an external application or just save the file.

The right thing to do is click "ok", and then choose save.

(I recognize that the interface is crappy.)

August 05, 2012

In reply to arma

Thank you for replying.

I suggest that this info be added to the official Tor documentation, including the FAQ.

"that I've stumbled upon" - yeah, sure.

There are people who would visit Paris only to wander around the back alleys at night.
Afterwards they complain about the prevalent crime scene.

July 29, 2012

No way.
When you use Adobe Flash you will lose your anonymity. You can look for modern websites that use "html5"; that's the alternative.

July 30, 2012

But what's the deal with VOA? Isn't that questionable considering VOA's military public diplomacy functions?

They want people in certain parts of the world to have access to the Internet as we know it.

As long as we don't lose track of the big picture (for example, our goals are Internet freedom for everybody, not just a certain set of countries), I think we'll do fine. Remembering that anonymity systems work best when everybody has access to them should be a good first step.

July 31, 2012

In reply to arma

Well, I understand that, but I'm wondering if VOA would somehow have direct access (read surveillance) of the network by funding same? I believe a similar controversy exists in the security communities regarding other anonymizing software such as Ultrasurf, which is also in part (if memory serves me) funded by VOA.

No, we want to set it up in a way that we don't have any access to the relays. And certainly VOA wouldn't. That's why we're putting this effort into understanding diversity metrics, and making sure to keep the network distributed.

July 31, 2012

I can imagine some volunteer relay operators leaving if others are getting sponsored / paid by the Tor organization itself. It seems some relay operators are idealists, hoping to work on a "better" internet.

If "Tor" has "too" much money, why not spend it on e.g. Tails, the Tor Live CD project?

If fortunate sponsors want to spend money on relays, what is keeping them from renting a relay in a datacenter themselves?

Currently Tor is fast enough to exchange sensitive "low volume" data (e.g. documents, photos). It seems too slow for profitable "high volume" file exchange (e.g. video). I fear when massive amounts of bandwidth become available, the "misuse" of Tor will be unavoidable. Let's argue for example Tor might become a great "cyberwar" tool between country X and Y? It will be the perfect excuse to make Tor illegal in - say - the USA / Europe. Currently Tor seems to be ignored by the "anti piracy" organizations, it takes way too long to download a pirated blockbuster DVD.

August 01, 2012

"especially if we don't deal with the tiny fraction of users who do bulk downloads"

Is that really only a "tiny fraction"?

Studies like this aren't common, because of the ethical / legal questions around tracking Tor usage safely.

But I believe it is a tiny fraction of users, yes, but they produce well more than their fair share of load on the network.

August 03, 2012

Instead of google chrome, why not try SRWare Iron? It uses chromium source just like google but without all the bugs and trackers google uses. Just a thought considering that a lot of people are asking about google chrome

August 24, 2012

"a) network load would just grow to fill whatever new capacity we have, especially if we don't deal with the tiny fraction of users who do bulk downloads, and b) reducing diversity of relay operator control can harm anonymity."

This is exactly right. You can stop the discussion there.

But let's go on. Tor user for 10 years or so. I remember when the network was very slow indeed. It has sped up. Great. Now that it is usable, the primary requirement of anonymity and privacy needs to continue to be focused on.

My basic point is the torproject should focus on 1) improving the code versus the numerous published attacks. 2) Improving the code relative to application level anonymity. 3) running the dir servers in a way that is transparent and clear that it is not some spy net.

I don't agree with the torproject getting involved in running relays. It needs to continue to be set up in a way that we don't really need to trust the torproject, beyond the tor code, which we can inspect.

Running relays does not seem relevant to improving the code against the numerous attacks and ease of use for primary use cases.

It is clear that the idea here is tor is for people in iran and china. That is ridiculous. It is for people in the US. It is clear funding coming from us democratic and partisan sources is influencing development. If you ask voa to fund 150 nodes, I would like to see Putin put up 150 nodes. Which is the way it may work in the end? Does the military really use this? Or do they rely on encrypted direct satellite communications?

It seems to me the main issues really affecting your privacy (at this point in tor's development), are mostly habit related. Posting personal information, etc. What is happening is the adversaries are just getting physical with it when they can't censor via the isp's. Tor is an important part of the personal freedom equation.

The censorship is a big reason to use tor. I heard about someone who was connecting to some server, and the local government (or someone) started dropping their packets. So they used tor. Then the government would watch the connection, and shut off the power to the neighborhood periodically. Or all the nearby wifi points would mysteriously stop working. First they steal your laptop battery...and there is only one store in Nairobi to buy another laptop...

Other jurisdictions planting drugs in activists' houses.

It is absolutely mind-boggling the extent to which (most) people will listen to whatever someone in a uniform says...the holocaust being a prime example...but the US has its share of examples. Including screwing with your internet connection.

If they aren't able to really track the traffic (as global passive adversary) they switch to psychological manipulation, and continue to censor you out of fear.

They enter your house when you are not there, and leave something out of place near your computer...stuff like that. So you spend the next 3 days reinstalling your OS and NOT posting about the corruption or what you were trying to do.

You end up spending all this time and resources on increasing your computer security measures, installing firewalls, installing video camera surveillance systems, (if they haven't drained your bank account by this point) when you could be out there talking to people about what is going on. That you STILL have effectively been censored.

This is common for journalists, whistle-blowers, and civil rights activists.

And I am talking about the US too. They feel it is OK to do whatever is necessary to get your information. Guantanamo Bay being a prime example. They just don't give a fuck.

My concern is also with the quality of the exit (and entrance) relays. It takes one government hacker x amount of time to write some script that can compromise k misconfigured or outdated relays. Where it takes k individuals n amount of time (plus k*n dollars) to add k more (probably misconfigured) relays. The hacker wins.

Based on the PUBLISHED assessment of adding compromised relays to the network, it is feasible that an agency could just add another compromised node whenever an un-compromised node is added. This means that if you are using tor, under the current routing algorithms, it is possibly MORE likely for a high level adversary to determine where you are than if you are not using tor. Or am I missing something?

You may say that the hacker needs a million dollar super computer to analyze the data, but realistically, if he controls an entrance node and your isp, and is attacking a particular target, connecting to a particular server, the domain is much smaller. This sounds like a fringe case, but a particular target connection to a particular server is exactly what most activists and whistleblowers are trying to do. And all most adversaries are trying to do is see if you made that ONE post or ONE email.

In order to balance the equation, you need a standard relay os image (such as tor running in an open bsd chroot, or whatever experts say would be the most secure configuration) that can be just plugged in and deployed, and has a standard hash so the relay operator can be certain that it has not been modified. Relays are potential hack targets to intelligence agencies, which probably have more resources and technical know-how available than the average relay operator. The vidalia exit relay bundles are not useful for high bandwidth servers which often don't have a graphical interface. OR the package maintainers need to consider installing the package by default in a chroot, and sysadmins that have extra bandwidth might consider running a relay. Is there research into self-verifying systems?

My opinion of what the tor project should focus on:

  1. Code improvements, and anonymity over performance. Is there a way to add an optional mix or packet spoofing?
  2. Application level enforcement. Tor browser is in this direction (more so than torbutton) but is really a one-off from the more complicated https "sanitizer" model which in the long run is bigger and uglier, but more maintainable, and reusable. i.e. privoxy model https/socks intercept with adaptors for each application. Is it possible to register a CA with a browser to allow an intermediary to validate SSL certs? Keeping all components modular. I am sure this situation has been studied in depth by torproject, but my feeling is that you are giving people half ass solutions and hiding behind the "we told you it was experimental software" line.
  3. Standard relay bundles for security. If I am running a server that has extra bandwidth, I might consider running a relay if I knew it was secure (i.e. default chroot scripts for relay packages, or hardening). The idea I mentioned of a Tor OS that can somehow compute a hash of itself (np complete problem?) IE rather than more relays, relay verification algorithms.
  4. Fine-tuning routing algorithms--we know there are problems here with the statistics you are mentioning.
  5. Post an expert assessment on the use case scenarios and how and whether tor should be used. For instance, if people are hunting you down and they are at the ISP too and you are in a rural region without many tor users, and they detect you're using tor, they can actually follow you around EASIER. In some countries all the traffic leaves through one gate way...it is not so hard to watch for tor connections and determine the originating ip--yet much harder than a vpn. And I realize the bridges are useful for this.

For example, have a site that says

  • If you are running an ongoing criminal enterprise, should you be using tor?
  • If you are worried about censorship, then this is how you should use tor.
  • If you are a fugitive and people are after you, do this.
  • If a government with large techno capability is after you, etc.
  • If you are a russian spy in iran, should you be using tor or gmail?
  • If you are worried about corporate ad tracking, etc.
  • Which use cases is it better to run tor through a VPN?
  • I don't want them to know where I am versus I don't want them to know what I am doing. Different use cases, and different ways to use (or not use) tor.

There was the recent hacker that got busted by chatting online over tor with an fbi informant. They watched his connection at his house and would verify the connection would go on and off when we went downtown.

You need to analyze what are the different use cases. TAILS only covers one use case.

People are AFRAID of liberty. If they weren't afraid, windows would come with a tor like thing built in, and all laptops would ship with full disk encryption and have a smart card attached. Governments define criminals based on the interests of the government. Democracies run by corporate interests define criminals based on what affects corporate profits. Hence, 90% of "criminals" are really political targets, targets of the church, or the result of a system that needs scapegoats. I.E., "The government agent told me to use tor."

I am beginning to think for the average person who thinks they need tor, it may actually be worse for anonymity because its use can be quickly followed by physical surveillance and manipulation, and the added technical know-how and learning curve detracts from other possible free-speech activities.

Simply saying "tor is experimental software, don't rely on it for strong anonymity" isn't enough, because people ARE relying on it for strong anonymity. Simply having a page that has 100 list items of dos and don'ts is too much, because not all those dos and don'ts apply to every use case, and it is too much to handle. If the activist/dissident has to become a PhD in CS, it's over.

You are right to focus on diversity. This VOA move is clearly partisan. There is absolutely no reason they cannot deploy their own nodes. In fact, if they did, then they could even leave out the "family" tag from the torrc... If we want to talk about wasted bandwidth, it is that you are on this forum.

Yes, BBG is a government agency. By publishing the post, we're being transparent about where the funding originates. We're not trying to hide this fact.