
DuckDuckGo now operates a Tor exit enclave - phsr
http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-operates-a-tor-exit-enclave.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+yegg+%28Gabriel+Weinberg%27s+Blog%29
======
klync
Congrats again, Gabriel! I don't use Tor myself (atm, at least), but I admire
your efforts to help address this concern for people. DDG is impressing me
more and more every day. It's been the default in my search bar for a couple
weeks now, working great. Here's to the future of DDG!

------
avar
That's great, too bad I can't run this for my own sites because a bunch of
idiot network admins (like those running IRC servers) will ban all traffic
from Tor exit nodes _without_ taking into account exit policies.

~~~
abstractbill
About two years ago, spam and abuse were firmly among Justin.tv's biggest
problems. It turned out the worst offenders were using Tor for all network
traffic. Unfortunately just configuring all of our servers to reject traffic
from Tor was by far the biggest bang-for-buck thing we did to kill the abuse.

If there's a better way, I'd love to know about it.

~~~
avar
Well, firstly this isn't a big problem for HTTP-based services like justin.tv,
almost all Tor exit nodes allow HTTP exits, but it's a bigger issue for non-
HTTP exits.

But the better way is to take into account exit policies. Only ban access from
those IPs that are Tor exits _and_ allow access through to justin.tv.

You can query the exit policies of a given exit with TorDNSEL:
<https://www.torproject.org/tordnsel/>

I also whipped up a quick script that can be fed a list of Tor exit nodes on
STDIN and will spew out a list of exits that aren't allowed to access a given
IP:PORT: <http://gist.github.com/523328>

According to that 5/1338 Tor exits have policies that don't allow exits to
justin.tv on port 80 (199.9.249.22:80), but e.g. 309/1338 ban exits to
irc.freenode.org:6667.

That means that justin.tv is needlessly banning ~0.4% of Tor exit nodes, but
someone using the same approach with an IRC server is needlessly banning ~23%.
With SMTP (checked on a random GMail server) that percentage rises to 98.8%.
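
The exit-policy check described in the comment above, as an added Python example that is not part of the thread or the linked gist. The exit addresses and policies are constructed samples, the function names are hypothetical, only IPv4 rules are handled, and treating "no rule matched" as accept is an assumption.

```python
import ipaddress

def parse_rule(line):
    """Parse one 'accept|reject ADDR[/MASK]:PORT[-PORT]' exit-policy line."""
    action, pattern = line.split()
    addr, _, ports = pattern.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    else:
        first, _, last = ports.partition("-")
        lo, hi = int(first), int(last or first)
    return action == "accept", net, lo, hi

def exit_allows(policy_lines, ip, port):
    """Return True if this exit's policy lets traffic leave towards ip:port."""
    target = ipaddress.ip_address(ip)
    for line in policy_lines:
        accept, net, lo, hi = parse_rule(line)
        if (net is None or target in net) and lo <= port <= hi:
            return accept          # first matching rule wins
    return True                    # assumption: no matching rule means accept

def exits_to_block(exits, ip, port):
    """Only the exits that can actually reach ip:port belong on a blocklist."""
    return sorted(e for e, pol in exits.items() if exit_allows(pol, ip, port))

# Constructed sample data: documentation-range addresses, made-up policies.
SAMPLE_EXITS = {
    "192.0.2.10":   ["reject *:25", "accept *:80", "accept *:443", "reject *:*"],
    "192.0.2.20":   ["reject 199.9.249.0/24:*", "accept *:*"],
    "198.51.100.7": ["accept *:6660-6669", "accept *:80", "reject *:*"],
    "198.51.100.9": ["reject *:*"],   # relays only, never exits
}

if __name__ == "__main__":
    # 199.9.249.22:80 is the address quoted in the comment above;
    # 203.0.113.50:6667 is a constructed stand-in for an IRC server.
    print("web:", exits_to_block(SAMPLE_EXITS, "199.9.249.22", 80))
    print("irc:", exits_to_block(SAMPLE_EXITS, "203.0.113.50", 6667))
```

Exits missing from the returned list cannot reach the service at all, so blocking them only affects whatever else shares that IP.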

~~~
chc
Who cares if you ban an IP that's already unable to access your site? There's
no downside, and it sounds considerably simpler than querying exit nodes.

~~~
ElliotH
Because you affect the person running the exit node - not just the people
exiting from their IP.

~~~
moxiemk1
How? If the people couldn't make it to your IP anyway...

~~~
rdl
The assumption is that some (crazy) people are running tor exit nodes on IPs
shared with other traffic. That is IMO a seriously bad practice; even putting
stuff like that on the same /24 as critical servers is probably a bad idea.

~~~
_delirium
Part of the goal of Tor is to have a bunch of normal people running Tor nodes
on their own personal machines, VPSs, etc., in which case they're almost
always shared with other traffic (the person's own traffic).

------
pclark
Do people actually use Tor, day to day?

~~~
mike-cardwell
Yes. Shitloads.

~~~
pclark
Can you quantify "shitloads" into an actual metric?

~~~
mike-cardwell
Looks to be about 15,000 regulars atm in Iran alone:

<http://metrics.torproject.org/graphs.html#recurringusers>

Plenty more graphs and stats on that page. Also read this for information
about the type of people who use it:

<https://www.torproject.org/torusers.html.en>

~~~
axod
FWIW, almost all other countries listed have no usage or very little.

~~~
mike-cardwell
All of the countries listed seem to have either thousands or hundreds of
users. You think that's "no usage or very little"? I guess that depends on
your perspective.

Tor is never going to be used by tens of millions of people. It doesn't need
to be used by tens of millions of people to serve its purpose and be
successful.

I'm not sure why they only present that small subset of countries in their
stats. I wish they'd provide more comprehensive stats.

------
quellhorst
How much bandwidth will you allocate to tor?

~~~
epi0Bauqu
I have it set as "BandwidthRate 1MB, BandwidthBurst 2MB" for now, though I'm
going to monitor it and see what happens. Unfortunately, you can't prioritize
exit enclave traffic atm.

------
zitterbewegung
Although it's great that DuckDuckGo is doing this, it seems like it would
only apply to a select group of people concerned about their privacy. It
doesn't seem like the average person would be aware of what Tor is and
would use it. I'm just wondering about the practicality of operating a Tor
exit enclave.

------
minalecs
This is really a great service. Caution: I've read many horror stories about
people running exit nodes, and being charged with things that probably they
had nothing to do with, but are very serious charges. That's why exit nodes
take the most balls to run.

~~~
epi0Bauqu
Only DDG traffic exits from the node. The rest is just encrypted traffic
relaying.

------
api
Next submission: DuckDuckGo raided for child porn...

(unfortunately)

~~~
nailer
An 'exit node' would normally get you raided for child porn, subverting Islam,
leaking state secrets or whatever else, yes. Apparently an 'exit enclave' is
different.

------
axod
I really don't understand the strategy here. DDG seems to be entirely targeted
towards people who want to be ultra secretive about what they're searching
for. People looking for kiddieporn? Terrorists? Who are the users here?

I'm not being negative here, I just have no idea what 'problem' is trying to
be solved here.

~~~
MichaelSalib
The users probably include democracy activists struggling against
dictatorships. You know, people of higher moral caliber than your average
child molester.

~~~
mike-cardwell
Exactly. See <https://www.torproject.org/torusers.html.en> for a list of the
type of people who use Tor:

~~~
axod
That is a list of people the tor project would _like_ to use it. In my limited
experience, that does not mesh in any way with those that actually do use it.

~~~
mike-cardwell
You don't even know what 1% of the people who use Tor, use it for.

~~~
axod
You're right. I only know what the other 99% use it for.

~~~
hack_edu
You know, you're acting like a dick all over this thread.

