
Deploying Tor Relays - leo2urlevan
http://blog.mozilla.org/it/2015/01/28/deploying-tor-relays/
======
Igglyboo
I hope they are going to be deploying exit nodes as well. It's not very safe
to run an exit node but I doubt the FBI will be raiding Mozilla and other big
companies for them if this practice continues.

~~~
handsomeransoms
Part of the problem of running an exit node is that it's unclear how "safe" it
actually is, and as a result there is a lot of rumor and paranoia. Every
country has different laws that affect the legal status of an exit node
operator.

For example, an Austrian man was arrested in 2011 for running an exit node and
charged with being an accomplice to crimes that were carried out over Tor
using his exit node. He was ultimately found not guilty, but a law was passed
as a result that effectively makes it illegal to run a Tor exit in Austria.
[0]

Meanwhile, in the US no one has ever been arrested simply for running a Tor
exit node (at least to my knowledge). Anecdotal information suggests that the
most difficult thing is finding someone to host the node (many cloud VPS
providers, for example, will not) if you don't host it yourself. A Reddit
commentator and operator of Tor exits suggests that running Tor exits is
_protected_ under U.S. law, although I'm not sure if this has been tested in
court [1].

I think Mozilla should take the (relatively small, due to their presence in
the U.S.) risk of running Tor exit nodes. They could even turn it into a
project of its own, to explore the common problems and develop some best
practices for running Tor exits. I could imagine this being a fruitful
collaboration with the EFF, for example!

[0] https://www.techdirt.com/articles/20140701/18013327753/tor-nodes-declared-illegal-austria.shtml

[1] http://www.reddit.com/r/IAmA/comments/20243q/iaman_operator_of_eight_tor_relays_including_two/cfz3gkp

~~~
rhinoceraptor
What would be great is if a foundation came along that offered people a way to
sponsor a Tor node without having to own or operate it themselves.

~~~
BrianEatWorld
IANAL, but would this just require someone incorporating or starting an LLC
and then paying for the exit nodes in the name of that entity? Would that be
sufficient protection?

~~~
iancarroll
Also not a lawyer, but you can still be charged criminally in the USA:

"Charging a corporation, however, does not mean that individual directors,
officers, employees, or shareholders should not also be charged. Prosecution
of a corporation is not a substitute for the prosecution of criminally
culpable individuals within or without the corporation"

from
http://www.justice.gov/criminal/fraud/documents/reports/1999/charging-corps.PDF

------
cottonseed
This is awesome.

If you have a VPS spare bandwidth, I encourage you to set up a relay, too. It
is very easy to do and a great way to contribute to the Tor project.

Is Mozilla planning to set up a hidden service for mozilla.org? I didn't see
anything mentioned. The more sites that support hidden services, the less need
for exit nodes (which are arguably one of the least secure parts of Tor.)

~~~
driverdan
> If you have a VPS spare bandwidth, I encourage you to set up a relay, too.
> It is very easy to do and a great way to contribute to the Tor project.

I run three relays right now. I agree that it's pretty easy to set up,
especially on Ubuntu, but the documentation could really use improvement. It
makes it sound much harder to set up than it actually is.

To anyone who is thinking of running a relay, here are the basic steps:

1. Add the Tor repo to your package manager [1]

2. Install Tor

3. Edit the config file to set a name, your contact info, bandwidth limit,
and exit policy. This is all pretty well documented in the config file.

4. Start Tor (eg `sudo service tor start`)

If you want to run an exit node you should read the Tor docs about the topic
and decide which ports to open.[2][3]

1: https://www.torproject.org/download/download-unix.html.en

2: https://trac.torproject.org/projects/tor/wiki//doc/TorExitGuidelines

3: https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
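
A checker for step 3 above, as an added example that is not part of the original comment or of Tor itself: it parses a torrc and reports whether the name, contact info, bandwidth limit and exit policy are set, and whether the exit policy makes the relay an exit. The sample config is constructed; `ORPort`, `Nickname`, `ContactInfo`, `RelayBandwidthRate`, `BandwidthRate`, `AccountingMax` and `ExitPolicy` are real torrc options, while the function names are this example's own.

```python
SAMPLE_TORRC = """\
# constructed sample, not a real relay
ORPort 9001
Nickname ExampleRelay01
ContactInfo Relay Admin <admin AT example DOT org>
RelayBandwidthRate 5 MBytes
ExitPolicy reject *:*   # relay only, no exit traffic
"""

def parse_torrc(text):
    """Return {lowercased option: [values]}; Tor option names are case-insensitive."""
    opts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if fields:
            value = fields[1].strip() if len(fields) > 1 else ""
            opts.setdefault(fields[0].lower(), []).append(value)
    return opts

def exit_role(opts):
    """Classify by ExitPolicy; rules are evaluated in order and the first match wins."""
    rules = [r.strip().lower() for v in opts.get("exitpolicy", []) for r in v.split(",")]
    for rule in rules:
        action, _, target = rule.partition(" ")
        if action in ("accept", "accept6"):
            return "exit"      # an accept rule is reached before any catch-all reject
        if action == "reject" and target.strip() in ("*", "*:*"):
            return "non-exit"  # nothing after a catch-all reject can match
    return "default"           # no catch-all: Tor's version-dependent default applies

def audit(text):
    """Return findings for the settings the steps above say to edit."""
    opts = parse_torrc(text)
    findings = [f"{name} is not set" for name in ("ORPort", "Nickname", "ContactInfo")
                if name.lower() not in opts]
    if not {"relaybandwidthrate", "bandwidthrate", "accountingmax"} & opts.keys():
        findings.append("no bandwidth limit is set")
    role = exit_role(opts)
    if role == "default":
        findings.append("ExitPolicy falls through to Tor's default policy")
    elif role == "exit":
        findings.append("ExitPolicy accepts traffic: this relay is an exit")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_TORRC) or "no findings")
```
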

~~~
mirimir
It's good practice to discuss plans with your hosting provider, so that you
and they both know what to expect. Stealth doesn't cut it, especially if
there's real money at risk.

Also, keep in mind that relay IPs, and perhaps even subnets, may show up on
various blacklists. Other services (perhaps those of other hosting customers)
may be affected.

~~~
xorcist
> keep in mind that relay IPs, and perhaps even subnets, may show up on
> various blacklists

Have you got an example of that? I know a few relays intimately and I've never
seen this.

~~~
mirimir
I recall seeing this on tor-talk or tor-relays within the past year or so.
Someone started running an exit, and their hosting provider nuked their
account, claiming that other customers were being affected by bans. I'll see
if I can find it.

Edit: Here's one example, posted by Zack Weinberg on the tor-relays list.[0]

    
    
        CMU network operations has decided to move the Tor exit node that my
        group operates (tor-exit.cylab.cmu.edu) to an isolated subnet in order
        to minimize consequences for the rest of the campus network. For
        instance, apparently there have been several cases where third parties
        blacklisted the entire CMU IP space in response to malicious traffic
        from the exit node.  This is currently scheduled to happen Tuesday (Nov.
        4). The new IP address will be 204.194.29.4.
    

[0] https://lists.torproject.org/pipermail/tor-relays/2014-November/005647.html

~~~
tokenizerrr
Note that a tor exit node is quite different from a relay.

------
folta
Missing an L in "Mozilla" in the title - "Mozila deploying tor relays"

~~~
leo2urlevan
Thanks, fixed.

------
mirimir
This is, of course, great news.

However, it's my impression that there is a surplus of entry and middle nodes,
and a serious shortage of exit nodes, especially fast ones. Also, I've read
that the geographic diversity of exit nodes is inadequate. I base these
comments on discussions on the tor-talk and tor-relays lists, and from posts
on the Tor Project blog.

~~~
sp332
Would it help if an ISP ran a couple of exit nodes plugged into core routers?

~~~
AnthonyMouse
It's actually better if 1000 different people each run a 40Mbps exit node than
if one ISP runs a single 40Gbps one. You don't want to centralize control over
the exit nodes because it increases the chance that party could control every
node in a circuit.

~~~
sp332
If they're only running exit nodes, they're not going to control every node in
a circuit.

~~~
AnthonyMouse
If you _know_ which nodes they control you can easily avoid using them in the
same circuit. But how are you supposed to know that? There is a configuration
option to list other nodes you operate for exactly this purpose, but someone
staging an attack is obviously not going to use it.

------
jstalin
Can we donate to support this specific initiative?

~~~
dublinben
Donate to the Tor Project. They currently rely on mostly government grants for
funding their important work.

TorServers.net has also been mentioned already.

------
justcommenting
bandwidth & other info on mozilla's relays:
https://atlas.torproject.org/#search/mozilla

kudos to mozilla for getting involved!

------
ryanthejuggler
Is Tor broken? I've heard that its anonymity was proven to be broken, but I'm
not sure how reliable my source was. I'm interested in getting involved but
hesitant to do so until I have some solid info one way or the other.

~~~
d23
There's something like 2k-8k exit nodes, and all that is needed to compromise
it is 51% of those. Given that the CIA _started_ tor and the government has
significant interest in breaking it, I would find it harder to believe that
they _didn't_ have a few thousand computers lying around.

Also all of this is from memory, but I hope none of it is wrong. Feel free to
correct me if so.

------
ecaron
> We chose to make use of our spare and decommissioned hardware. That included
> a pair of Juniper EX4200 switches and three HP SL170zG6 (48GB ram, 2*Xeon
> L5640, 2*1Gbps NIC)

In other words, Mozilla has enough money that a 48GB ram machine is otherwise
a paperweight...

~~~
IgorPartola
Well, if they were in any way savvy (which I believe they are), they would
sell a machine like that or donate it to another project. In this instance, I
imagine, instead of selling/donating they repurposed.

~~~
evilpie
For instance a while back Mozilla was giving away old Mac minis:
http://armenzg.blogspot.de/2014/05/do-you-need-used-mac-mini-for-your.html

------
dangerlibrary
Neat.

Obviously apples and oranges, but between this and Facebook's Tor Hidden
Service we're starting to see adoption of real privacy tools among major
companies.

~~~
yclept
> facebook

> privacy

~~~
dangerlibrary
I don't think that Facebook has responded to many demands for data from the
Syrian/Burmese/Saudi governments. Feel free to correct me if I'm wrong.

~~~
yclept
How about the United States / China / Russia / Great Britain?

~~~
rmc
Oh they're on the right side, so it's OK /s

------
politician
This reads like a progress report from a temporary experiment rather than an
announcement of a supported capability. I wouldn't get too excited.

------
thecatspaw
I'm not sure if Mozilla should get into such a political field.

~~~
vertex-four
Mozilla is a political organisation. Aside from the fact that developing free,
privacy-focused software is an inherently political thing to do, they have the
Mozilla Manifesto[0], which states (the relevant bits here being singled out):

> The Internet is a global public resource that must remain open and
> accessible.

> Individuals’ security and privacy on the Internet are fundamental and must
> not be treated as optional.

> We will [...] use the Mozilla assets (intellectual property such as
> copyrights and trademarks, infrastructure, funds, and reputation) to keep
> the Internet an open platform [and] promote the Mozilla Manifesto principles
> in public discourse and within the Internet industry.

[0] https://www.mozilla.org/en-US/about/manifesto/details/

------
droopyEyelids
They better tell their employees not to buy any drugs or use TOR for illegal
stuff, because now they'll be representing the whole TOR project and The Free
Web.

So it's like, they don't just represent themselves anymore, and an arrest will
be a political tool to smash everything into corporate/government control.

~~~
mbrubeck
Any government agency that wants to trash-talk Tor is already doing so, and
already has plenty of ammo for the propaganda machine. They're not going to
wait for some Mozilla employee to download a movie torrent, especially since
that wouldn't actually change anything.

