-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

M wrote:
> First of all, some information about the situation:
> http://frapedia.se/wiki/Information_in_English
>
> I'm running two nodes in Finland, very restricted exit policies
> (Google's IPs, scroogle, https, pops and imaps allowed).
>
> Circa 90% of traffic originating from Finland and going outside of
> Finland is routed through Sweden (that bites a lot).
>
> As Swedish FRA is listening, logging, building "sociograms" and trying
> to decrypt all traffic going through their borders, should I be worried
> about my exit nodes? Should I do something about exit policies?
>
> Encryption does protect the data but it does not protect from tracking
> who is in connection with whom. As I run exit nodes that route traffic
> about 2Mb/s/2Mb/s - 10Mb/s/10Mb/s and 4Mb/s/4Mb/s I'm getting my fair
> share of Tor's traffic. So.. FRA is building a nice file of my IP and
> thinks that everything coming from Tor is really traffic originated by me.
>
> M
>
> ps: as always, sorry for my bad "fenno-english".
It really depends on whose privacy you're worried about.

Allowing exits only on ports that typically are used with end-to-end
encrypted protocols* should help limit the amount of information the FRA
can gather; while they can tell what's being accessed, they can't get the
much deeper "psychological" info that could be gathered from content.

I don't think that even with unencrypted traffic it would be a major
threat to the anonymity of the clients entering the network somewhere
else** - the main worry, as I see it, would be if they thought it was
from you. As mentioned before, the best you can do as an exit node (for
your own protection) is to allow ports that tend to be used with
encryption.

*: Others have pointed out that many ports which are commonly associated
with encrypted protocols may - in practice - actually be used without
encryption. This can be due to protocols which support either plain or
cipher mode (e.g., Gmail's SMTP on TCP 587), or to deliberate hackery
(e.g., someone could run a standard HTTP server on TCP 443, in order to
get around an ISP block of TCP 80 [although if they're at that level, I'd
figure they'd just use HTTPS for the extra privacy =;o) ]).

(In a manner of speaking, I'm doing repurposing of a port in this manner -
although Tor uses SSL, I'm using TCP 443 for onion routing, rather than
its "normal" purpose as an HTTPS server.)

**: FWIW and IMHO, I believe that much of the privacy and security of
clients not only has to be, but *should be* left to them. Stopping Darwin
and bottle-feeding those with inferior skills and/or capacity only drags
down the human race. Those who can, will learn; those who cannot, will
suffer the consequences.

-- 
F. Fox
AAS, CompTIA A+/Network+/Security+
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSGvjzuj8TXmm2ggwAQiYGhAArVhD0iX88t+jqq2eBWzLzCor5n2O0y2Z
PE6/3hzXNZ4/bzWINyY75kS01V5GX65+JlAmZwqWsg1wg8kQFvSOMptwXANspgUN
7YSAVUjCnsfkvv0rocb1rzFKRa2X+qqG32dTwYC86VL/i8mHXTHC3aFfdmMCV9Qm
OAUYSN/4xXSop8B4f65n2Wk9DsyZNEFYF0gGPxtOzFKru5+GZiHNGJZXVPD2JzSG
CJ9EG6oub6p91mBYExyXPg6vuiiDXOOQMyS0j+NNeeUV8yN4fANGBpp1sr7JPbGM
lifDWGrV1yfrFA0/tdWvpan0ltO399zeSS6nFqd+KekMvdKiPuAXHeg67XbSucZg
/Iz8ELfXC/81rD/tkTc00ghnJ5XWxtgJMjZvZ15ADNxPXMy9r9rG/exzEdqs3QiB
zFM3F95DP3No/8QWFar11U4KEDnxL4t0xYY9sYJw+irFAVpkjXyo/EavPOvjqfhu
BDyBkUljWda6UYN39anZVN9xKhmFl+ZiO+ZbrRX4r4cgWe4HO4X4pOowb5oqrbLM
jmrzdV1UGR4HK644N34vhuMXKmQNa7ztq7kx4oFGs8k7C8RerI8un2UEctLkMioT
7o+zUvxSpt3KPqHedKcMrbMYnZ6g11w6NNQz1vGYZrh22eVMvITPRXb/WYbX4FaB
+/pzrnLk4u4=
=0z1r
-----END PGP SIGNATURE-----
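The "encrypted ports only" exit policy discussed in this thread, as an added example that is not part of M's or F. Fox's posts and not Tor's own code: a small Python evaluator for torrc-style ExitPolicy lines (rules tried in order, first match wins), with a constructed policy that accepts only ports normally carrying TLS, and an audit helper that reports which well-known plaintext ports a policy still lets out. The policy text, the documentation-range addresses (198.51.100.x, 203.0.113.x) and the PLAINTEXT_PORTS list are assumptions for illustration; the parser handles IPv4 rules only. It cannot tell whether a permitted port is really carrying TLS, which is exactly the caveat in footnote * above.

```python
"""Evaluate torrc-style ExitPolicy lines (added example, not Tor's code).

Semantics implemented: rules are tried in order and the first match wins;
the address part is '*' or an IPv4 address/network; the port part is '*',
a single port, or a lo-hi range.  IPv4 only (accept6/reject6 not handled).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy modelled on the restricted one M describes: only ports
# that normally carry TLS.  587 accepts STARTTLS *or* plain SMTP, which is
# the caveat from footnote * above; an operator may prefer to drop it.
RESTRICTED_POLICY = """
ExitPolicy accept *:443   # HTTPS
ExitPolicy accept *:465   # SMTPS
ExitPolicy accept *:587   # mail submission (STARTTLS optional, may be plain)
ExitPolicy accept *:993   # IMAPS
ExitPolicy accept *:995   # POP3S
ExitPolicy reject *:*     # explicit catch-all, see exit_allowed()
"""

# Ports whose protocols are plaintext by default (assumed list for the audit).
PLAINTEXT_PORTS = (21, 23, 25, 80, 110, 143)


@dataclass(frozen=True)
class Rule:
    accept: bool
    network: Optional[ipaddress.IPv4Network]  # None means the '*' wildcard
    port_lo: int
    port_hi: int

    def matches(self, addr: str, port: int) -> bool:
        if self.network is not None:
            if ipaddress.ip_address(addr) not in self.network:
                return False
        return self.port_lo <= port <= self.port_hi


def parse_policy(text: str) -> List[Rule]:
    """Parse lines like 'ExitPolicy accept *:80,reject 198.51.100.0/24:*'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        if line.lower().startswith("exitpolicy"):    # keyword is optional here
            line = line.split(None, 1)[1]
        for item in line.split(","):                 # several rules per line
            verb, addrport = item.split()
            if verb not in ("accept", "reject"):
                raise ValueError(f"unknown verb {verb!r} in {raw!r}")
            addr, port = addrport.rsplit(":", 1)
            network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if port == "*":
                lo, hi = 1, 65535
            elif "-" in port:
                lo, hi = (int(p) for p in port.split("-", 1))
            else:
                lo = hi = int(port)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range in {raw!r}")
            rules.append(Rule(verb == "accept", network, lo, hi))
    return rules


def exit_allowed(rules: List[Rule], addr: str, port: int) -> bool:
    """First matching rule decides.  If nothing matches, this example rejects;
    real Tor instead appends its default policy when yours does not end in
    '*:*', so always finish a policy with an explicit 'reject *:*'."""
    for rule in rules:
        if rule.matches(addr, port):
            return rule.accept
    return False


def plaintext_exposure(rules: List[Rule], ports=PLAINTEXT_PORTS) -> List[int]:
    """Ports from `ports` the policy lets out to an arbitrary destination
    (198.51.100.1 is a documentation address, constructed for the check)."""
    return [p for p in ports if exit_allowed(rules, "198.51.100.1", p)]


RULES = parse_policy(RESTRICTED_POLICY)

if __name__ == "__main__":
    for port in (80, 443, 587, 993):
        verdict = "accept" if exit_allowed(RULES, "198.51.100.1", port) else "reject"
        print(f"port {port:5d}: {verdict}")
    print("plaintext ports still exposed:", plaintext_exposure(RULES) or "none")
```

Running the file prints the decision for a few ports and the plaintext audit; to check a real torrc, paste its ExitPolicy lines into parse_policy() and call plaintext_exposure() on the result before restarting the relay.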

