On Tue, Feb 17, 2009 at 02:14:49PM -0500, Praedor Atrebates wrote:
> I'm with Bennett on this. Taking away ExcludeNodes is essentially taking
> power and choice from Tor users.
>
> Always always always default towards providing more choice and power
> to users, not less. In any case, as indicated, reporting bad nodes
> is not exclusive of ExcludeNodes. ExcludeNodes is effective
> immediately. Reporting a bad node takes time for a response. Allow
> us to exclude the nodes we wish to exclude NOW, not after some
> period of time after reporting for something to be done.
>
I'm not commenting on the specific relative merits of continuing to support ExcludeNodes, but I do want to strongly reject the principle of always giving more choice and power to the users. Whatever its merits in general, this is a dangerous principle for anonymity systems.

It is easy to allow users to configure their systems in ways that allow an adversary to uniquely identify them (or at least dangerously narrow it down). How this can occur is subtle, and it sometimes surprises the experts. The user (even a fairly savvy user) has even less chance of grasping what is a safe configuration.

For this reason, we chose the Tor design to minimize the number of configuration choices even when we didn't have specific attacks in mind. When we thought we had a countervailing reason to allow options, we have done it hesitantly and with eyes as open as possible, rather than doing it as part of a principle we enthusiastically embraced. This point has been made in numerous published papers over the years, including the Tor design paper from USENIX Security 2004.

aloha,
Paul

