Don't create a publicly available webpage showing bandwidth history or any statistics about the machine (e.g. CPU/RAM usage) as these can be used in surprising ways to attack users

don’t create a publicly available webpage showing bandwidth history or any statistics about the machine (e.g. CPU/RAM usage) as these can be used in surprising ways to attack users.

from Expectations for relay operators - The Tor Project - Policies

Does this mean I have to hide away mrtg stats like the attached one?

It is a 5-minute average of the network interface traffic. Additionally, the mrtg page shows the load average (1.67, 1.89, 2.04), updated every 5 minutes…

Is this really critical and does it have to be protected from third parties? Meaning I need to set up HTTPS and authentication for this?

Based on the fact that an attacker can set up his own relay and look at the bandwidth history, I don't take this advice seriously.


Yes, but not because you run a Tor relay. Rather because that is common sense nowadays.
FWIW I do use NGinx, a self-signed CA and iptables for that [1]

[1] GitHub - toralf/tor-relays: A stack to deploy Tor relays or Snowflake

Why is this stated as an expectation then, if I do not have to do it because of running a relay?

What information is there I have to hide? It is a static website, which is compiled locally, not an API… What are the surprising ways to attack users with the combined traffic summary of usually 4 relays and a load average updated every 5 minutes?

Here is the follow-up discussion in GitLab:

It boils down to this statement: do not make any statistics public with an aggregation window smaller than 24h (as is also used on metrics).
If you have more detailed statistics, protect them with HTTP auth at least…
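One way to apply that rule with Nginx, as an added example that is not part of this thread or of the toralf/tor-relays repository: the daily aggregate stays a public static page, while the raw mrtg output (5-minute averages and load average) is served only over TLS and behind HTTP basic auth, with an additional source-address restriction. The hostname, document root, certificate paths, htpasswd file and admin network are assumptions; the daily page itself is generated by a cron job outside this example.

```nginx
# Added example, not from the thread or the tor-relays repo.
# Hostname, paths, cert locations and the admin network are assumptions.

# Plain HTTP only redirects to HTTPS; no statistics are served here.
server {
    listen 80;
    listen [::]:80;
    server_name relay-stats.example.org;   # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name relay-stats.example.org;

    # Assumed certificate paths (self-signed CA or any other issuer).
    ssl_certificate     /etc/ssl/private/relay-stats.crt;
    ssl_certificate_key /etc/ssl/private/relay-stats.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    root /var/www/stats;   # assumed document root

    # Public: a static page regenerated once a day that contains only
    # daily totals, i.e. an aggregation window of 24h.
    location = /daily.html {
        add_header Cache-Control "public, max-age=3600";
    }

    # Restricted: the raw mrtg output with 5-minute resolution.
    location /mrtg/ {
        auth_basic           "relay statistics";
        auth_basic_user_file /etc/nginx/htpasswd.mrtg;   # assumed path, created with htpasswd(1)
        # Require BOTH a valid password and an allowed source address.
        satisfy all;
        allow 192.0.2.0/24;    # assumed admin network (TEST-NET-1 documentation range)
        deny  all;
        autoindex off;
    }

    # Nothing else on this host is published.
    location / {
        return 404;
    }
}
```

Create the password file with `htpasswd -c /etc/nginx/htpasswd.mrtg <user>` (apache2-utils / httpd-tools) and check the configuration with `nginx -t` before reloading. The `allow`/`deny` pair does at the application layer what the iptables rule mentioned above does at the packet filter; `satisfy all` makes both the password and the source check mandatory, so a leaked password alone does not expose the 5-minute data.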
