verla via Tor Project Forum:
A concerning statement in this write-up is:
The C-Tor codebase is in maintenance mode and not accepting any new
features anymore (with a very narrow set of exceptions). We therefore
plan to have this change included solely in the upcoming Arti relay
work.
This appears to be false, as you just rolled out conflux and onion proof of work in the C-Tor codebase.What are the exceptions for new features into c-tor? Where are the exception criteria documented (speaking of transparency)? Will this proposal become an exception?
I think the answer to your last question is already in the text block
you quoted, no? The exceptions are determined by the network-team and
are on a case-by-case basis. The general rule is “no new features”.
Proposal Questions
- What does this proposal mean for those running C-Tor?
It should not affect them.
- Are you proposing a “flag day” for the entire network to switch to rust-tor?
We are not sure yet, but likely C-Tor relays will just be phased out via
the usual EOL mechanism: at some point there won’t be any security
updates and thus any supported C-Tor version for relays left and they
will therefore get blocked at the Directory Authority level.
- What happens to C-tor relays that refuse to put in valid email addresses if/when this proposal is accepted?
Nothing which is not happening already.
- Does this just bifurcate the network into c-tor and rust-tor versions?
No. We’ll have a period where both C-Tor and Arti relays will be in the
network but that is unrelated to the proposal at hand and is rather a
result of the overall transitioning to Arti relays.
- How do you plan to handle the duplicate email addresses on relays not in a “family”?
Not sure what you mean here, is that related to the next question?
- What’s to stop someone from just copying a known email from the public contactinfo?
You mean someone trying to impersonate an operator? We think we can
prevent that/make it detectable with the way our planned email
validation is constructed: it’s bound to the family keys/fingerprints of
relays. The details are still ironed out and will be in a technical
specification but we believe we’ll improve the situation here as well
compared to the status quo.
General Thoughts
Please show some transparency and document your setups where using valid email addresses in ContactInfo does not result in tens of thousands of spam/phishing emails per year.
Thanks @boldsuck for following up on that part.
On the general topic, it seems tor is losing its way here. If the clients do not trust the network, then why do we need more trusted relays? Are you implicitly admitting the tor network is not safe and/or the entire design is fundamentally flawed? Already, tor cannot protect against global passive adversaries. Such GPA’s already include the obvious intelligence and law enforcement agencies, but also google, facebook, apple, akamai, shein, bytedance, visa/mastercard and other with global reach on the internet. Such a proposal merely lets the GPA collect more information about relay operators.
I think the motivation section in the proposal as to why we need this is
mentioning the bad-relays case. There are some interesting ideas
mentioned as well that we could build on top of this proposal which
could help with trustworthiness. The network being safe or not is not a
yes/no topic. It’s more complicated, but we can help making it safer
with the current proposal as a building step. And that’s definitely in
the interest of Tor users.
Should this proposal be rammed onto relay operators, someone should start an anonymous email service which requires zero identifying information to accommodate those opting out of the surveillance economy.
Seems this got already addressed, too, nice.
···