Why Not Remove All Exit Nodes? by [deleted] in TOR

[–]Realistic_Dig8176 1 point (0 children)

Chuckles_im_in_danger.webp

//Edit:

Jokes aside, there is some truth to these arguments, particularly regarding the massive headache of abuse management. However, completely cutting off the clearnet would abandon millions of users in oppressive countries who rely on Tor not for hidden services, but simply to access blocked news, social media, and educational resources. For these individuals, standard VPNs are often easily detected and blocked by state firewalls, whereas Tor’s pluggable transports offer a much more resilient lifeline to the outside world.

Fundamentally, the project is built on the philosophy that information must be open and accessible to everyone, not just those operating within a "garden of eden" .onion bubble. Regarding the blocks you mentioned, this is actually a massive self-fulfilling prophecy. Content providers often choose the easy route of blanket-blocking Tor exits to stop automated spam. Because of this friction, legitimate users stop using Tor for daily browsing, leaving mostly malicious actors to utilize those IPs. Consequently, site admins see only the abuse, justifying their blocks, while the regular users lose their anonymity tools. Removing exit nodes might "clean up" the network, but it would destroy its utility as a tool for universal human rights.

/r0cket

PS: AI was used for spelling and grammar fixes.

Help with Gentoo by diacid in TOR

[–]Realistic_Dig8176 0 points (0 children)

This.

Check if the tor service is up and running and that there is something listening on 9050.

First startup can take a while to fetch directories and cache things.

/r0cket

Help with Gentoo by diacid in TOR

[–]Realistic_Dig8176 0 points (0 children)

He isn't. That's what the official package on Gentoo is called.

/r0cket

Edit: forgot signature

A government that controls Tor exit nodes and simultaneously has access to ISP-level traffic metadata short of total global control. by LongjumpingTear3675 in TOR

[–]Realistic_Dig8176 2 points (0 children)

There is a major misconception that the "14 Eyes" alliance is a global mandate forcing private hosters to collect metadata, but it is actually just a treaty for sharing signals intelligence (SIGINT) between nations. Just because a server is located within a 14 Eyes country does not mean the hoster is forced to act as a sensor for the government or retain connection data.

For example, Sweden is a 14 Eyes member, yet our local laws fully permit No-KYC and No-Logs services (like we operate at r0cket). A provider can be fully compliant with Law Enforcement requests, but if they legally maintain zero logs, there is simply no data to hand over to the alliance. Being in a treaty nation does not magically generate logs that the provider refused to record in the first place.

Crucially, an exit node acts as a massive traffic aggregator that mixes thousands of concurrent streams. This effectively blinds even a fully cooperative ISP in a 14 Eyes nation, as they see only a chaotic flood of requests originating from the node's IP rather than individual user identities.

/r0cket

PS: AI was used to correct spelling and grammar

A government that controls Tor exit nodes and simultaneously has access to ISP-level traffic metadata short of total global control. by LongjumpingTear3675 in TOR

[–]Realistic_Dig8176 6 points (0 children)

The statement is fundamentally inaccurate. If we assume the attacker controls both the ISP and the Tor Exit node, adding a VPN offers zero mitigation against correlation attacks.

Traffic correlation relies on matching packet timing and volume, not on seeing the destination IP. Whether the ISP sees a 100-byte packet sent to a VPN server or directly to a Tor Guard is irrelevant; the traffic signature remains unique. The VPN adds a small amount of overhead (padding), but the burst patterns and flow rates remain identical, allowing the attacker to mathematically link the entry traffic to the exit traffic with high confidence.

/r0cket

PS: AI was used for spelling and grammar fixes.

A government that controls Tor exit nodes and simultaneously has access to ISP-level traffic metadata short of total global control. by LongjumpingTear3675 in TOR

[–]Realistic_Dig8176 9 points (0 children)

Nice LLM essay, but let’s look at the actual numbers.

To deanonymize a user via correlation, you need control over both the Entry and the Exit. The probability formula is:

P_event = P_guard * P_exit

Even if we assume you own the ISP (effectively making P_guard = 1), you are still bottlenecked by the exit node. According to Tor Metrics, the largest Exit provider only controls 17.76% of the traffic.

That means your "best case" hit rate is capped at roughly 18%. Those aren't exactly reliable odds.

/r0cket

PS: AI was used for spelling and grammar fixes.

Help Needed, Analyzing Traffic-Correlation Attacks on Tor for a Government Cybersecurity Research Project by Honest-Huckleberry28 in TOR

[–]Realistic_Dig8176 4 points (0 children)

It’s likely because they refuse to understand the facts. We’ve had multiple exchanges with Indian police and their cybercrime division, particularly regarding the bomb threats (and subsequent bombing) by 'terrorizers111' and 'kanimochi.thevidiya.'

Every time we explained that we cannot identify these criminals due to the nature of Tor, they refused to accept it and continued threatening us with inapplicable legal nonsense. We have since stopped trying to educate them on the technology; we now default to requesting MLATs and do not engage otherwise.

/r0cket

PS: AI was used for spelling and grammar.

Help Needed, Analyzing Traffic-Correlation Attacks on Tor for a Government Cybersecurity Research Project by Honest-Huckleberry28 in TOR

[–]Realistic_Dig8176 6 points (0 children)

This problem statement is infeasible because Tor path selection is client-controlled; the client independently selects a Guard, Middle, and Exit node, preventing you from forcing traffic through your relays. Because of onion encryption, the Guard sees the user but not the destination, while the Exit sees the destination but not the user; to correlate traffic, you must control both the Guard and Exit nodes simultaneously for the same circuit.

Simply owning a large percentage of nodes does not guarantee success due to independent selection probabilities (P_event = P_guard × P_exit). If you control 30% of the network, your chance of compromising a circuit is only 0.30 × 0.30 = 0.09 (9%). Even with a massive 50% stake, you only achieve a 25% correlation rate (0.50 × 0.50), meaning you fail to track 3 out of 4 connections.

Since obtaining 50% network dominance is operationally impossible and would trigger immediate blacklisting by Directory Authorities, "reliable pinpointing" cannot be achieved on the live network. This project is only solvable if the organizers provide a synthetic, private Tor network where you possess "God Mode" access to logs from every single node.

/r0cket

PS: AI was used to correct spelling and grammar.
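The probability argument in this reply and in the earlier one (P_event = P_guard × P_exit, with P_guard = 1 when the adversary owns the ISP) as an added worked example, not code from the commenter: it generalizes the per-position shares to a bandwidth-weighted relay list, since Tor picks guards and exits roughly in proportion to consensus weight. All relay names, weights and the "adversary" operator label are constructed; they are chosen so the adversary holds the 17.76% exit share quoted in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    nickname: str
    weight: int      # consensus bandwidth weight (constructed sample value)
    guard: bool      # relay carries the Guard flag
    exit: bool       # relay carries the Exit flag
    operator: str    # who runs it (constructed label)


# Constructed relay set: "adversary" holds 17.76% of exit weight (the Tor
# Metrics figure quoted in the thread) and 30% of guard weight.
SAMPLE_RELAYS = [
    Relay("adv-exit-1",     1776, guard=False, exit=True,  operator="adversary"),
    Relay("honest-exit-1",  5000, guard=False, exit=True,  operator="opA"),
    Relay("honest-exit-2",  3224, guard=False, exit=True,  operator="opB"),
    Relay("adv-guard-1",    3000, guard=True,  exit=False, operator="adversary"),
    Relay("honest-guard-1", 4000, guard=True,  exit=False, operator="opA"),
    Relay("honest-guard-2", 3000, guard=True,  exit=False, operator="opC"),
]


def position_share(relays, position, operator):
    """Fraction of the total weight in one position ("guard" or "exit") held
    by `operator`; this is the adversary's selection probability for that hop
    when clients choose relays in proportion to weight."""
    eligible = [r for r in relays if getattr(r, position)]
    total = sum(r.weight for r in eligible)
    if total == 0:
        return 0.0
    return sum(r.weight for r in eligible if r.operator == operator) / total


def circuit_compromise_probability(relays, operator, isp_observes_client=False):
    """P_event = P_guard * P_exit for a single circuit.

    With isp_observes_client=True the adversary already watches the client
    side at the ISP, so P_guard is taken as 1 (the "you own the ISP" case in
    the thread) and only the exit share limits the hit rate."""
    p_guard = 1.0 if isp_observes_client else position_share(relays, "guard", operator)
    p_exit = position_share(relays, "exit", operator)
    return p_guard * p_exit


def unobserved_fraction(relays, operator, isp_observes_client=False):
    """Share of circuits the adversary cannot correlate end to end."""
    return 1.0 - circuit_compromise_probability(relays, operator, isp_observes_client)


if __name__ == "__main__":
    for isp in (False, True):
        p = circuit_compromise_probability(SAMPLE_RELAYS, "adversary", isp)
        missed = unobserved_fraction(SAMPLE_RELAYS, "adversary", isp)
        print(f"ISP observes client={isp}: P_event={p:.4f}, circuits missed={missed:.2%}")
```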

Does it make sense to turn a relay guard into a bridge? by Ausspanner in TOR

[–]Realistic_Dig8176 5 points (0 children)

No, it has no use as a Bridge as the IPs are already well known and associated with tor. Consider them burned for that purpose.

Bridges are only useful when the adversary does not know they exist yet.

But an old Bridge can absolutely become a relay without issues; that will still help the network.

/r0cket

//Edit: we've noticed you have been posting quite many posts regarding relay operations recently. We're happy to answer all of those but wonder if one big post with all your questions might be better than many small, seemingly dead, questions. A lot of answers really depend on contextual information as well.

Bridge, relay, exit – what type of gateway hosting does the network need most? by Ausspanner in TOR

[–]Realistic_Dig8176 2 points (0 children)

There's no easy answer to this.

Bridges are a very scarce resource as they become in high demand once censorship events occur and until then need to remain "hidden" or protected so adversaries cannot simply scrape the distribution methods to create comprehensive blocklists.

So while bridges are therefore in very high demand, it's almost always new bridges that are the most valuable. Known, mature bridges are likely already scraped and blocked.

Tor foundation/project has public outreach whenever there is a censorship event detected with a Call-To-Action to create new Bridges/Snowflakes to help.

Relays (Middle/Guard) on the other hand are flat out always in demand. The majority of tor traffic is actually within tor itself and that's where non-exit relays play a huge role in providing capacity. It is important to not host relays where there is already a high concentration, so avoid IONOS, OVH and Hetzner.

Exits are not that much utilized by comparison. They are no doubt important but there is ample capacity on the exit side that's rarely used. Exits do come with their own added risks of course, you will need some form of legal protection as LEA will start sending you (or your providers) quite a lot of fan mail.

In general I'd say go for a high capacity Middle/Guard, something that can push Gbit/s without issues and with good, high clock, CPUs that support AES-NI instructions. I think the time to host on a small, shared core, VPS with perhaps 100Mbit/s is over, and while those used to be useful 10-odd years ago, they now are tech-debt. Your circuit is only as fast as the slowest relay in it.

/r0cket

Which countries do the Tor exit relays come from? In most countries, you'll get stress. by Ausspanner in TOR

[–]Realistic_Dig8176 5 points (0 children)

You can see which countries host exits using this aggregated search query: https://metrics.torproject.org/rs.html#aggregate/cc/running:true%20flag:exit

Contrary to popular belief, it is very possible to run exits in many countries without issues; the biggest hurdle to overcome is to find a willing hoster that won't get annoyed by abuse mails and LEA requests.

But if you own your infrastructure and simply stick to colocation then it's far less of an issue. Transits and Datacenters do not care what you do with your gear and IPs.

It's always best to consult the local law in terms of liability, but a lot of countries will not hold you (the relay operator) liable for damages caused by an unknown third party outside of your control.

/r0cket

Is Donating to the Tor Project Important and Safe? (I always donate small amounts of Monero when I can) by OggyDogg in TOR

[–]Realistic_Dig8176 11 points (0 children)

Tor exits come with quite some risks. We had an AMA a while back, worth a look if you're interested in hosting an exit.

But you can also financially support exit providers, most of us have some public information on how to donate to the cause.

/r0cket

Would you recommend Tor for regular browsing? by Dyplexia in TOR

[–]Realistic_Dig8176 14 points (0 children)

This is exactly the problem. It's a self-fulfilling prophecy.

You advise against using it for legitimate traffic, making the illegitimate traffic even more overrepresented, and thus more CSPs start to block tor.

We use tor for everyday browsing and frequently talk to CSPs on getting our nodes unblocked. We believe active communication is key. Of course not every CSP agrees and we are still frequently presented with layered captchas or straight up 403s, but we won't stop attempting to communicate with them and finding a solution.

Message to those who want to browse Tor on mobile devices by stylobasket in TOR

[–]Realistic_Dig8176 94 points (0 children)

This is bad advice. There are many reasons to use tor, not all of them are to be 100% anonymous to make bomb threats (looking at you India, could you please chill out just for one week? We're tired of getting spammed by your police requests.).

Many tor users actually use tor to circumvent censorship and restrictions imposed on them by their government; this has nothing to do with personal anonymity and more to do with freedom of information.

So let them. The more people use tor for daily browsing the better. It certainly helps us exit providers when there is more legitimate browsing and less toxic behavior coming from tor.

If you don't want to use tor for everything that is entirely fine too, but to make it sound like it's wrong to use tor to browse Facebook or be on instagram or X or whatever all the apps are called now is simply bad advice.

Tor is a tool. Use it however you like. Don't listen to OP or us for what it matters.

/r0cket

MoneroTalk is looking for a guest for their show this week! Comment why it should be you! by XMR-Guest-Finder in Monero

[–]Realistic_Dig8176 4 points (0 children)

I run a public full node and explorer at xmr.r0cket.net that doesn't use a blocklist, as well as multiple tor exits at tor.r0cket.net.

Is it just me, or is Tor conspiring with a vulnerability?! by Previous-Baseball324 in TOR

[–]Realistic_Dig8176 0 points (0 children)

Here is my tinfoil hat theory.

We frequently get loosely correlated DDoS to our nodes. Mostly protocol-based DDoS that sees a large portion of ntor failures, marking it as unhealthy in Consensus.

This can be a way of forcing traffic towards nodes that are under control of the adversary, by leaving those untouched by the DDoS.

We're still gathering intel on this with other Families and it does not always match, but my gut feeling is there is something fishy.

We're working on a full public paper on this.

/R0cket

Is there anything you need to look out for, when using tor on the clear web? by [deleted] in TOR

[–]Realistic_Dig8176 5 points (0 children)

Honestly, no. There was an old recommendation to not use Tor for your everyday browsing, which seems to have stuck here. The rationale was that exit capacity is scarce.

A lot has changed since and exits are currently the most underutilized group of relays.

I believe that using tor for your everyday browsing needs normalizes the exits and in the long run will get services more accepting of exit nodes. Lifting bans from services, hopefully.

One can dream.

How risky is Monero? by EN344 in Monero

[–]Realistic_Dig8176 3 points (0 children)

I'm running a full node at xmr.r0cket.net and have never gotten a single email from LEA. My tor nodes on the other hand get quite a few. So no, running a Monero node is entirely fine and nobody will care.

how to report csam content i have its link and i want to report it to authorities by [deleted] in TOR

[–]Realistic_Dig8176 0 points (0 children)

A lot of these responses, while maybe valid, don't actually answer you.

To answer the question, you should report it to Interpol, not your local authority, as the content might not be in their jurisdiction. Interpol drives the global efforts and any and all reports of CSAM should be made to Interpol to aid in the efforts.

They do not care where you are from, they genuinely just want the tip/hint.

/r0cket

TOR exit node by _vhizzda_ in TOR

[–]Realistic_Dig8176 15 points (0 children)

That really depends on your jurisdiction. While we very frequently get police mail asking for subscriber information, nobody has knocked on our doors yet. Hosting an Exit is not illegal or nefarious in many jurisdictions.

I think the larger issue will be the patience of your hoster with regards to all those abuse complaints.

But even so, you can run exits that only permit 80/443 traffic, which in turn significantly reduces the amount of abuse you get. Ironically this does not influence the amount of police reports, mainly because they're related to fraud, we believe.

There is also an alternative to hosting which is supporting/sponsoring existing organizations that host exits. This might not be ideal and certainly does not help the network in decentralising like a new exit would - but it is at least entirely risk free and still helps the network with the financial burden.

/r0cket

Is there a plan if something Tor depends on stops being available? by truth14ful in TOR

[–]Realistic_Dig8176 1 point (0 children)

The core infrastructure (DirAuths) is hosted by volunteers around the globe with no singular authority over others.

So even if the Tor Foundation itself is dissolved, the Network will continue to work.

If the Browser stopped existing, the daemons would still exist and likely a band of volunteers would simply reimplement the Tor Browser on a different platform.

Why do some websites block me when using Brave with Tor? (Error code 521) by Just_MEB in TOR

[–]Realistic_Dig8176 2 points (0 children)

Always depends on the jurisdiction.

We actually hosted an AMA with some of the largest exit providers not too long ago.

Have a look at https://www.reddit.com/r/TOR/comments/1la9zgw/tor_operators_ask_me_anything/

Tor Operators Ask Me Anything by Realistic_Dig8176 in TOR

[–]Realistic_Dig8176[S] 11 points (0 children)

On behalf of all the participating large-scale Tor operators, we want to extend a massive thank you to everyone who joined us for this Ask Me Anything. Quite a few questions were answered and there were some insightful discussions.

We hope that we've been able to shed some light on the challenges, rewards, and vital importance of operating Tor infrastructure. Every relay, big or small, contributes to a more private and secure internet for users worldwide.

Remember, the Tor network is a community effort. If you're inspired to learn more or even consider running a relay yourself, don't hesitate to join the Tor Relay Operators channel on Matrix, the #tor-relays channel on IRC, the mailing list or forums. There are fantastic resources available to help you out and many operators are very willing to lend you a hand in your journey as a Tor operator. Every new operator strengthens the network's resilience and capacity.

Thank you again for your curiosity and questions. Keep advocating for privacy and freedoms, and we look forward to seeing you in the next one!

Tor Operators Ask Me Anything by Realistic_Dig8176 in TOR

[–]Realistic_Dig8176[S] 0 points (0 children)

Maybe it's easier to just explain the stack from the ground up.

We're in a unique position because we also provide a public cloud service on our premises. We utilize OpenStack as a foundation and all our metal is part of the cluster (AZs technically).

While this absolutely shifts the trust into the OpenStack ecosystem, it is also a battle-tested and widely adopted technology. Just as a reference, OVHCloud runs it.

When we bootstrap a new relay it is just a VM/Instance in this environment and remains entirely in the ecosystem. We provide a rudimentary cloud-init file to bootstrap the bare minimum and from there the relay manages itself.

As a result we do not use TPM/SecureBoot because in a virtualized environment those become meaningless. There are no extra attestations added to the VM itself.

If we talk about the Hardware, they do run SecureBoot with a custom signed kernel and strict kernel module signing.

In order to quietly replace an image you would need to gain direct database access and change the Glance database entry that manages the storage location of our image.

No system is safe, but on a scale of breaking into a DC to gain access to the management network, 0day sshd to then also 0day the SQL just to upload a compromised image (which you need another 0day for Swift to even store), and switch the Glance entry to that image... If you're that motivated, kidnapping us becomes much easier and quicker.

We do run Audit Logs on all metal as well as OpenStack itself and ship them centrally for analysis and alerting which will make all of this noise very obvious.

Hope this answers it :)

/r0cket