
Topic: Suggestion: Stop logging Tor Exit IPs (Read 275 times)

legendary
Activity: 2828
Merit: 2472
https://JetCash.com
January 08, 2020, 03:48:30 AM
#3
I've got a couple of pages worth of IPs logged. All are from the UK, and most state that the city is unspecified. Where the city is specified, it is incorrect, and can be anywhere in England. Only one is correct, and that looks as if it was the result of my tethering through my mobile. I can't see any benefit to me or the forum from recording more than the last couple of IPs.

I'm using public WiFi rather than Tor.
sr. member
Activity: 1288
Merit: 415
January 08, 2020, 01:06:04 AM
#2
Your suggestion looks pretty much an effective way to curb the data storage related to IP logins to the forum. Theymos had already applied some IP retention restriction features recently. Another intent of theymos behind it could be reducing the data storage space of the users who don't want to save their IP locations.

I agree Tor exits data recording is probably of no use to the forum, and not storing them would benefit in a way.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
January 07, 2020, 10:37:02 PM
#1
Evidently, I can travel at the speed of light!  https://bitcointalk.org/myips.php tells me that within quite a short time span, I have connected from:

Code:
Tallinn, Estonia
(Unspecified city), Germany
Lipova, Romania
Amsterdam, Netherlands
(Unspecified city), Austria
(Unspecified city), United States
(Unspecified city), France
(Unspecified city), Switzerland
Nafplion, Greece
Roost, Luxembourg
Sofia, Bulgaria
Brooklyn, United States
Aleksandriya, Ukraine
(Unspecified city), Germany
(Unspecified city), Austria
(Unspecified city), Ukraine
Amsterdam, Netherlands
Bergshamra, Sweden

Seriously, I suggest that by default (and without an option), the forum should automatically discard Tor IPs before the information even hits the “User IP logs”—or if needed, log access as “Tor Exit” without an IP address and city:

  • The logging of exit IPs does not serve the intended purpose of assisting disposition of account recovery requests.  Indeed, to the contrary:  When handling account recovery, I think you must filter Tor exits anyway.  Otherwise, if a user had ever connected through Tor, an account thief may get lucky and connect through an IP geolocated in a city which the user had apparently connected from.  The probability is not negligible:  There are over a thousand Tor exits located all over the world, mostly in densely-populated urban areas; and a Tor user can easily jump around through dozens of them in a matter of hours.
  • Although the logging of Tor exits seems to be not a big privacy concern, why keep around useless data that may be useful for unlikely attacks?  Is the risk to Tor users small?  Large?  Who cares?  The principle of “need-to-know” data minimization seems implicit throughout the forum’s “about privacy” page.  Keeping those IPs around just burdens the forum and its administration with useless data that they don’t need, and probably therefore don’t want.
  • For Tor users, the forum is mostly served through Cloudflare’s onions* via Alt-Svc, with no client IP address.  I have instrumented my Tor daemon with connection-logging functionality that would probably scandalize Tor Project developers; thus, it has been easy for me to confirm that most of my hits on bitcointalk.org actually go to a group of v3 onions with names starting with “cflare”.  I only hit bitcointalk.org via an exit when Tor Browser’s knowledge of Alt-Svc is nonexistent or stale for whatever reason.  (Due to the way Alt-Svc works, a Tor user will always hit bitcointalk.org with an exit IP at least once at the start of a new browser session.)

It’s probably a relatively low priority for forum improvement; but if you anyway must exclude Tor exits when performing account recovery, the functionality is needed.  I suggest it’s better to do that at the source of data, and discard Tor IPs, rather than later, at the time of use.



(* Of course, Cloudflare can still see all traffic sent through its own onions.  At least their auto-onion feature takes a big load off Tor exit capacity, a perennial bottleneck due to the difficulty and risks of running an exit; and the metadata (time and IP) for connections via an onion cannot be seen by network spies who may watch traffic from Tor exits.  In fairness, I will give them significant credit for doing a bit to help user privacy against adversaries who are not Cloudflare.  In my book, it is an offset against their terrifically larger debit for MITMing TLS for what seems like half the web nowadays.  —  I have observed, entities have an interest in protecting people from everybody but themselves.  The NSA wants to pwn your crypto, but doesn’t want the Chinese to pwn your crypto.  Google wants your connections to Google to be secure, so that only they will be able to buttfork your privacy.  Facebook wants you to securely connect to Facebook (even through an onion!), so that you can privately destroy your privacy on Facebook.  I think that Cloudflare is absolutely sincere in their desire to protect users against everybody except Cloudflare.  Well, generally, intelligence data loses its value if others have it...)
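
Added example (not part of the thread and not the forum's own code): a sketch of the "discard at the source" idea from post #1, where a Tor exit is logged only as "Tor Exit" with no address or city, and such rows give no evidence for account recovery. The exit-list format, the function names and the geolocate callback are assumptions; the addresses are constructed documentation-range values.

```python
import ipaddress

# Constructed sample in two assumed exit-list shapes: bare addresses and
# "ExitAddress <ip> <timestamp>" lines. Documentation-range IPs only.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real Tor exits
192.0.2.10
ExitNode 0000000000000000000000000000000000000000
ExitAddress 198.51.100.7 2020-01-07 22:00:00
2001:db8::1
not-an-ip
"""

def parse_exit_list(text):
    """Return a set of ip_address objects; skip comments and malformed lines."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        tagged = parts[0] == "ExitAddress" and len(parts) > 1
        candidate = parts[1] if tagged else parts[0]
        try:
            exits.add(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # "ExitNode ..." lines and other non-address text
    return exits

def make_log_record(client_ip, when, exits, geolocate):
    """Build the row that gets stored. For a Tor exit the address is never
    geolocated or written; only the label "Tor Exit" is kept."""
    addr = ipaddress.ip_address(client_ip)
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot dodge the match.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr in exits:
        return {"time": when, "source": "Tor Exit", "ip": None, "location": None}
    ip = str(addr)
    return {"time": when, "source": "direct", "ip": ip, "location": geolocate(ip)}

def recovery_locations(records):
    """Locations usable as account-recovery evidence; Tor rows contribute none."""
    return {r["location"] for r in records
            if r["source"] == "direct" and r["location"]}
```
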