Maybe feds don’t want to upgrade their vast cloud of Tor nodes just yet [1][2]

1 - https://blog.torproject.org/tor-security-advisory-relay-earl...

2 - https://arstechnica.com/information-technology/2014/07/activ...

Thanks for posting, turns out one of these was mine. I forgot that it existed. 1213 days of uptime, still running Debian Wheezy (don't worry, i'm bringing it up to date now)

> We encourage everyone to configure their relays to do updates automatically

I understand the general security benefits of automatic updates, but on something with as big a target on its back as Tor, isn't it asking for trouble? An attacker could poison an update and make vulnerable the entire network for as long as it takes for the Tor Project to discover the problem and patch it.

How does the security professional balance such issues? I can imagine mitigating the risk with rolling updates, but the 0-days aren't patched immediately.

If they're not updating their main software, what makes us think they're patching the host? It makes me wonder what percent of those 1100 are compromised.

For example the 1213 days of presumably no updates by f2n (mentioned in another comment: https://news.ycombinator.com/item?id=17150526 )

Are they encouraged in their languages? How many of those relays are run by ESL operators? Maybe internationalization could improve the adoption speed or update speed or whatever you call that metric.

Do these operators actually even know they are EOL'd?

I'm the submitter. I see there is much misunderstanding and misinformation of Tor relays, even on Hacker News. I'm not a Tor dev, but I've been running a node for years, so I'd guess I somewhat have an authoritative opinion on this issue. The issue is simple and no conspiracy theory required.

1. This report mainly deals with Tor relays. A Tor relay is not a Tor Exit (well, you can argue Exit is a special type of relay). Tor relays can be run on all servers, optimally, with fixed IP address, bandwidth >10Mbps (do set appropriate bandwidth limit in /etc/torrc, or it burns all your bandwidth), anyone can help the network by running one. Tor relays only generate encrypted traffic to other Tor relays, and risk of running one relay is even lower than, let's say, a BitTorrent client. All you need is 5 lines of /etc/torrc, but better to tune the networking stack first.

2. Tor Project does not run any Tor nodes(x), most operators are enthusiasts, others are NGOs and privacy service providers doing a charity. If you read the [tor-relays] mailing list, you can see the people are just like those who run their personal email servers. Enthusiasts consist the people who are both networking hobbyist (understand networking, BGP, also familiar with network/server providers(x) around the world, for getting the maximum bandwidth, OVH, anyone?), and privacy enthusiasts (who know what is public key cryptography, uses GnuPG, follow security news, etc). There are lots of networking hobbyist (okay, not too many), and privacy enthusiasts. But only those people who have BOTH the hobbies, would eventually find their way to the [tor-relays] community, a small number.

2a. You see, the major obstacle of the growth is lack of publicity, and misunderstanding of Tor relays/exits. In 2014, EFF started a "Tor Challenge", and resulted a surge of 1,700 new nodes. Most of the nodes are STILL ONLINE (and probably being forgotten and hence outdated...). The speed of the Tor network has increased significantly due to the growth of interest since 2013, but more relays are always needed, currently there are less than 7000 nodes. Do you want to run? Start from https://trac.torproject.org/projects/tor/wiki/TorRelayGuide

3. Tor almost uses a rolling release model. The development pace is fast (but developers are not too many, need more), you can see Alpha versions being released almost every week. And they are more like a "mainline" version rather than a "alpha" version, and most of the time these "alpha" is already stable enough for casual uses. After the next alpha series is released, the current alpha is promoted to the "stable" series. This release model has some problems with traditional Linux/UNIX distros. For example, the Tor version in Debian (not Tor's) and OpenBSD's official repository is ALWAYS outdated by an entire series, since it has been freezed since distro's release date. Recently Tor just made another release, renders lots of current server being completely outdated.

4. Running a Tor Exit generally requires more cares of the servers, routinely respond to abuse mails, diagnose server problems and optimize performance. I haven't check, but I guess only a small percentage of these outdated versions are Exit.

4a. Running a relay is easy, most relay operators set up their servers in a fire-and-forgot basis, the servers are barely being touched anymore, once it has been configured and running correctly. Once the relays are up, many people simply forgot their existence at all, except they pay the bill. Just like many people's email server... And it's hard to contract many of them due to its decentralized nature, and most people don't actively follow [tor-relays] mailing list. Many careless operators also don't actively check their contract emails. Few of them even don't bother to leave contract information, or name their nodes (default: i_didnt_edit_config)...

5. Because Tor releases often, occasionally some people don't want to deploy updates until the next major maintenance reboot, because they don't want to lose the high uptime and large traffic they've waited to get for months (for new nodes, Tor traffic reaches to the maximum only after 3 weeks of continuous operation)...

TLDR, I guess automatic update is the solution, since the update is already signed. Also, we may need to make running Tor relay a more interactive process.

(x) Even authoritative servers are contributed to well-known members of the developer community, in a individual basis. (x) But don't use OVH for your new Tor relays, it's already the largest network of Tor nodes thanks to the cheap bandwidth.

Given the project's goals, TOR cannot operate release versioning, interoperability, and backward compatibility like a "normal" open source project.

Old versions need to be something akin to a burnable one-time-pad, that gets burnt when deemed more vulnerable than it's up-versioned, more secure replacement.

In many ways, this kind of sucks as an idea, but in pragmatic terms, I just really wouldn't want idiots relaying traffic I'd feel paranoid about, in ways that'd cause me to lose sleep at night.

That said, I don't even think the routing protocol has honest merit. The idea that you should place an all-consuming degree of trust in the honor system surrounding exit node operators having total access to plain-text traffic is beyond-the-pale in its stupidity.

No one can field a satisfactory answer for me, regarding why it's okay that exit node operators have access to plain-text traffic.

  Oh, because traffic analysis 
  is hard, and most exit node 
  operators are amateur hobbyists.

  That's just the way it works.
  You can't make TOR work any
  other way.

Okay, but that's not what TOR is trying to accomplish.