Browse code

Corrected the FAQ entry 'What applications can I use with Tor'.

Matt Pagan authored on 26/08/2013 10:16:03
Showing 1 changed files
... ...
@@ -27,8 +27,12 @@ proxies?</a></li>
27 27
     <li><a href="#SupportMail">How can I get support?</a></li>
28 28
     <li><a href="#Forum">Is there a Tor forum?</a></li>
29 29
     <li><a href="#WhySlow">Why is Tor so slow?</a></li>
30
+    <li><a href="#FileSharing">How can I share files anonymously through Tor?</a></li>
31
+    <li><a href="#OutboundPorts">Do I have to open all these outbound ports on my firewall?</a></li>
30 32
     <li><a href="#Funding">What would The Tor Project do with more
31 33
     funding?</a></li>
34
+    <li><a href="#IsItWorking">How can I tell if Tor is working, and that my connections really are anonymized?</a></li>
35
+    <li><a href="#FTP">How do I use my browser for ftp with Tor?</a></li>
32 36
     <li><a href="#Metrics">How many people use Tor? How many relays or
33 37
     exit nodes are there?</a></li>
34 38
     <li><a href="#SSLcertfingerprint">What are your SSL certificate
... ...
@@ -74,6 +78,7 @@ unsafe?</a></li>
74 78
     <li><a href="#GoogleCAPTCHA">Google makes me solve a CAPTCHA or
75 79
 tells
76 80
     me I have spyware installed.</a></li>
81
+    <li><a href="#ForeignLanguages">Why does Google show up in foreign languages?</li></a>
77 82
     <li><a href="#GmailWarning">Gmail warns me that my account may have
78 83
     been compromised.</a></li>
79 84
     </ul>
... ...
@@ -84,6 +89,7 @@ tells
84 89
     that mean?</a></li>
85 90
     <li><a href="#Logs">How do I set up logging, or see Tor's
86 91
     logs?</a></li>
92
+    <li><a href="#LogLevel">What log level should I use?</a></li>
87 93
     <li><a href="#DoesntWork">Tor is running, but it's not working
88 94
     correctly.</a></li>
89 95
     <li><a href="#VidaliaPassword">Tor/Vidalia prompts for a password at
... ...
@@ -93,6 +99,10 @@ country)
93 99
     are used for entry/exit?</a></li>
94 100
     <li><a href="#FirewallPorts">My firewall only allows a few outgoing
95 101
     ports.</a></li>
102
+    <li><a href="#ExitPorts">Is there a list of default exit ports?</a></li>
103
+    <li><a href="#SocksAndDNS">How do I check if my application that uses SOCKS is leaking DNS requests?</a></li>
104
+    <li><a href="#DifferentComputer">I want to run my Tor client on a different computer than my applications.</a></li>
105
+    <li><a href="#ServerClient">Can I install Tor on a central server, and have my clients connect to it?</a></li>
96 106
     </ul>
97 107
 
98 108
     <p>Running a Tor relay:</p>
... ...
@@ -120,6 +130,9 @@ memory?</a></li>
120 130
     <li><a href="#KeyManagement">Tell me about all the keys Tor
121 131
 uses.</a></li>
122 132
     <li><a href="#EntryGuards">What are Entry Guards?</a></li>
133
+    <li><a href="#ChangePaths">How often does Tor change its paths?</a></li>
134
+    <li><a href="#CellSize">Tor uses hundreds of bytes for every IRC line. I can't afford that!</a></li>
135
+    <li><a href="#OutboundConnections">Why does netstat show these outbound connections?</a></li>
123 136
     </ul>
124 137
 
125 138
     <p>Alternate designs that we don't do (yet):</p>
... ...
@@ -131,6 +144,12 @@ packets,
131 144
     not just TCP packets.</a></li>
132 145
     <li><a href="#HideExits">You should hide the list of Tor relays,
133 146
     so people can't block the exits.</a></li>
147
+    <li><a href="#ChoosePathLength">You should let people choose their path length.</a></li>
148
+    <li><a href="#SplitEachConnection">You should split each connection over many paths.</a></li>
149
+    <li><a href="#UnallocatedNetBlocks">Your default exit policy should block unallocated net blocks too.</a></li>
150
+    <li><a href="#BlockWebsites">Exit policies should be able to block websites, not just IP addresses.</a></li>
151
+    <li><a href="#BlockContent">You should change Tor to prevent users from posting certain content.</a></li>
152
+    <li><a href="#IPv6">Tor should support IPv6.</a></li>
134 153
     </ul>
135 154
 
136 155
     <p>Abuse:</p>
... ...
@@ -273,45 +292,15 @@ encryption, what data you're sending to the destination.</dd>
273 292
 can I use with Tor?</a></h3>
274 293
 
275 294
     <p>
276
-    There are two pieces to "Torifying" a program: connection-level
277
-anonymity
278
-    and application-level anonymity. Connection-level anonymity focuses
279
-on
280
-    making sure the application's Internet connections get sent through
281
-Tor.
282
-    This step is normally done by configuring
283
-    the program to use your Tor client as a "socks" proxy, but there are
284
-    other ways to do it too. For application-level anonymity, you need
285
-to
286
-    make sure that the information the application sends out doesn't
287
-hurt
288
-    your privacy. (Even if the connections are being routed through Tor,
289
-you
290
-    still don't want to include sensitive information like your name.)
291
-This
292
-    second step needs to be done on a program-by-program basis, which is
293
-    why we don't yet recommend very many programs for safe use with Tor.
294
-    </p>
295
-
296
-    <p>
297
-    Most of our work so far has focused on the Firefox web browser. The
298
-    bundles on the <a href="<page download/download>">download page</a>
299
-automatically
300
-    install the <a href="<page torbutton/index>">Torbutton Firefox
301
-    extension</a> if you have Firefox installed. As of version 1.2.0,
302
-    Torbutton now takes care of a lot of the connection-level and
303
-    application-level worries.
295
+    If you want to use Tor with a web browser, we provide the Tor Browser Bundle, which includes everything you need to browse the web safely using Tor. If you want to use another web browser with Tor, see <a href="#TBBOtherBrowser">Other web browsers</a>. 
304 296
     </p>
305
-
306 297
     <p>
307 298
     There are plenty of other programs you can use with Tor,
308 299
     but we haven't researched the application-level anonymity
309
-    issues on them well enough to be able to recommend a safe
300
+    issues on all of them well enough to be able to recommend a safe
310 301
     configuration. Our wiki has a list of instructions for <a
311 302
     href="<wiki>doc/TorifyHOWTO">Torifying
312
-    specific applications</a>. There's also a <a
313
-    href="<wiki>doc/SupportPrograms">list
314
-    of applications that help you direct your traffic through Tor</a>.
303
+    specific applications</a>.
315 304
     Please add to these lists and help us keep them accurate!
316 305
     </p>
317 306
 
... ...
@@ -608,6 +597,15 @@ money to the
608 597
 
609 598
     <hr>
610 599
 
600
+    <a id="FileSharing"></a>
601
+    <h3><a class="anchor" href="#FileSharing">How can I share files anonymously through Tor?"</a></h3>
602
+
603
+    <p>
604
+    File sharing (peer-to-peer/P2P) is widely unwanted in the Tor network and exit nodes are configured to block file sharing traffic by default. Tor is not really designed for it and file sharing through Tor excessively wastes everyone's bandwidth (slows down browsing). Also, Bittorrent over Tor <a href="https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea">is not anonymous</a>!
605
+    </p>
606
+
607
+    <hr>
608
+
611 609
     <a id="Funding"></a>
612 610
     <h3><a class="anchor" href="#Funding">What would The Tor Project do
613 611
 with more funding?</a></h3>
... ...
@@ -737,11 +735,55 @@ executive
737 735
 
738 736
     <hr>
739 737
 
738
+     <a id="OutboundPorts"></a>
739
+    <h3><a class="anchor" href="#OutboundPorts">Do I have to open all these outbound ports on my firewall?</a></h3>
740
+
741
+    <p>
742
+    Tor may attempt to connect to any port that is advertised in the directory as an ORPort (for making Tor connections) or a DirPort (for fetching updates to the directory). There are a variety of these ports, but many of them are running on 80, 443, 9001, and 9030.
743
+    </p>
744
+    <p>
745
+So as a client, you could probably get away with opening only those four ports. Since Tor does all its connections in the background, it will retry ones that fail, and hopefully you'll never have to know that it failed, as long as it finds a working one often enough. However, to get the most diversity in your entry nodes -- and thus the most security -- as well as the most robustness in your connectivity, you'll want to let it connect to all of them.
746
+    </p>
747
+    <p>
748
+If you really need to connect to only a small set of ports, see the FAQ entry on firewalled ports.
749
+    </p>
750
+    <p>
751
+Note that if you're running as a Tor relay, you must allow outgoing connections to every other relay, and to anywhere your exit policy advertises that you allow. The cleanest way to do that is to simply allow all outgoing connections at your firewall. If you don't, clients will try to use these connections and things won't work. 
752
+    </p>
753
+    
754
+    <hr>
755
+    
756
+    <a id="IsItWorking"></a>
757
+    <h3><a class="anchor" href="#IsItWorking">How can I tell if Tor is working, and that my connections really are anonymized?</a></h3>
758
+
759
+    <p>
760
+    There are sites you can visit that will tell you if you appear to be coming through the Tor network. Try the <a href="https://check.torproject.org">Tor Check</a> site and see whether it thinks you are using Tor or not.
761
+    </p>
762
+    <p>
763
+If that site is down, you can still test, but it will involve more effort: <a>http://ipid.shat.net</a> and <a>http://www.showmyip.com/</a> will tell you what your IP address appears to be, but you'll need to know your current IP address so you can compare and decide whether you're using Tor correctly.
764
+    </p>
765
+    <p>
766
+To learn your IP address on OS X, Linux, BSD, etc, run "ifconfig". On Windows, go to the Start menu, click Run and enter "cmd". At the command prompt, enter "ipconfig /a".
767
+    </p>
768
+    <p>
769
+If you are behind a NAT or firewall, though, your IP address will be within the range of 10.XXX.XXX.XXX, 192.168.XXX.XXX, or 172.16.XXX.XXX - 172.31.XXX.XXX, which is not your public IP address. In this case, you should check your IP address with one of the sites above without using Tor, and then check again using Tor to see whether your IP address has changed. 
770
+    </p>
771
+    
772
+    <hr>
773
+    
774
+    <a id="FTP"></a>
775
+    <h3><a class="anchor" href="#FTP">How do I use my browser for ftp with Tor?
776
+    </a></h3>
777
+
778
+    <p>Use the Tor Browser Bundle. If you want a separate application for an ftp client, we've heard good things about  FileZilla for Windows. You can configure it to point to Tor as a "socks4a" proxy on "localhost" port "9050". </p>
779
+    <hr>
780
+    
740 781
     <a id="Metrics"></a>
741 782
     <h3><a class="anchor" href="#Metrics">How many people use Tor? How
742 783
 many relays or exit nodes are there?</a></h3>
743 784
 
744
-    <p>All this and more about measuring Tor can be found at the <a
785
+    <p>
786
+    All this and more about measuring Tor can be found at the <a
745 787
     href="https://metrics.torproject.org/">Tor Metrics Portal</a>.</p>
746 788
     <hr>
747 789
 
... ...
@@ -1164,6 +1206,26 @@ DuckDuckGo, ixquick, or Bing.
1164 1206
 
1165 1207
 <hr />
1166 1208
 
1209
+<a id="ForeignLanguages"></a>
1210
+<h3><a class="anchor" href="#ForeignLanguages">
1211
+Why does Google show up in foreign languages?</a></h3>
1212
+
1213
+<p>
1214
+ Google uses "geolocation" to determine where in the world you are, so it can give you a personalized experience. This includes using the language it thinks you prefer, and it also includes giving you different results on your queries.
1215
+</p>
1216
+<p>
1217
+If you really want to see Google in English you can click the link that provides that. But we consider this a feature with Tor, not a bug --- the Internet is not flat, and it in fact does look different depending on where you are. This feature reminds people of this fact. The easy way to avoid this "feature" is to use <a>http://google.com/ncr</a>.
1218
+</p>
1219
+<p>
1220
+Note that Google search URLs take name/value pairs as arguments and one of those names is "hl". If you set "hl" to "en" then Google will return search results in English regardless of what Google server you have been sent to. On a query this looks like: http://google.com/search?q=...&amp;hl=en&amp;..g
1221
+</p>
1222
+<p>
1223
+In Firefox you can search for the google.src file and add the line &lt;input name="hl" value="en"&gt;g to it. Then restart Firefox and it will automatically add the "hl=en" name/value pair to all queries made from the search bar so you will get English results regardless of which Google server you have been sent to. Note that this file is actually 'hidden' as part of the application container on Macs. To get to this file on a Mac you have to right click on the Firefox application icon and select "Show Package Contents" then navigate to Contents/MacOS/searchplugins.
1224
+</p>
1225
+<p>
1226
+Another method is to simply use your  country code for accessing Google. This can be google.be, google.de, google.us and so on. You can also set your language by first selecting it in the Language Tools section, search for something simple. Then extract the language from the URL. In this example, we'll choose Hebrew:  <a>http://www.google.com/search?lr=lang_g'''iw</a>. Next, use that string in the url:  <a>http://google.com/intl/iw/</a>. This can obviously be set as your homepage or bookmarked if necessary. 
1227
+</pb>
1228
+
1167 1229
 <a id="GmailWarning"></a>
1168 1230
 <h3><a class="anchor" href="#GmailWarning">Gmail warns me that my
1169 1231
 account
... ...
@@ -1345,6 +1407,34 @@ and filename for your Tor log.
1345 1407
 
1346 1408
 <hr>
1347 1409
 
1410
+
1411
+<a id="LogLevel"></a>
1412
+<h3><a class="anchor" href="#LogLevel">What log level should I use?</a></h3>
1413
+
1414
+<p>
1415
+There are five log levels (also called "log severities") you might see in Tor's logs:
1416
+</p>
1417
+
1418
+<ul>
1419
+    <li>"err": something bad just happened, and we can't recover. Tor will exit.</li>
1420
+    <li>"warn": something bad happened, but we're still running. The bad thing might be a bug in the code, some other Tor process doing something unexpected, etc. The operator should examine the message and try to correct the problem.</li>
1421
+    <li>"notice": something the operator will want to know about.</li>
1422
+    <li>"info": something happened (maybe bad, maybe ok), but there's nothing you need to (or can) do about it.</li>
1423
+    <li>"debug": for everything louder than info. It is quite loud indeed.</li> 
1424
+</ul>
1425
+
1426
+<p>
1427
+Alas, some of the warn messages are hard for ordinary users to correct -- the developers are slowly making progress at making Tor automatically react correctly for each situation.
1428
+</p>
1429
+
1430
+<p>
1431
+We recommend running at the default, which is "notice". You will hear about important things, and you won't hear about unimportant things.
1432
+</p>
1433
+
1434
+<p>
1435
+Tor relays in particular should avoid logging at info or debug in normal operation, since they might end up recording sensitive information in their logs. 
1436
+</p>
1437
+
1348 1438
 <a id="DoesntWork"></a>
1349 1439
 <h3><a class="anchor" href="#DoesntWork">I installed Tor but it's not
1350 1440
 working.</a></h3>
... ...
@@ -1545,6 +1635,36 @@ use the ReachableAddresses config options, e.g.:
1545 1635
 
1546 1636
 <hr>
1547 1637
 
1638
+    <a id="ExitPorts"></a>
1639
+    <h3><a class="anchor" href="#ExitPorts">Is there a list of default exit ports?</a></h3>
1640
+    <p>
1641
+The default open ports are listed below but keep in mind that, any port or ports can be opened by the relay operator by configuring it in torrc or modifying the source code. But the default according to src/or/policies.c from the source code release tor-0.2.4.16-rc is: 
1642
+    </p>
1643
+    <pre>
1644
+  reject 0.0.0.0/8
1645
+  reject 169.254.0.0/16
1646
+  reject 127.0.0.0/8
1647
+  reject 192.168.0.0/16
1648
+  reject 10.0.0.0/8
1649
+  reject 172.16.0.0/12
1650
+  reject *:25
1651
+  reject *:119
1652
+  reject *:135-139
1653
+  reject *:445
1654
+  reject *:563
1655
+  reject *:1214
1656
+  reject *:4661-4666
1657
+  reject *:6346-6429
1658
+  reject *:6699
1659
+  reject *:6881-6999
1660
+  accept *:*
1661
+    </pre>
1662
+    <p>
1663
+    A relay will block access to its own IP address, as well local network IP addresses. A relay always blocks itself by default. This prevents Tor users from accidentally accessing any of the exit operator's local services. 
1664
+    </p>
1665
+
1666
+    <hr>
1667
+
1548 1668
     <a id="RelayFlexible"></a>
1549 1669
     <h3><a class="anchor" href="#RelayFlexible">How stable does my relay
1550 1670
 need to be?</a></h3>
... ...
@@ -1597,7 +1717,7 @@ too.
1597 1717
 
1598 1718
     <hr>
1599 1719
 
1600
-    <a id="RunARelayBut"></a>
1720
+       <a id="RunARelayBut"></a>
1601 1721
     <a id="ExitPolicies"></a>
1602 1722
     <h3><a class="anchor" href="#ExitPolicies">I'd run a relay, but I
1603 1723
 don't want to deal with abuse issues.</a></h3>
... ...
@@ -1655,6 +1775,45 @@ users
1655 1775
 
1656 1776
     <hr>
1657 1777
 
1778
+    <a id="DifferentComputer"></a>
1779
+    <h3><a class="anchor" href="#DifferentComputer">I want to run my Tor client on a different computer than my applications.</a></h3>
1780
+    <p>
1781
+    By default, your Tor client only listens for applications that connect from localhost. Connections from other computers are refused. If you want to torify applications on different computers than the Tor client, you should edit your torrc to define SocksListenAddress 0.0.0.0 g and then restart (or hup) Tor. If you want to get more advanced, you can configure your Tor client on a firewall to bind to your internal IP but not your external IP.  
1782
+    </p>
1783
+
1784
+    <hr>
1785
+
1786
+    <a id="ServerClient"></a>
1787
+    <h3><a class="anchor" href="#ServerClient">Can I install Tor on a central server, and have my clients connect to it?</a></h3>
1788
+    <p>
1789
+     Yes. Tor can be configured as a client or a relay on another machine, and allow other machines to be able to connect to it for anonymity. This is most useful in an environment where many computers want a gateway of anonymity to the rest of the world. However, be forwarned that with this configuration, anyone within your private network (existing between you and the Tor client/relay) can see what traffic you are sending in clear text. The anonymity doesn't start until you get to the Tor relay. Because of this, if you are the controller of your domain and you know everything's locked down, you will be OK, but this configuration may not be suitable for large private networks where security is key all around.
1790
+    </p>
1791
+    <p>
1792
+Configuration is simple, editing your torrc file's SocksListenAddress according to the following examples:
1793
+    </p>
1794
+    <pre>
1795
+  SocksListenAddress 127.0.0.1 #This provides local interface access only, needs SocksPort to be greater than 0
1796
+  SocksListenAddress 192.168.x.x:9100 #This provides access to Tor on a specified interface
1797
+  SocksListenAddress 0.0.0.0:9100 #Accept from all interfaces
1798
+    </pre>
1799
+    <p>
1800
+You can state multiple listen addresses, in the case that you are part of several networks or subnets.
1801
+    </p>
1802
+    <pre>
1803
+  SocksListenAddress 192.168.x.x:9100 #eth0
1804
+  SocksListenAddress 10.x.x.x:9100 #eth1
1805
+    </pre>
1806
+    <p>
1807
+After this, your clients on their respective networks/subnets would specify a socks proxy with the address and port you specified SocksListenAddress to be. 
1808
+    </p>
1809
+    <p>
1810
+Please note that the SocksPort configuration option gives the port ONLY for localhost (127.0.0.1). When setting up your SocksListenAddress(es), you need to give the port with the address, as shown above.
1811
+    <p>
1812
+If you are interested in forcing all outgoing data through the central Tor client/relay, instead of the server only being an optional proxy, you may find the program iptables (for *nix) useful. 
1813
+    </p>
1814
+
1815
+    <hr>
1816
+
1658 1817
     <a id="RelayOrBridge"></a>
1659 1818
     <h3><a class="anchor" href="#RelayOrBridge">Should I be a normal
1660 1819
 relay or bridge relay?</a></h3>
... ...
@@ -1771,13 +1930,11 @@ html">release
1771 1930
 use
1772 1931
     this feature.</li>
1773 1932
 
1774
-    <li>If you're running on Solaris, Tor is probably
1775
-    forking separate processes for each CPUWorker rather
1776
-    than using threads. Try explicitly configuring Tor with
1777
-    <tt>--enable-threads</tt>, but be ready for the lockups some
1778
-    people reported back in 2005. Also consider running your relay on <a
1779
-    href="https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#WhydoesntmyWindowsorotherOSTorrelayrunwell">an
1780
-    operating system where Tor works better</a>.</li>
1933
+    <li>If you're running on Solaris, OpenBSD, NetBSD, or
1934
+    old FreeBSD, Tor is probably forking separate processes
1935
+    rather than using threads. Consider switching to a <a
1936
+    href="<wikifaq>#WhydoesntmyWindowsorotherOSTorrelayrunwell">better
1937
+    operating system</a>.</li>
1781 1938
 
1782 1939
     <li>If you still can't handle the memory load, consider reducing the
1783 1940
     amount of bandwidth your relay advertises. Advertising less
... ...
@@ -2014,6 +2171,37 @@ we move to a "directory guard" design as well.
2014 2171
 
2015 2172
     <hr>
2016 2173
 
2174
+    <a id="ChangePaths"></a>
2175
+    <h3><a class="anchor" href="#ChangePaths">How often does Tor change its paths?</a></h3>
2176
+    <p>
2177
+     Tor will reuse the same circuit for new TCP streams for 10 minutes, as long as the circuit is working fine. (If the circuit fails, Tor will switch to a new circuit immediately.)
2178
+    </p>
2179
+    <p>
2180
+But note that a single TCP stream (e.g. a long IRC connection) will stay on the same circuit forever -- we don't rotate individual streams from one circuit to the next. Otherwise an adversary with a partial view of the network would be given many chances over time to link you to your destination, rather than just one chance.
2181
+    </p>
2182
+
2183
+    <a id="OutboundConnections"></a>
2184
+    <h3><a class="anchor" href="#OutboundConnections">Why does netstat show these outbound connections?</a></h3>
2185
+    <p>
2186
+    Because that's how Tor works. It holds open a handful of connections so there will be one available when you need one. 
2187
+    </p>
2188
+
2189
+    <hr>
2190
+
2191
+    <a id="CellSize"></a>
2192
+    <h3><a class="anchor" href="#CellSize">Tor uses hundreds of bytes for every IRC line. I can't afford that!</a></h3>
2193
+    <p>
2194
+     Tor sends data in chunks of 512 bytes (called "cells"), to make it harder for intermediaries to guess exactly how many bytes you're communicating at each step. This is unlikely to change in the near future -- if this increased bandwidth use is prohibitive for you, I'm afraid Tor is not useful for you right now.
2195
+    </p>
2196
+    <p>
2197
+The actual content of these fixed size cells is <a href="https://gitweb.torproject.org/torspec.git/blob/HEAD:/tor-spec.txt">documented in the main Tor spec</a>, section 3.
2198
+    </p>
2199
+    <p>
2200
+We have been considering one day adding two classes of cells -- maybe a 64 byte cell and a 1024 byte cell. This would allow less overhead for interactive streams while still allowing good throughput for bulk streams. But since we want to do a lot of work on quality-of-service and better queuing approaches first, you shouldn't expect this change anytime soon (if ever). However if you are keen, there are a couple of <a href="https://www.torproject.org/getinvolved/volunteer.html.en#Research">research ideas</a> that may involve changing the cell size. 
2201
+    </p>
2202
+
2203
+    <hr>
2204
+
2017 2205
     <a id="EverybodyARelay"></a>
2018 2206
     <h3><a class="anchor" href="#EverybodyARelay">You should make every
2019 2207
 Tor user be a relay.</a></h3>
... ...
@@ -2058,9 +2246,7 @@ though:
2058 2246
     <p>
2059 2247
     First, we need to make Tor stable as a relay on all common
2060 2248
     operating systems. The main remaining platform is Windows,
2061
-    and we're mostly there. See Section 4.1 of <a
2062
-
2063
-href="https://www.torproject.org/press/2008-12-19-roadmap-press-release"
2249
+    and we're mostly there. See Section 4.1 of <a href="https://www.torproject.org/press/2008-12-19-roadmap-press-release"
2064 2250
 >our
2065 2251
     development roadmap</a>.
2066 2252
     </p>
... ...
@@ -2231,6 +2417,100 @@ spend rethinking their overall approach to privacy and anonymity.
2231 2417
 
2232 2418
     <hr>
2233 2419
 
2420
+<a id="ChoosePathLength"></a>
2421
+<h3><a class="anchor" href="#ChoosePathLength">You should let people choose their path length.</a></h3>
2422
+<p>
2423
+ Right now the path length is hard-coded at 3 plus the number of nodes in your path that are sensitive. That is, in normal cases it's 3, but for example if you're accessing a hidden service or a ".exit" address it could be 4.
2424
+</p>
2425
+<p>
2426
+ We don't want to encourage people to use paths longer than this -- it increases load on the network without (as far as we can tell) providing any more security. Remember that <a href="https://svn.torproject.org/svn/tor/trunk/doc/design-paper/tor-design.html#subsec:threat-model">the best way to attack Tor is to attack the endpoints and ignore the middle of the path</a>.
2427
+</p>
2428
+<p>
2429
+ And we don't want to encourage people to use paths of length 1 either. Currently there is no reason to suspect that investigating a single relay will yield user-destination pairs, but if many people are using only a single hop, we make it more likely that attackers will seize or break into relays in hopes of tracing users.
2430
+</p>
2431
+<p>
2432
+ Now, there is a good argument for making the number of hops in a path unpredictable. For example, somebody who happens to control the last two hops in your path still doesn't know who you are, but they know for sure which entry node you used. Choosing path length from, say, a geometric distribution will turn this into a statistical attack, which seems to be an improvement. On the other hand, a longer path length is bad for usability. We're not sure of the right trade-offs here. Please write a research paper that tells us what to do. 
2433
+</p>
2434
+
2435
+    <hr>
2436
+
2437
+<a id="SplitEachConnection"></a>
2438
+    <h3><a class="anchor" href="#SplitEachConnection">You should split each connection over many paths.</a></h3>
2439
+
2440
+    <p>
2441
+ We don't currently think this is a good idea. You see, the attacks we're worried about are at the endpoints: the adversary watches Alice (or the first hop in the path) and Bob (or the last hop in the path) and learns that they are communicating.
2442
+    </p>
2443
+    <p>
2444
+If we make the assumption that timing attacks work well on even a few packets end-to-end, then having *more* possible ways for the adversary to observe the connection seems to hurt anonymity, not help it.
2445
+    </p>
2446
+    <p>
2447
+Now, it's possible that we could make ourselves more resistant to end-to-end attacks with a little bit of padding and by making each circuit send and receive a fixed number of cells. This approach is more well-understood in the context of high-latency systems. See e.g. <a href="http://freehaven.net/anonbib/#pet05-serjantov">Message Splitting Against the Partial Adversary by Andrei Serjantov and Steven J. Murdoch</a>.
2448
+    </p>
2449
+    <p>
2450
+But since we don't currently understand what network and padding parameters, if any, could provide increased end-to-end security, our current strategy is to minimize the number of places that the adversary could possibly see.
2451
+    </p>
2452
+
2453
+    <hr>
2454
+
2455
+    <a id="UnallocatedNetBlocks"></a>
2456
+    <h3><a class="anchor" href="#UnallocatedNetBlocks">Your default exit policy should block unallocated net blocks too.</a></h3>
2457
+
2458
+    <p>
2459
+ No, it shouldn't. The default exit policy blocks certain private net blocks, like 10.0.0.0/8, because they might actively be in use by Tor relays and we don't want to cause any surprises by bridging to internal networks. Some overzealous firewall configs suggest that you also block all the parts of the Internet that IANA has not currently allocated. First, this turns into a problem for them when those addresses *are* allocated. Second, why should we default-reject something that might one day be useful?
2460
+    </p>
2461
+    <p>
2462
+Tor's default exit policy is chosen to be flexible and useful in the future: we allow everything except the specific addresses and ports that we anticipate will lead to problems. 
2463
+    </p>
2464
+
2465
+    <hr>
2466
+
2467
+    <a id="BlockWebsites"></a>
2468
+    <h3><a class="anchor" href="#BlockWebsites">Exit policies should be able to block websites, not just IP addresses.</a></h3>
2469
+
2470
+    <p>
2471
+ It would be nice to let relay operators say things like "reject www.slashdot.org" in their exit policies, rather than requiring them to learn all the IP address space that could be covered by the site (and then also blocking other sites at those IP addresses).
2472
+    </p>
2473
+    <p>
2474
+There are two problems, though. First, users could still get around these blocks. For example, they could request the IP address rather than the hostname when they exit from the Tor network. This means operators would still need to learn all the IP addresses for the destinations in question.
2475
+    </p>
2476
+    <p>
2477
+The second problem is that it would allow remote attackers to censor arbitrary sites. For example, if a Tor operator blocks www1.slashdot.org, and then some attacker poisons the Tor relay's DNS or otherwise changes that hostname to resolve to the IP address for a major news site, then suddenly that Tor relay is blocking the news site. 
2478
+    </p>
2479
+
2480
+    <hr>
2481
+
2482
+    <a id="BlockContent"></a>
2483
+    <h3><a class="anchor" href="#BlockContent">You should change Tor to prevent users from posting certain content.</a></h3>
2484
+
2485
+    <p> Tor only transports data, it does not inspect the contents of the connections which are sent over it. In general it's a very hard problem for a computer to determine what is objectionable content with good true positive/false positive rates and we are not interested in addressing this problem.
2486
+    </p>
2487
+    <p>
2488
+Further, and more importantly, which definition of "certain content" could we use? Every choice would lead to a quagmire of conflicting personal morals. The only solution is to have no opinion. 
2489
+    </p>
2490
+
2491
+    <hr>
2492
+
2493
+    <a id="IPv6"></a>
2494
+    <h3><a class="anchor" href="#IPv6">Tor should support IPv6.</a></h3>
2495
+
2496
+    <p>
2497
+     That's a great idea! There are two aspects for IPv6 support that Tor needs. First, Tor needs to support exit to hosts that only have IPv6 addresses. Second, Tor needs to support Tor relays that only have IPv6 addresses.
2498
+    </p>
2499
+    <p>
2500
+The first is far easier: the protocol changes are relatively simple and isolated. It would be like another kind of exit policy.
2501
+    </p>
2502
+    <p>
2503
+The second is a little harder: right now, we assume that (mostly) every Tor relay can connect to every other. This has problems of its own, and adding IPv6-address-only relays adds problems too: it means that only relays with IPv6 abilities can connect to IPv6-address-only relays. This makes it possible for the attacker to make some inferences about client paths that it would not be able to make otherwise.
2504
+    </p>
2505
+    <p>
2506
+There is an  IPv6 exit proposal to address the first step for anonymous access to IPv6 resources on the Internet.
2507
+    </p>
2508
+    <p>
2509
+Full IPv6 support is definitely on our "someday" list; it will come along faster if somebody who wants it does some of the work.
2510
+    </p>
2511
+
2512
+    <hr>
2513
+
2234 2514
     <a id="Criminals"></a>
2235 2515
     <h3><a class="anchor" href="#Criminals">Doesn't Tor enable criminals
2236 2516
 to do bad things?</a></h3>