by mirimir 2326 days ago
As long as you're anonymous enough about it, I don't see why running your own [private bridge] is any less anonymous than using an unpublished bridge, or a snowflake proxy.

An adversary with lots of intercepts could certainly figure it out. But otherwise, how would anyone know?

And at least, it protects you from malicious guards.

Also, your point about violating a residential ISP's ToS is troubling. Because nobody in their right mind ought to be running any sort of Tor relay from home. It's a ~sure way to get your IP address on many blocklists.

And about getting notices, that only happens for exit relays. Not for guards and middle relays.

Edit: Actually, I meant running your own unpublished bridge, not guard. In the bridge torrc:

   ExitRelay 0
   BridgeRelay 1
   BridgeDistribution none
   PublishServerDescriptor 0

And in the client torrc:

   UseBridges 1
   UpdateBridgesFromAuthority 0
   Bridge [transport] IP:ORPort [fingerprint]

3 comments
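A small checker for the two torrc fragments in the post above, added here as an example and not part of mirimir's comment or of Tor's own tooling. It parses torrc option lines and reports any of the listed bridge-side or client-side settings that are missing or set to a different value, and checks that each Bridge line has the `[transport] IP:ORPort [fingerprint]` shape. The sample torrc text, the 203.0.113.10 address and the all-zero fingerprint are constructed placeholders.

```python
"""Check a bridge torrc and a client torrc for the unpublished-bridge
settings quoted in the thread. Added example; sample configs are constructed."""

import re

# Bridge-side settings from the post: no exiting, act as a bridge, do not
# hand the bridge to BridgeDB, do not publish a descriptor.
BRIDGE_EXPECTED = {
    "ExitRelay": "0",
    "BridgeRelay": "1",
    "BridgeDistribution": "none",
    "PublishServerDescriptor": "0",
}

# Client-side settings from the post (plus at least one Bridge line).
CLIENT_EXPECTED = {
    "UseBridges": "1",
    "UpdateBridgesFromAuthority": "0",
}

# Bridge line: optional transport name, IP:port, optional 40-hex fingerprint,
# then optional key=value arguments (e.g. obfs4 cert= / iat-mode=).
BRIDGE_LINE_RE = re.compile(
    r"^(?:(?P<transport>[A-Za-z0-9_]+)\s+)?"
    r"(?P<addr>\[?[0-9A-Fa-f.:]+\]?:\d{1,5})"
    r"(?:\s+(?P<fp>[0-9A-Fa-f]{40}))?"
    r"(?P<args>(?:\s+\S+=\S*)*)$"
)


def parse_torrc(text):
    """Map lower-cased option name -> list of values in file order.
    Lines whose first non-blank character is '#' and blank lines are skipped;
    torrc option names are case-insensitive, so keys are lower-cased."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(key, []).append(value)
    return options


def _check_expected(opts, expected):
    """Compare the last occurrence of each expected option (last one wins in
    torrc) against the wanted value; return a list of findings."""
    findings = []
    for key, want in expected.items():
        got = opts.get(key.lower())
        if got is None:
            findings.append(f"{key} missing (want {want})")
        elif got[-1].lower() != want.lower():
            findings.append(f"{key} is {got[-1]!r}, want {want!r}")
    return findings


def check_bridge_torrc(text):
    """Findings for the bridge side; an empty list means every setting is present."""
    return _check_expected(parse_torrc(text), BRIDGE_EXPECTED)


def check_client_torrc(text):
    """Findings for the client side, including the shape of each Bridge line."""
    opts = parse_torrc(text)
    findings = _check_expected(opts, CLIENT_EXPECTED)
    bridges = opts.get("bridge", [])
    if not bridges:
        findings.append("no Bridge line; client has nothing to connect to")
    for b in bridges:
        if not BRIDGE_LINE_RE.match(b):
            findings.append(f"Bridge line not in '[transport] IP:ORPort [fingerprint]' form: {b!r}")
    return findings


# Constructed sample configs (not real hosts; fingerprint is a placeholder).
SAMPLE_BRIDGE_TORRC = """\
# constructed sample: unpublished bridge
ExitRelay 0
BridgeRelay 1
BridgeDistribution none
PublishServerDescriptor 0
ORPort 9001
"""

SAMPLE_BRIDGE_TORRC_BAD = """\
# constructed sample: descriptor publication and distribution not suppressed
ExitRelay 0
BridgeRelay 1
ORPort 9001
"""

SAMPLE_CLIENT_TORRC = """\
# constructed sample client config; address and fingerprint are placeholders
UseBridges 1
UpdateBridgesFromAuthority 0
Bridge 203.0.113.10:9001 0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for name, fn, cfg in [("bridge", check_bridge_torrc, SAMPLE_BRIDGE_TORRC),
                          ("bridge-bad", check_bridge_torrc, SAMPLE_BRIDGE_TORRC_BAD),
                          ("client", check_client_torrc, SAMPLE_CLIENT_TORRC)]:
        print(name, fn(cfg) or "ok")
```

Run it against a real torrc by reading the file into `check_bridge_torrc` or `check_client_torrc`; the checker only looks at the options named in the post, so a clean result means those settings are present, not that the rest of the file is sensible.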

A malicious guard is just a malicious node. It can also be used as some other hop, or there can be non-malicious nodes without a guard flag. I think there has been at least one publication taking a closer look at what malicious middle nodes can do.

I'm not familiar with bridges or the snowflake proxy but I think this would work:

Public bridges are public so no one cares about those. Now you run your own private bridge. First of all, running your own leads directly back to you. Second, it puts you on the list of even more paranoid people. Since you know and connect to that private bridge one can assume you trust that bridge for whatever reason which indicates some kind of "personal" relationship to that bridge.

The private bridge now connects to the second hop. This is a malicious one. The operator sees an IP which does not come from an official relay in the consensus. I don't know if a node knows he is in the middle (at least a guard and exit must know they are at the beginning and end of a chain, I guess?), but if he does he would now know that a private bridge is connecting to it. So you could enumerate private bridges.

If someone runs dozens of nodes, which is actually happening, this looks like a viable option. Correct me if I'm wrong.

Good questions :)

> First of all running your own leads directly back to you. Second it puts you on the list of even more paranoid people.

It doesn't point to "me", at least in meatspace or even as Mirimir. It points to some anonymous persona, created specifically for that purpose. On its own Whonix instance, through its own nested VPN chain, and using its own multiply mixed Bitcoin. All totally disposable.

And to be clear, I'd use a different anonymous persona for the onion service itself, created specifically for that purpose. With all the features described above.

> Since you know and connect to that private bridge one can assume you trust that bridge for whatever reason which indicates some kind of "personal" relationship to that bridge.

There are numerous private bridges, and many of them have only a few users. Perhaps even just one user.

> The private bridge now connects to the second hop. This is a malicious one. The operator sees an IP which does not come from an official relay in the consensus. I don't know if a node knows he is in the middle (at least a guard and exit must know they are at the beginning and end of a chain, I guess?), but if he does he would now know that a private bridge is connecting to it. So you could enumerate private bridges.

Sure. Authoritarian regimes do that all the time.

But here's the thing. My Tor client will still only use that bridge. So it can't be tricked into using a malicious bridge. And I can change private bridges frequently, if I like. It's not at all hard to configure them.

First: If you're going to do that, then why bother with Tor? Just get a couple of private cloud boxes and make your own VPN. (You'll be just as secure. Which isn't as secure as Tor, but it's better than nothing.)

Second: "An adversary with lots of intercepts could certainly figure it out." Exactly. If you use Tor properly, then nation-states with virtually infinite resources can't figure it out. (That's why some countries block Tor; if you can't crack it, then block it.) But if you run your own guard, relay, rendezvous, or exit node -- and you're the only person who uses it -- then an adversary with lots of intercepts could certainly figure out who you are.

I bother with Tor because it's this onion routing network that's pretty large and well used. And maybe even ~secure and ~uncompromised, but counting on that is iffy.

I mistakenly said "running your own guard". What I meant was "running your own bridge". But in practice, that's basically the same.

But it's disingenuous to claim that even using a private guard (which isn't possible, as far as I know) is "just as secure" as a private VPN. Because there are still two other relays in its circuits to introduction and rendezvous points.

It is less anonymous, I admit, but it's also less vulnerable to malicious guards. And from what I'm aware of, malicious guards have deanonymized far more users and onion servers than traffic correlation attacks have.

> If you use Tor properly, then nation-states with virtually infinite resources can't figure it out.

That's just plain wrong. Even the Tor Project admits that.

But in any case, I'd never count on servers remaining uncompromised. I'm very careful to avoid associations with them.

Edit: Here's a little thing that I sometimes do, if I really want to obscure an SSH login or whatever.[0] Basically, I can do a Tor plus VPN based version of the old telnet login chaining thing.

0) https://www.ivpn.net/privacy-guides/onion-ssh-hosts-for-logi...

> But it's disingenuous to claim that even using a private guard (which isn't possible, as far as I know)

I have been thinking about this for a while, too. There is some Tor fork which allows non-exit nodes to exit. It was posted on tor-talk a while ago. For a private guard you would need to change the local consensus file and include the private guard. Then you would also need to control the next hop so it recognizes your guard as first hop and connects you to the third hop. I don't see why this won't work in principle.

Huh. That is an interesting idea.

So you could have Tor exits that aren't published.

That would get around the CAPTCHA plague for Tor users.

Another option that I've considered is IPv6. Relays with both IPv4 and IPv6 must publish their IPv4, in order to get OKed for use. But as far as I know, there's no reason why they couldn't preferentially push exit traffic through IPv6. And indeed, use a different IPv6 address for each circuit.

If you have a way to run a server anonymously, then you could just use that instead of Tor.

Tor protects the server.

Paying and managing is separate. And yes, also uses Tor, plus nested VPN chains.