[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Automatic vulnerability scanning of Tor Network?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
From: Robin Kipp <mlists@xxxxxxxxxxxxxx>
Date: Tue, 20 Dec 2011 20:14:08 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 20 Dec 2011 14:14:27 -0500
In-reply-to: <4EF0D586.7040305@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4EF04331.20708@xxxxxxxxxxxxxxx> <CAD8GWstvNas1A8oqPUmruHGFSHvPkGaER+3WdjHa910ZZoqC-w@xxxxxxxxxxxxxx> <4EF0D586.7040305@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

Hi there,
you know, I'm definitely not someone deeply involved in the Tor project, its development, maintenance and all that. However, from my experience, I've always thought that everyone donating a relay or exit node to the network is seen as "potentially helpful" and not as a "potential security risk". In essence, the idea you just proposed would completely turn this around. No, I honestly don't want some outside individual to audit my security. If I want my security to be audited, I'm gonna do that all by myself - both from outside and from inside of my network. Also, one thing that makes Tor so great is its decentralized infrastructure. Sure, there are some databases that contain the IPs of at least all exit nodes, but there's no central way of shutting them down. So, what you want to do is to gather info on security vulnerabilities for all Tor nodes, and then store them in some kind of CENTRAL database, which would have to be inaccessible to the public (thus taking away any kind
of transparency). Now, imagine that central database gets hacked and the sec assessments become accessible to a party with a hostile view on the Tor network. That party could then go ahead and launch targeted attacks on all kinds of security holes found in all nodes, thus making it easy to take out probably a large fraction of the Tor network.
Look, go ahead, take that idea and throw it in the trash. Even better, flush it down the toilet - because, to be honest, I think that even if you recycle that stuff, nothing good is ever gonna come out.
Robin
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Fabio Pietrosanti (naif)
- Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Lee
- Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Fabio Pietrosanti (naif)

Prev by Author: Re: [tor-talk] problem with blutmagie network status site after upgrading to tor-0.2.3.10-alpha
Next by Author: Re: [tor-talk] How important is it that the MyFamily option be set correctly?
Previous by thread: Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
Next by thread: Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
Index(es):
- Author
- Thread