Re: Torbutton Documentation - Adversary Capabilities. - fork: Normalization of XHR requests

[Paul Syverson <syverson@xxxxxxxxxxxxxxxx>]

On Thu, Jul 15, 2010 at 12:53:50AM +0100, Anon Mus wrote:
> Paul Syverson wrote:
>> On Tue, Jul 13, 2010 at 05:30:27PM +0100, Anon Mus wrote:
>>   
>>> Paul Syverson wrote:
>>>     
>> And just as there is no such thing as a secure system---only systems
>> secure against a given adversary conducting a given class of attack
>> provided that the implementation, deployment and environment satisfy
>> certain assumptions, so to there is no such thing as an anonymous
>> system. In that sense, the answer is no, "anonymous" should not mean
>> anonymous, or rather it depends what _you_ mean by anonymous and a
>> whole bunch of other things that must be stated.
>>
>>   
>
> Well if is your attitude,

This is not attitude; it's an explanation of science. It's how
'secure' is understood by anyone that I know who works on security
analysis and design from those who write the textbooks on computer
security to those who hack, from those who try to secure major defense
command and control systems to those who try to make secure web
browsers to protect consumers against phishing.

> then why have Tor in the first place?

To protect communication. And Tor does that pretty much better than
anything else available. (The professional philosopher in me feels
obligated to acknowledge that there are adversaries and contexts for
which other systems are more secure, but I believe that they are less
secure in ways that are significant and lack pathways to change that,
unlike Tor.)  And lots of us are working as hard as we can to make it
better still.

> Seems to me you need to pull over and let those who are interested
> in making Tor secure against Timing Attacks take the road. That way
> Tor will at least be on the road to more being more secure than it
> is now.
>

Tor is on the road to being more secure now. I have tried to point you
to the research in the area of timing attacks that is being done. I
reiterate that there is no evidence to date that the sorts of things
you are proposing actually work. That is not to say we shouldn't keep
looking at timing attack resistance as a research question. But it is
still very unproven research. I think I have taken this as far as
anyone, and it's still a long way from practical. But having worked on
it and many other aspects for a long time, there are many things that
can be and are being done---also research that will lead to
improvements IMO long before timing-attack countermeasures ever
produce anything but much larger overhead, much smaller anonymity sets
and thus worse anonymity (less entropy if you prefer). Why are you so
focused on timing attacks?  There's plenty of positive changes to work
on where the expected payoff is better.

> Why get up in the morning?
>

To make better Tor (amongst other things).

aloha,
paul
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/