
[tor-talk] [Freedombox-discuss] Tor



----- Forwarded message from Tim Retout <diocles@xxxxxxxxxx> -----

Date: Sun, 06 Oct 2013 23:20:42 +0100
From: Tim Retout <diocles@xxxxxxxxxx>
To: freedombox-discuss <freedombox-discuss@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: [Freedombox-discuss] Tor
Message-ID: <1381098042.12011.36.camel@air>
X-Mailer: Evolution 3.8.5-2

Hi all,

I have been thinking about Tor some more, especially in light of
Friday's story:

http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption

My impression is that Tor itself comes out reasonably well from what we
know, but governments will try to exploit any browser vulnerabilities,
and are running their own Tor nodes.

I still believe it's not a good idea to be routing unencrypted traffic
through Tor, and you need to be checking the certificates for the
encrypted traffic.  Browser plugins are risky too.

I'm also worried about DNS.  In order to properly anonymize your web
browsing, all DNS requests need to go through Tor - but right now most
sites don't use DNSSEC afaik, so are vulnerable to a MITM attack at that
level.

By the way, this page explains why you shouldn't run DNS for non-Tor
browsing over TorDNS:

https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver

With all the above, I think we are a long way from being able to provide
safe web browsing over Tor to non-technical users.  At least, not
without getting them to use a separate browser (probably TBB).

However, I do like the idea of running a Tor relay (not an exit node) by
default on Freedombox.  Just don't use it for web browsing!  SSH and
SSL-encrypted IRC are possible uses - do the DNS lookups over Tor, and
check the identity of the other end properly.

HTTPS could work, but the DNS requests (and any plain HTTP resources
required) would have to go over non-Tor anyway, so I doubt there's much
point from an anonymity point of view.

-- 
Tim Retout <diocles@xxxxxxxxxx>





----- End forwarded message -----
-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5