* Nick Mathewson <nickm@xxxxxxxxxxxxx> [060828 19:07]: > On Mon, Aug 28, 2006 at 09:34:38AM +0200, Christian Kellermann wrote: > > Hi, > > > > * Nick Mathewson <nickm@xxxxxxxxxxxxx> [060828 04:44]: > > > Another note: if people want to continue running these checks against > > > exits (and I hope you do!) I'd suggest you keep what, exactly, you're > > > checking for a secret until *after* you run each round of tests. Then > > > announce the results, release the source, and think of more stuff to > > > test for. Releasing the source will help other people check out > > > whether the network is behaving correctly, but keeping mum about what > > > you're checking for will keep dishonest/broken people from changing > > > their behavior before you can find them out. > > > > That security by obscurity approach won't work. If someone trys to > > attack the tor network we should assume that this person knows what > > he/she is doing. So keeping the test method a secret will hinder the > > good guys from making sure that this old attack does not persist any > > more. > [...] > > Errr. I'm afraid I can't agree here. The term "security through > obscurity" is generally reserved for attempts to keep a vulnerability > secret in hopes that attackers won't notice it. You are correct that > such approaches aren't stable, but that's not what I was advocating. > Oh, I've misunderstood your point then. Apologies for that. > Instead, I was suggesting that if you come up with a way to check for > a previously non-checked attack, it makes sense to run the scan before > you announce the scan. Otherwise, you're giving people notice that an > attack that they were (possibly) previously getting away will soon be > detected. Once you've got initial results, it makes more sense to > distribute the scanning code so others can improve it. I still don't see the difference of this approach compared to the usual implementation cycle with tor. Maybe there is none after all? As soon as you implement checks in tor, people will know what to look out for. I assumed that you indeed do some testing before incorporating such tests. In this thread's case, saying "I've found some way to detect man in the middle attacks" won't make an attacker more alert than a svn checkin message, would it? I am sure we both agree, that it is always better to test a method before publishing it, avoiding confusion about what is possible and what is just bla bla... Thanks for clearing things up, Christian -- You may use my gpg key for replies: pub 1024D/47F79788 2005/02/02 Christian Kellermann (C-Keen)
Attachment:
pgpdoBM9xOJVx.pgp
Description: PGP signature