
Re: [tor-talk] security tradeoffs - was Tor and Financial Transparency



At 10:34 PM 8/30/2013 +0000, you wrote:
>On 08/30/2013 10:06 PM, Juan Garofalo wrote:
>
>> At 11:33 AM 8/30/2013 -0400, Paul S. wrote:
>
>SNIP
>
>>> See all the research on the issues, trade-offs, threats, designs,
>>> etc. that Tor Project Inc. employees, government employees, 
>>> university and corporate researchers, and lots of others have done 
>>> trying to design for a diverse userbase.
>>> www.freehaven.net/anonbib/ is a fine place to start. If you can
>>> come up with better designs, we would love to have them.
>
>SNIP
>
>> For what it's worth: trying to have a diverse and big user base, and
>> providing security for all users seems to be impossible. You either
>> provide relatively good security for a small number of sensitive
>> users, or relatively lax security for 'general' users.
>
>As I understand Tor, that's precisely what Tor doesn't do. Its goal is
>providing security through relatively-strong anonymity to all users.
>
>If, by "relatively lax security for 'general' users", you're referring
>to having NoScript configured by default to allow all sites, that's
>arguably the best option for most users.  


        That would be one example. Support for Flash videos (or not) is probably another example. Should people install add-ons they use in their non-Tor browser? etc.


>Any user can choose to block
>scripts by default on all sites, or allow on a per-site basis, trading
>off anonymity for protection against script-based exploits.


        ...which is not a choice the 'typical' user with basic knowledge of computers can make? Buffer overruns? What? 




>Also, any user who's that concerned about script-based exploits ought to
>be running the Tor client and their apps in separate machines, or at
>least in separate VMs. No?

        Perhaps. 

        But doesn't that contradict what you said at the beginning? 

        "[Tor's] goal is providing security through relatively-strong anonymity to all users."




>SNIP
>
>
>-- 
>tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>To unsubscribe or change other settings go to
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk 
