[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: OSI 1-3 attack on Tor? in it.wikipedia



On Thu, February 14, 2008 08:42, anon ymous wrote:
> Well, that's all good and valid.
> But as an ISP controls all internet-access
> of the client, it can with little effort fake
> the tor-web+svn-server and some sites
> where tor-packages for distributions are hosted.
> (Unless they are signed like proper debian-packets
>  but then again, users often have missing keys and
>  thus ignore the warning. )
to made the attack effective, the isp should also mitm access to
https://www.torproject.org/ and changing both packages and signatures from
https://www.torproject.org/download.html.en

> Well, where did you get the client from?
> May that be "from the internet"?
The article talks about rerouting tor connections, not distributing a
trojaned tor package.
In the first case the (original) client is safe as keys are stored inside
it, in the latter where're not talking about tor. Once you trojaned a
program, any program, you haven't discovered any limits or
vulnerabilities: you've just INSERTED them.

It's funny, because this reminds me of some years ago: there was an
italian team which claims to have beaten any secure connections to home
banking sites and that https was dead. Guess how? with a trojan that
intercepts login/password. they surely got it right ;-)

It's stressed on the faq and every time you run your client: tor is not a
silver bullet for your privacy and anonymity, it has problems, but,
surely, this is not one of them.

ciao

-- 
Marco Bonetti
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My webstuff: http://sidbox.homelinux.org/

My GnuPG key id: 0x86A91047