On Wed, Sep 07, 2011 at 07:21:21PM -0700, Indie Intel wrote:
> ``Moxie Marlinspike, probably the smartest guy in the world right now
>on SSL issues, did a study a few years ago on how many Tor users -- not
>even regular users, but Tor users, clearly concerned about their privacy
>and possessed with some advanced level of expertise -- would notice SSL
>being disabled and refuse to browse their desired content.

I'd like to argue with some of these clauses, actually. I agree that the
first several thousand Tor users were smart security-aware people. But
I believe the *next* several million users were not all smart security
people. Rather, they were folks who heard about how dangerous the
Internet is ("NSA wiretaps America", "large credit agency loses 30
million names/addresses/credit card numbers", etc), and tried to do
something about it.

So I don't expect your average Tor user to be any better at understanding
https than your average person using the Internet at Starbucks.

Depending on when these attacks were done, it's quite reasonable to
estimate that 1/3 or more of the Tor users at the time were in repressive
regimes where their main focus was to get to censored websites rather
than to protect themselves from some wiretapping adversary.

We've got an uphill battle in front of us, in terms of how to teach
everybody on the Internet what encryption is, what it's for, how to
know when your browser is or isn't doing it right, etc. Our cause is
made harder by the pervasive snakeoil VPN providers who undermine user
education by promising "100% encryption" when what they really mean is
"we will encrypt the traffic from you to us, and then we will datamine
the hell out of it once it gets to us".

As Andrew said, it's easy to make the news by putting "and we attacked
Tor!!" in your talk blurb. Tor is hot, so people notice. But let's not
let that distract us too much from the question of "how do we protect all
Internet users, including Tor users?" Pretending that all Tor users are
"possessed with some advanced level of expertise" isn't going to make
that task any easier.


