[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor browser can be fingerprinted

>>On Wed, 11 Sep 2013 12:50:41 -0400 (EDT)>>Marthin Miller <torproblem@xxxxxxx> wrote:>> Hi. The main problem for what you made public as Tor software is that>> it uses 1024bit RSA keys which can be cracked in a few hours and>> compromise Tor path. >Do you have a source for this claim? All I've seen is speculation about>what the NSA or GCHQ can possibly do.
>I believe this to be false currently.>(But that doesn't mean we shouldn't fix it, because it will become true>some time in the next few decades, and we don't know when that will be.>(Good thing we're fixing it.))
>Can you provide proof of this?>kthxnbai
>>The articles I've been reading about the NSA breaking encryption have>suggested that 1024bit encryption may be totally compromised, or>ineffective... but proof is hard to come by.

its not just a possibility, that's a fact! Adi shamir described how RSA 
cracking machine (TWIRL) works (that's old! today we have much faster hardwares as 
IBM modern chips do) but RSA is even worse when it comes to discrete logarithm problem 
(http://www.slideshare.net/astamos/bh-slides), this algorithm crack even large RSA keys 
by regular computers without spending lots of energy and money for chips, well individual 
researchers don't have it yet but its wise to assume the worse scenario happening in the 
worse agency in the world as they always surprise us not boring us. ECC solve this problem 
for now.i recommend to be more careful and add a post-quantum cipher (NTRU is patented but 
you can talk to inventors for a license as Tor is not a commercial software) for safety in 
the future (2020?...) to encrypt session keys multiple time (first by ECC then by NTRU).
the proof is our logic. using ECC and NTRU is not so hard, lets do that now instead of 
waiting for somebody officially tell us how they cracking weak RSA keys or 
strong ones...
to make sure cracking short RSA keys is not a possibility just contact greenwald 
(guardian reporter) and ask him how long it takes and how much it cost, he have the paper works.

>> Also if you let users choose how much security they want that's better>>(for example choose high padding and time delay on relays if security>>have more priority than speed)>Unfortunately, this one is more complex than you imply as well. Take a>look at "Anonymity Loves Company: Usability and the Network Effect">for much more discussion here:http://freehaven.net/anonbib/#usability:weis2006
>This is not so clear, but there's a ticket for it just the same, seehttps://trac.torproject.org/projects/tor/ticket/9387

that option slow down everything yes but it depend on our choice, better speed or better 
privacy? if there be an option to choose what we need (like freenet) every time we open the Tor
is much better. 
for example when somebody want to check out facebook he might choose low security high speed 
(three level of padding amount and time delay) but when they want to publish something secretly 
 then user looking for more security. current design is really dangerous as one 
bad relay can compromise the whole path, but with choosing third level of padding amount and 
time delay for packets, just one good relay on the path guaranty our safety. doing this is 
not very complex. when packet comes to relay after decryption just one flag header at the 
beginning of packet let it know add how much padding and after how much 
random delay send the packet to next relay. using third level of security will increase load 
on relay network ya (in the worst case adding double size padding to packet is fine so load become 2x time more on relays)) 
and decrease browsing speed for user much more (they can choose more speed if they need) 

>> but Tor browser have another big problem also>> which compromise user's anonymity (fixing it is very simple). i>> checked out http://browserspy.dk/screen.php from different machines>> running Tor. problem is screen resolution is kind of unique!
>Maybe still relevant,https://blog.torproject.org/blog/effs-panopticlick-and-torbutton

window size is really unique specially in resized virtual machines. lots of people don't know
about this window size problem! lets assign a uniform size to the Tor browser window
which popup automatically after connecting to network and warn users about how unique screen
size can be when they click on maximize button... because even if we use Tor browser 
carefully but other Tor users make mistake, still we're unique as others don't have my screen 
(default screen size is 1000x674 hmm?)

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to