dslcerize
join:2005-09-22
FRANCE
| reply to jp10558
Re: Anonymnity: Introduction To The Tor Network
said by jp10558  :You do check the cert details right? :-P
Of course! |
|
jp10558
Premium
join:2005-06-24
Willseyville, NY
| reply to dslcerize
said by dslcerize :jp10558: Ok, so it really is that simple. Now, a spoofed page on an unencrypted conversation I can live with, but one on an encrypted conversation I can't. Is it possible to spoof eg. an SSL page without it being revealed through a certificate mismatch, as Novaflare seemed to be claiming? Not as far as I know. I mean, they could try the traditional spoofing techniques - getting a domain that looks similar to the original one - trying to get a cert signed by verisign or whoever that is close, but they won't be able to have the real cert/domain.
You do check the cert details right?
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 2.7;Proxomitron 4.5j Grypen 8/28/05(Opera mod),GPG ID:0x0A1C6EE3 |
|
dslcerize
join:2005-09-22
FRANCE
| reply to jp10558
jp10558: Ok, so it really is that simple. Now, a spoofed page on an unencrypted conversation I can live with, but one on an encrypted conversation I can't. Is it possible to spoof eg. an SSL page without it being revealed through a certificate mismatch, as Novaflare seemed to be claiming?
wormie: yes, that article was good; in fact, it was where I heard about Tor in the first place! |
|
wormie
join:2000-11-19
Lowell, MA
| reply to Daniel
Roughly on topic, there's a decent column on Securityfocus about anonymity that mentions Tor and addresses some of the bigger issues concerning anonymity. Worth reading for the curious.
--
What Would Jim Jones Do? |
|
jp10558
Premium
join:2005-06-24
Willseyville, NY
| reply to dslcerize
said by dslcerize :Lastly, people have said that you wouldn't want to use Tor for everything. Could somebody explain why? Well, for all of the reasons above, mostly because of the performance hit using TOR - your browsing will be noticably slower, and you might be more likely to get a spoofed page.
It's a math problem - does the need for anonyminity outweigh the issues raised in this thread?
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 2.7;Proxomitron 4.5j Grypen 8/28/05(Opera mod),GPG ID:0x0A1C6EE3 |
|
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: 
| reply to dslcerize
said by dslcerize :Does my logic up to this point make sense? Am I understanding Tor correctly?! Absolutely. I think you're one of the few who do actually get it. Great post.
--
grepunderstanding.com -- grep understanding knowledge |
|
dslcerize
join:2005-09-22
FRANCE
4 edits | reply to Daniel
Hi,
I'm a complete novice at this kind of stuff, but I've read some documentation on the Web, read and digested this thread, and I would be grateful if someone could read my thoughts below and inform me if I am correct in my thinking! I know this thread ended a while ago, but the reason I post here is because there are clearly some people who know what they are talking about on this thread, and put their point across clearly, and so I would be happy if they in particular could help 
My thoughts:
There are two kinds of anonymity: hiding your identity (IP address) from the person (machine) you are contacting, and hiding it from eavesdroppers. Tor appears to be able to do both, but the fact that there is a distinction between these two things appears to have been implicit but unspoken in some of the posts in this thread, and overlooked in some of the others.
Using Tor prevents eavesdroppers /and/ the recipient from seeing that a conversation started with me. So long as I don't make my identity known in other ways, I am anonymous in both senses.
Tor is the same sort of thing as a chain of (perhaps paid-for) anonymous proxies. The (only?) important difference is that you should probably distrust the first proxy in the latter case(*) but not with Tor, whereas you /must/ distrust the end node when using Tor but perhaps not in the latter case.
(*)There really do seem to be grounds for not trusting the first proxy of a "conventional" anonymous chain, even if it is a paid-for service which has a vested interest in keeping your identity hidden. This is because of data retention laws etc. etc.
On the other hand, I do not see a problem with distrusting the end node as long as you are not passing unencrypted private data out of it. (Without encryption, the content of your conversation is wide open by default. If you want to hide the content, you must use some extra approach such as encryption (perhaps using GnuPG?). But this is true of conventional anonymous proxy chains, too.)
There have been several statements in this thread along the lines of "you wouldn't use Tor to contact your bank, because what's the point of being anonymous when you have to identify yourself the bank at the end anyway". It seems to me that this is confusing the two types of anonymity I set out above. Perhaps the reason I wish to use Tor is not that I don't want the bank to know who I am (which would indeed be silly) but that I don't want my ISP or any other eavesdropper to know that I use that bank. When you replace "bank" with something more controversial, the importance of anonymity towards eavesdroppers increases. Being anonymous to the recipient may or may not be desirable, but it's a different issue. Note that the untrusted end node is not a problem in this scenario so long as you are encrypting your conversation (eg through SSL).
Next, there are sites that I might wish to use, where I don't care about encrypting my conversation (and where encryption is not possible, such as accessing certain websites which do not support encrypted conversations). But even here, it doesn't matter that I don't trust the end node. If someone intercepts my conversation at the untrusted node, well who cares, they don't know it was me in that conversation anyway. All that matters is that eavesdroppers cannot see that I am reading such a website.
Does my logic up to this point make sense? Am I understanding Tor correctly?!
What worries me about what I've read is the point that Novaflare was trying to make (I think! That guy's a salutary lesson in the importance of good schooling...  . What if the untrusted end node could change the content being sent back to me? I don't know anything about whether or not this is possible. It appears that the untrusted node couldn't fake an SSL conversation, because the certificate would no longer match. (But then Novaflare talked about caching or something, so is there a problem here? No-one actually answered this question directly.)
But it certainly seems that the untrusted node could fake an /unencrypted/ conversation, and so the golden rule would be never part with private information in an unencrypted manner. But then this is a golden rule on the Internet anyway and, as was said many times, that is not a "flaw" in Tor, because Tor doesn't claim to be an encryption mechanism, it is purely an anonymiser!
What Novaflare was trying to say seems to boil down to this: people should be /even more/ wary of parting with personal data over an unencrypted channel if using Tor, because it is easier to turn a Tor node evil than to turn a "normal" Internet node evil. This makes sense to me.
Lastly, people have said that you wouldn't want to use Tor for everything. Could somebody explain why?
Thanks for reading all this!
A. |
|
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
| reply to wormie
said by wormie :As for anonymity itself, I'm not convinced that 10 hops is better than 3 hops, so long as the protocol is implemented in a way that prevents a node from seeing anyone except its immediate predecessor. True, but assuming the number of Tor servers goes up by 10000% and the number of malicious Tor servers goes up by only 500%, then we lower the chances significantly that an exit node is going to be a malicious host and/or that large portions of the network can be compromised en masse.
It's true that three nodes is enough to hide a source if the systems is working the way it should, but the higher the number of legitimate vs. malicious ones on the network, the more integrity the network has as a whole. It seems to me that a superior ratio of benign vs. malicious hosts would help most, if not all, of the issues that have been raised by detractors in this thread.
--
dmiessler.com - grep understanding knowledge |
|
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
| reply to wormie
said by wormie :On a different note, it's very odd to me that a program as simple as Tor could produce a thread such as this. Anonymity seems to bring out surprisingly strong feelings. It seems that the longer the paper, the fewer people who read it, but then post on it. It makes for a longer thread due to arguing points that aren't related to the paper.
--
"I can't stand the package managers that come with Linux. RPM, Portage, and the rest don't even let you build from source. The ports collection was all I needed." - Some FreeBSD jackass |
|
wormie
join:2000-11-19
Lowell, MA
| reply to Daniel
said by Daniel :Once the network is more stable and has more nodes, you'll be able to say use 5 hops or 10 hops, etc. That will help the issues raised tremendously. I'm not so sure that's true.
The issues raised by the paranoiacs are that node operators can grab your info (assuming you're unencrypted of course). More hops = more evil node operators. Those who mistake anonymity for encryption will just see this as a sign of more potential breaches of security. They're missing the point, of course
As for anonymity itself, I'm not convinced that 10 hops is better than 3 hops, so long as the protocol is implemented in a way that prevents a node from seeing anyone except its immediate predecessor. More hops = more latency = fewer users. About all it gains you is that hopefully at least one node of the 10 doesn't retain its logs, but really nobody running a Tor server should be doing that anyway. Otherwise it's theoretically possible to backtrack all the way to the source, defeating the whole point of the network.
On a different note, it's very odd to me that a program as simple as Tor could produce a thread such as this. Anonymity seems to bring out surprisingly strong feelings.
--
What Would Jim Jones Do? |
|
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
| reply to ghost16825
said by ghost16825 :said by jshfld :As far as I can see the biggest hurdle for Tor achieving this potential is, contrary to what some have suggested, massive numbers of servers. Spot on. The Tor website has said words to this effect ss well. The more servers, the higher anonymity for Tor users. Yep. And not only that but the project is soon going to support using a higher number of hops. Once the network is more stable and has more nodes, you'll be able to say use 5 hops or 10 hops, etc. That will help the issues raised tremendously.
--
dmiessler.com - grep understanding knowledge |
|
ghost16825
Use security metrics
Premium
join:2003-08-26
| reply to jshfld
said by jshfld :As far as I can see the biggest hurdle for Tor achieving this potential is, contrary to what some have suggested, massive numbers of servers. Spot on. The Tor website has said words to this effect ss well. The more servers, the higher anonymity for Tor users.
--
Admin of the Kerio 2x-like open source project:
http://sourceforge.net/projects/kerio/
http://kerio.sourceforge.net/
|
|
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: | reply to Daniel
Excellent points. Why are so many of the smart ones from Canada? |
|
jshfld
join:2005-08-06
Dundas, ON
clubs:
| reply to Daniel
Having read the entire thread it seems to me like Tor in conjunction with SSL has the potential to create a truly private internet experience. However, Tor is currently still in its infancy (what do you think a 0.1.x release from M$ would look like?  ) and as such is not to be used for any mission critical tasks. The argument that anonymity hasn't historically been a right is bogus. Anonymity is a form of privacy in that it is my right to prevent you from knowing that I am meeting with someone. In the physical world I can use various means to ensure that I am not being followed before meeting with someone and tor allows me to do something roughly analogous in the digital world.
As far as I can see the biggest hurdle for Tor achieving this potential is, contrary to what some have suggested, massive numbers of servers. Any government, criminal group or ISP that sets up a tor server is doing the services users a favour since I really don't care if they capture a copy of my bits because I'm operating under the assumption that my bits will be intercepted by someone (ISP's already can and do look at the bits I send over their network) and I am going to apply a level of encryption that reflects the degree to which I wish to keep the information in those bits private. But, each additional server makes it more difficult for people who wish to ban the service from doing so and simultaneously increases the flexibility of the network (with a sufficiently large network the network could support a user configurable number of hops and customizable geographic filters making it possible to increase or reduce the level of privacy your location enjoys).
As far as the claim that tor is unable to cope with a global adversary I think that in a fully deployed form it would quite literally have to be a global adversary and even then there would need to be some independent means of focusing in on individuals to target. Consider:
100,000 tor servers around the world, 100,000,000 users and I'm using SSL (or better if I'm really worried) encryption, for anyone to have an inkling of what I'm doing (that is put together any two of who I am, what I'm doing, where I'm sending it, and why I'm doing it) would either require them to have a back door in the network (then they could get who and where) or have a means to brute force my encryption (giving them a 3/100000 chance to get my bits for every server they had).
The idea of a back door seems kinda like the idea that Armstrong stepped onto a Hollywood set rather than the moon (the US government was working on it for their own agents, the last thing they would've wanted would be one mole stealing the info on the back door and a month later losing every agent they had in the field).
In other words tor has a sound footing but is still years away from being ready for the Chinese defector, secret merger negotiation, or just the user who isn't willing to take a performance hit to protect their location.
P.S.: The login form on the paypal homepage is SSL, unlike the rest of the homepage, so the idea that using paypal with tor is dangerous is nonsense. Although it begs the question: why do you want to hide your ip address from a company that has your credit card number and physical address? |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire | reply to Daniel
Is the flaw in the protocol used or in how it is used?
Cudni |
|
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: | reply to Daniel
That's definitely an issue, but it's an implementation problem, not one of design.
--
dmiessler.com - grep understanding knowledge |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| reply to Daniel
from
»www.securityfocus.com/bid/14659/discuss
"...
This vulnerability allows attackers to gain access to the negotiated keys used to encrypt the communications between Tor servers and clients. This allows attackers to read or modify all the traffic that is sent from the targeted user over the Tor network. The anonymity, confidentiality, and integrity guarantees of the network are lost through the exploitation of this issue. ..."
Cudni
--
What is now proved was once only imagined.Help yourself so God can help you |
|
jig
join:2001-01-05
Hacienda Heights, CA
| reply to BeesTea
said by BeesTea :The idea being that a man in the middle cannot determine where the source of the packet is. as long as the man in the middle isn't an entire dummy tor network itself. but i guess deception on that scale is a 'global adversary'.
is the performance of tor good enough to watch streaming video? |
|
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
2 edits | reply to Wildcatboy
said by Wildcatboy :Now about this: said by Daniel :Remember, the only purpose of this project is anonymity -- nothing else. Even if the data is read on the exit node, the original source of the request is still hidden -- hence the anonymity. I disagree. A proxy server's job is to keep users anonymous. Once you try to set yourself apart from the average proxy servers and add encryption to the process, you're indicating a desire to keep things secure as well and you now have an obligation to make sure it will work. I disagree.
The encryption is not for confidentiality -- it's for anonymnity. It's so that the nodes on the Tor network only see last and next hops rather than the original destination hidden within. This is not to protect the data itself -- it's to protect the true source and destination. The project recommends that you use something like SSL if you want confidentiality.
EDIT: Oops, BeesTea got there first...
--
dmiessler.com - grep understanding knowledge |
|
