lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 8 Dec 2007 17:32:37 -0500 From: "Fetch, Brandon" <bfetch@....com> To: "Peter Besenbruch" <prb@...a.net>, <full-disclosure@...ts.grok.org.uk> Subject: Re: Compromise of Tor, anonymizing networks/utilities However, the key point is to understand and maintain that anonymous does not imply or beget security nor vice versa. You can use Tor to make yourself "anonymous" to your destinations on the Internet. However, those requests are still submitted from the exit node in their standard format (HTTP for general browsing or SMTP for e-mail). It's this lack of "last mile" security that some will suggest using an encrypted proxy but that still may not resolve the issue of the requested destination not supporting a secure connection. Hiding behind/through Tor and an encrypted proxy just puts more layers of obfuscation into the mix but still doesn't provide any more security. Security through obscurity (anonymous) does not work and anonymous does not equal secure. Remember, there is no such thing as perfect security or anonymity. -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Peter Besenbruch Sent: Saturday, December 08, 2007 12:39 PM To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Compromise of Tor,anonymizing networks/utilities On Saturday 08 December 2007 05:58:51 gmaggro wrote: > So I guess CIA -> CSIS, FBI -> RCMP, and NSA -> CSE/GCHQ/DSD/GCSB. The > last bit being the standard bunch of Echelon sons-of-bitches. Those lads > must have some fat pipes. Now are they hidden, or hidden in plain sight? Not that fat, as Tor is usually quite slow. > In any case, it is a certainty than that some law enforcement agencies > are running tor nodes; it has been spotted in actual use at many such > locales. Tor might a great idea but it is sadly lacking in many aspects > of its implementation. Let us consider it a good first step, but now > it's time to move on. It would help if you were more specific here. Especially, could you flesh out what you mean by, "it is sadly lacking in many aspects of its implementation." > >From now on we should all operate under the assumption that every > anonymizing network is rife with law enforcement infiltration. The most useful node to compromise is the exit node, as that is the one frequently handling the DNS process, as well as the node actually making requests from the Web site in question. The exit node also knows which node just upstream it's talking to, but not any further upstream. In addition, it knows nothing about the original requester. I understand it's sometimes possible to backtrack painstakingly based on timings, but it would be easier if law enforcement had control of all nodes. As it is, law enforcement would have to deal with multiple nodes, spread over multiple, not always friendly jurisdictions. > In fact, future designs should incorporate this infiltration into their > development; there has got to be a way to use this against them. Which is what TOR has done. > Tactically, do folks think it would be better to withdraw from Tor use > slowly whilst replacing the resulting traffic with filler to keep up > appearances? Or ditch it wholesale in the hopes that larger and abrupt > changes in usage will disrupt or confuse our friends with badges? I think a better question would be: How does TOR compare with your bog standard anonymizing proxy server? To go further, how does TOR compare with a scheme like JAP combined with another anonymizing proxy. I'll toss this out as something to think about: Perfect anonymity is like perfect security; with enough work both can be broken. The point is to make it hard to do. -- Hawaiian Astronomical Society: http://www.hawastsoc.org HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ This message is intended only for the person(s) to which it is addressed and may contain privileged, confidential and/or insider information. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Any disclosure, copying, distribution, or the taking of any action concerning the contents of this message and any attachment(s) by anyone other than the named recipient(s) is strictly prohibited. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists