[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <64069.1319818769@turing-police.cc.vt.edu>
Date: Fri, 28 Oct 2011 12:19:29 -0400
From: Valdis.Kletnieks@...edu
To: literalka@...a.eu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Tor anonymizing network Compromised by French
researchers
On Fri, 28 Oct 2011 07:36:32 MDT, Leon Kaiser said:
> Bravo! A completely impartial source.
Did you actually *read* the posting? There's certainlly someting fishy about
the French results - they found 6,000 relays and 181 bridges, when the actual
number is closer to 2,500 relays and 600 bridges. (Given that the current list
of relays is public info, the blog posting *is* right - any claim the French
had a complete *and accurate* idea of the topology is suspect, and being that
wrong about the numbers is just sad).
I'll note that Phobos was apparently as surprised by the "1/3 of relays are
vulnerable" claim as I was....
Also, note that the Tor people have a history of being *very* up front about
security problems - if you read the *very next* posting on that blog:
https://blog.torproject.org/blog/tor-02234-released-security-patches
Somebody else *did* find a hole (believed to be different than whatever the
French guys are claiming) - and they came out and admitted there was a hole and
released a patch. Oh, and they even point at several other known issues
that somebody ambitious could do some research on. ;)
And if I'm reading the French paper right, it basically boils down to "If you
pwn a significant fraction of the relays, you can compromise the network",
which was a long-known result - the security of Tor is based on the assumption
that you can't pwn 40% or 50% of 2,500 nodes in multiple organizations without
*anybody* noticing the attacks and raising the alarm.
OK. Maybe they *are* less than completely impartial. But who you gonna believe,
the guys who wrote it and tell you what the already-known weaknesses are, or
some researchers who can't even get the count of relays anywhere *close*
when there's a totally public list of relays available? ;)
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists