lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 28 Oct 2011 12:19:29 -0400
From: Valdis.Kletnieks@...edu
To: literalka@...a.eu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Tor anonymizing network Compromised by French
	researchers

On Fri, 28 Oct 2011 07:36:32 MDT, Leon Kaiser said:

> Bravo! A completely impartial source.

Did you actually *read* the posting?  There's certainlly someting fishy about
the French results - they found 6,000 relays and 181 bridges, when the actual
number is closer to 2,500 relays and 600 bridges.  (Given that the current list
of relays is public info, the blog posting *is* right - any claim the French
had a complete *and accurate* idea of the topology is suspect, and being that
wrong about the numbers is just sad).

I'll note that Phobos was apparently  as surprised by the "1/3 of relays are
vulnerable" claim as I was....

Also, note that the Tor people have a history of being *very* up front about
security problems - if you read the *very next* posting on that blog:

https://blog.torproject.org/blog/tor-02234-released-security-patches

Somebody else *did* find a hole (believed to be different than whatever the
French guys are claiming) - and they came out and admitted there was a hole and
released a patch.  Oh, and they even point at several other known issues
that somebody ambitious could do some research on. ;)

And if I'm reading the French paper right, it basically boils down to "If you
pwn a significant fraction of the relays, you can compromise the network",
which was a long-known result - the security of Tor is based on the assumption
that you can't pwn 40% or 50% of 2,500 nodes in multiple organizations without
*anybody* noticing the attacks and raising the alarm.

OK. Maybe they *are* less than completely impartial.  But who you gonna believe,
the guys who wrote it and tell you what the already-known weaknesses are, or
some researchers who can't even get the count of relays anywhere *close* 
when there's a totally public list of relays available? ;)


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ