Full Disclosure mailing list archives
Re: Compromise of Tor, anonymizing networks/utilities
From: "Fetch, Brandon" <bfetch () tpg com>
Date: Sat, 8 Dec 2007 17:32:37 -0500
However, the key point is to understand and maintain that anonymous does not imply or beget security nor vice versa. You can use Tor to make yourself "anonymous" to your destinations on the Internet. However, those requests are still submitted from the exit node in their standard format (HTTP for general browsing or SMTP for e-mail). It's this lack of "last mile" security that some will suggest using an encrypted proxy but that still may not resolve the issue of the requested destination not supporting a secure connection. Hiding behind/through Tor and an encrypted proxy just puts more layers of obfuscation into the mix but still doesn't provide any more security. Security through obscurity (anonymous) does not work and anonymous does not equal secure. Remember, there is no such thing as perfect security or anonymity.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Peter Besenbruch
Sent: Saturday, December 08, 2007 12:39 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Compromise of Tor,anonymizing networks/utilities

On Saturday 08 December 2007 05:58:51 gmaggro wrote:
> So I guess CIA -> CSIS, FBI -> RCMP, and NSA -> CSE/GCHQ/DSD/GCSB. The last bit being the standard bunch of Echelon sons-of-bitches. Those lads must have some fat pipes. Now are they hidden, or hidden in plain sight?

Not that fat, as Tor is usually quite slow.
> In any case, it is a certainty that some law enforcement agencies are running tor nodes; it has been spotted in actual use at many such locales. Tor might be a great idea but it is sadly lacking in many aspects of its implementation. Let us consider it a good first step, but now it's time to move on.
It would help if you were more specific here. Especially, could you flesh out what you mean by, "it is sadly lacking in many aspects of its implementation."
> From now on we should all operate under the assumption that every anonymizing network is rife with law enforcement infiltration.
The most useful node to compromise is the exit node, as that is the one frequently handling the DNS process, as well as the node actually making requests from the Web site in question. The exit node also knows which node just upstream it's talking to, but not any further upstream. In addition, it knows nothing about the original requester. I understand it's sometimes possible to backtrack painstakingly based on timings, but it would be easier if law enforcement had control of all nodes. As it is, law enforcement would have to deal with multiple nodes, spread over multiple, not always friendly jurisdictions.
> In fact, future designs should incorporate this infiltration into their development; there has got to be a way to use this against them.
Which is what TOR has done.
> Tactically, do folks think it would be better to withdraw from Tor use slowly whilst replacing the resulting traffic with filler to keep up appearances? Or ditch it wholesale in the hopes that larger and abrupt changes in usage will disrupt or confuse our friends with badges?
I think a better question would be: How does TOR compare with your bog standard anonymizing proxy server? To go further, how does TOR compare with a scheme like JAP combined with another anonymizing proxy.

I'll toss this out as something to think about: Perfect anonymity is like perfect security; with enough work both can be broken. The point is to make it hard to do.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/