[or-cvs] r21483: {projects} last cleanups for the first version based in part on karen's (projects/articles)
Roger Dingledine
arma at torproject.org
Sat Jan 23 21:22:43 UTC 2010
Author: arma
Date: 2010-01-23 21:22:42 +0000 (Sat, 23 Jan 2010)
New Revision: 21483
Modified:
projects/articles/circumvention-features.txt
Log:
last cleanups for the first version
based in part on karen's comments and in part on rereading
Modified: projects/articles/circumvention-features.txt
===================================================================
--- projects/articles/circumvention-features.txt 2010-01-23 15:35:54 UTC (rev 21482)
+++ projects/articles/circumvention-features.txt 2010-01-23 21:22:42 UTC (rev 21483)
@@ -62,7 +62,7 @@
2. Works in your country
The next question to consider is whether the tool operator artificially
-restricts which countries can use it. Several years ago, the commercial
+restricts which countries can use it. For several years, the commercial
Anonymizer.com made its service free to people in Iran. Thus connections
coming from Anonymizer's servers were either paying customers (mostly in
America) or people in Iran trying to get around their country's filters.
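Review bot: changing "Several years ago" to "For several years" turns a point in time into a duration; confirm the free offer to Iran actually ran for years before keeping that wording. The sentence that follows carries the security point of the paragraph and could state it outright: because the free tier was restricted to one country, merely connecting through Anonymizer sorted users into two recognizable groups, which is the anonymity cost of a country restriction.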
@@ -102,7 +102,7 @@
keep their network operational.
After asking about the long-term survival of the network, the next
-question is to ask about sustainability of the software itself. The same
+question to ask is about sustainability of the software itself. The same
three approaches apply here, but the examples change. While Tor's network
is operated by volunteers, Tor relies on sponsors (governments and NGOs)
to fund new features and software maintenance. Ultrareach and Freegate,
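Review bot: "the next question to ask is about sustainability of the software itself" is still awkward after the reordering; "the next question is the sustainability of the software itself" reads more naturally and parallels "the long-term survival of the network" in the preceding line.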
@@ -148,7 +148,8 @@
parts has turned out to be less safe than its designers thought.
Similarly, in the case of secret designs for circumvention tools,
the only groups examining the tool are its original developers and the
-attackers; the wider user and developer community is left out of the loop.
+attackers; other developers and users who could help to make it better
+and more sustainable are left out.
Ideas from one project could be reusable beyond that project's
lifetime. Too many circumvention tools keep their designs secret, hoping
@@ -172,10 +173,10 @@
is centralized or decentralized. If you have to put all your trust in
one entity, then the best you can hope for is "privacy by policy" --
meaning they have all your data and they promise not to look at it, lose
-it, sell it, or so on. The alternative is "privacy by design", a phrase
-popularized by the Ontario Privacy Commissioner -- meaning the design of
-the system itself ensures that users get their privacy. The openness of
-the design in turn lets everybody evaluate the level of privacy provided.
+it, or sell it. The alternative is what the Ontario Privacy Commissioner
+calls "privacy by design" -- meaning the design of the system itself
+ensures that users get their privacy. The openness of the design in turn
+lets everybody evaluate the level of privacy provided.
This concern isn't just theoretical. In early 2009 Hal Roberts from the
Berkman Center ran across a FAQ entry for a circumvention tool that
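Review bot: replacing "a phrase popularized by the Ontario Privacy Commissioner" with "what the Ontario Privacy Commissioner calls" loses a nuance: the Commissioner popularized the term rather than coining a private one, so the original attribution was the more precise. "ensures that users get their privacy" is also the weakest link in the contrast; the concrete version is that the operator never holds the data in the first place, so there is nothing to look at, lose or sell, which ties straight back to the "privacy by policy" list above it.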
@@ -184,34 +185,34 @@
of every request ever made through their system "because you never know
when you might want them."
-I've left out the names of the tools here because the point is not that
-some tool providers may have shared user data; the point is that any
-tool with a centralized trust architecture <i>could</i> share user data,
-now or in the future, and its users have no way to tell whether it's
-happening. Worse, even if the tool provider means well, the fact that
-all the data flows through a few servers creates an attractive target
-for other attackers to come snooping.
+I've left out the names of the tools here because the point is not
+that some tool providers may have shared user data; the point is that
+any tool with a centralized trust architecture <i>could</i> share user
+data, and its users have no way to tell whether it's happening. Worse,
+even if the tool provider means well, the fact that all the data flows
+through one location creates an attractive target for other attackers
+to come snooping.
-The next conclusion is that many of these tools see circumvention and user
-privacy as totally unrelated goals. This separation isn't necessarily
-bad, as long as you know what you're getting into -- for example, we
-hear from many people in censoring countries that just reading a news
-website isn't going to get you locked up. But as we've been learning in
-many other contexts over the past few years, large databases of personal
-information tend to end up more public than we'd like.
+Many of these tools see circumvention and user privacy as totally
+unrelated goals. This separation isn't necessarily bad, as long as you
+know what you're getting into -- for example, we hear from many people
+in censoring countries that just reading a news website isn't going to
+get you locked up. But as we've been learning in many other contexts
+over the past few years, large databases of personal information tend
+to end up more public than we'd like.
6. Keeps you safe from websites too
Privacy isn't only about whether the tool operator can log your
-requests. It's also about whether the websites you visit can recognize or
-track you. Circumvention tools have some level of built-in protection
-here, since using a proxy means the website doesn't see the user's
-connection directly. But remember the case of Yahoo turning over
-information about one of its Chinese webmail users. What if a blog
-aggregator wants to find out who's posting to a blog, or who added the
-latest comment, or what other websites a particular blogger reads?
+requests. It's also about whether the websites you visit can recognize
+or track you. Remember the case of Yahoo turning over information about
+one of its Chinese webmail users? What if a blog aggregator wants to
+find out who's posting to a blog, or who added the latest comment, or
+what other websites a particular blogger reads? Using a safer tool to
+reach the website means the website won't have as much to hand over.
-At one extreme are open proxies. They often pass along the address of
+Some circumvention tools are safer than others. At one extreme are open
+proxies. They often pass along the address of
the client with their web request, so it's easy for the website to learn
exactly where the request is coming from. At the other extreme are tools
like Tor that include client-side browser extensions to hide your browser
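Review bot: "through a few servers" was more accurate than the new "through one location": a centralized trust architecture may be spread over several machines and still be a single point of compromise, since the risk is concentration of data under one operator, not a physical location. Dropping "now or in the future" also loses the retention point that the quoted FAQ ("because you never know when you might want them") sets up, namely that logs collected today can be handed over later. Smaller items: the line "proxies. They often pass along the address of" is left as a short orphan after the reflow and should be rewrapped with the context that follows; and the deleted sentence about proxies giving "some level of built-in protection" was a useful counterweight, because the section now jumps from Yahoo to open proxies without saying why any proxy helps.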
@@ -230,16 +231,16 @@
each website and programs its central proxy to rewrite each page. Mostly
they do this rewriting not for privacy but to make sure all links on the
page lead back to their proxy service, but the result is that if they
-haven't manually vetted your destination site yet, it won't work for
+haven't manually vetted your destination site yet, it probably won't work for
you. As an example, they seem to be in a constant battle to keep up with
-Facebook's changing frontpage. Tor currently disables many sites that are
+Facebook's changing frontpage. Tor currently disables some content that is
probably safe in practice, because we haven't figured out a good interface
to let the user decide in an informed way. Still other tools just let
through any active content, meaning it's trivial to unmask their users.
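Review bot: "Tor currently disables some content" attributes the blocking to the wrong component; by the earlier line about "tools like Tor that include client-side browser extensions", it is the browser extension that disables active content, not the Tor network, and saying so avoids implying that the proxy itself filters pages. The softened "probably won't work" is the right hedge given "they seem to be in a constant battle" in the next sentence. Also, "Facebook's changing frontpage" is left as one word here while the later hunk under section 10 changes "frontpage" to "front page"; use one spelling.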
7. Doesn't promise to magically encrypt the entire Internet
-I should draw a distinction here between privacy and encryption. Most
+I should draw a distinction here between encryption and privacy. Most
circumvention tools (all but the really simple ones like open proxies)
encrypt the traffic between the user and the circumvention provider. They
need this encryption to avoid the keyword filtering done by such censors
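Review bot: the sentence "encrypt the traffic between the user and the circumvention provider" should say at once that this covers only the first hop, since the heading "Doesn't promise to magically encrypt the entire Internet" is exactly that caveat: beyond the provider the traffic is whatever the destination website offers, so a user reading an unencrypted site is still exposed past the provider. Swapping to "encryption and privacy" does match the order in which the paragraph then treats the two.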
@@ -317,13 +318,13 @@
First, which operating systems are supported? Psiphon wins here too
by not requiring any extra client software. Ultrareach and Freegate
are so specialized that they only work on Windows, whereas Tor and its
-accompanying software will build and run pretty much everywhere. Next,
+accompanying software can run pretty much everywhere. Next,
consider that client-side software can automatically handle failover
from one proxy to the next, so you don't need to manually type in a new
address if your current address disappears or gets blocked.
-The final question is whether the tool has a track record, or at least
-a convincing plan, for responding to blocking. For example, Ultrasurf
+Last, does the tool have a track record
+for responding to blocking? For example, Ultrasurf
and Freegate have a history of releasing quick updates when the current
version of their tool stops working. They have a lot of experience at
this particular cat-and-mouse game, so it's reasonable to assume they're
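Review bot: dropping "or at least a convincing plan" from the final question penalizes any tool that has not yet been blocked: a new tool cannot have a track record, and the original wording let readers judge its preparedness instead. Suggest "Last, does the tool have a track record, or at least a convincing plan, for responding to blocking?" The rewrap also leaves "Last, does the tool have a track record" and "for responding to blocking? For example, Ultrasurf" as two short lines; rewrap them with the context that follows. "can run pretty much everywhere" is a fair softening of "will build and run".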
@@ -340,7 +341,7 @@
10. Doesn't promote itself as a circumvention tool
Many circumvention tools launch with a huge media splash. The media loves
-this approach, and they end up with frontpage articles like "American
+this approach, and they end up with front page articles like "American
hackers declare war on China!" But while this attention helps attract
support (volunteers, profit, sponsors), the publicity also attracts the
attention of the censors.
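Review bot: this hunk splits "frontpage" into "front page", but the unchanged context in the section 6 hunk still reads "Facebook's changing frontpage"; apply the same spelling in both places (used as an adjective before "articles", "front-page articles" is the conventional form).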
@@ -363,7 +364,7 @@
and civil liberties tool rather than a circumvention tool. Alas, this
balancing act is tough to maintain in the face of increasing popularity.
-Conclusion
+Conclusion:
This article explains some of the issues you should consider when
evaluating the strengths and weaknesses of circumvention tools. I've
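Review bot: the added colon on "Conclusion:" matches "About Roger:" but none of the numbered headings ("10. Doesn't promote itself as a circumvention tool") end in one; settle on a single heading style for the article rather than mixing the two.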
@@ -379,7 +380,7 @@
countries. As long as many people in censored countries are saying "I'm so
glad my government keeps me safe on the Internet," the social challenges
are at least as important. But at the same time, there are people in
-all of these countries that want to learn and spread information online,
+all of these countries who want to learn and spread information online,
and a strong technical solution remains a critical piece of the puzzle.
About Roger: