Wikipedia Manifesto
Geoffrey Goodell
goodell at cassandra.eecs.harvard.edu
Tue Jan 25 18:38:57 UTC 2005
If Wikipedia wants to block Tor, then Wikipedia should go right ahead
and do so.
Wikipedia uses the popular but outmoded strategy of allowing anyone to
wreak havoc on its resources, relying upon backups to recover content
and audit trails based upon IP addresses to deter potential vandals and
force Internet Service Providers to issue smackdown when necessary.
The age in which IP addresses can be used as meaningful authenticators
is doomed; the age in which authentication must be based upon end-to-end
agreement is upon us.
IP addresses were never intended to be used for anything other than
routing. But, as Stewart Brand might say, systems generally adapt to
the convenience of their users. People discovered that in many cases,
the remote IP address of connections corresponded to either a specific
user or a specific administrative realm who could reasonably be relied
upon to take responsibility for the user. Since the Internet is mostly
hierarchical, both in terms of routing and in terms of addressing, this
strategy usually worked without too much collateral damage, hence
technologies like rlogin, hosts.equiv, content filters in the middle of
the network, IP blacklists, abuse at domainname addresses, etc.
However, IP addresses are only about routing. The fact that routing
address is often tightly correlated with identity means that most of the
time, addresses can be used to associate specific individuals with
specific behavior. Most of the time, network-layer middleboxes that
perform content filtering work. Most of the time, three-way handshakes
seem to do the right thing. In an overly emotional and highly zealous
defense of the vast multitude of easily implemented systems that rely
upon IP addresses as makeshift authenticators, some individuals and
groups have raised objection to the idea that we should only be able to
treat IP addresses as simple instructions to routers indicating the link
upon which to forward a packet.
Ultimately, the designers of such systems have conveniently ignored the
fact that given three nodes {A, B, C}, if A can talk to B and B can talk
to C, then B can talk to C on behalf of A. This is the salient
characteristic of a Proxy. Network protocols are not about Internet
links between well-specified computers; network protocols are about
channels between communicating parties, who may not be particular
computers and may not be computers at all. Generally speaking, there is
no way for a party to differentiate between a particular partner in
communication and a proxy.
We can rely upon the cryptographic assumptions that suggest that using
all of the computers in the world and any computation techniques known
to humankind, the likelihood of breaking strong encryption within the
next million years is infinitessimal. We can rely upon conventions,
such as the proper use of private keys and end-to-end cryptography, to
provide some measure of authentication. Nevertheless, there will always
be some people who deliberately or accidentally disclose their private
keys; there will always be some cellular telephones that have the
service provider perform the SSL handshake. Note that the cryptographic
assumptions are qualitatively weaker than the assumptions necessary to
support the effectiveness of memory-bounded functions or other
computational payment techniques as a means of authenticating that a
particular party made a particular commitment of resources. In light of
our knowledge of Proxies, such techniques are heuristics at best and
perhaps even ludicrous in many of the cases for which they have been
proposed.
Tor (and Blossom, for that matter) do not introduce Proxies to the
world. Proxies already exist. Tor provides a means by which the use of
proxies can be organized and standardized in a manner that provides some
anonymity benefits. Organizations such as Wikipedia that desire to
believe that ours is a world without Proxies cannot rest in the comfort
of their misguided assumptions. They can deliberately implement
blacklisting to create a standoff, which may certainly promote their
objectives in the interim, but ultimately the problems created by
Proxies are not about to disappear. We need only consider the vast
literature describing widespread system compromise and techniques IRC
network operators and mailhub administrators are using to fight what is
ultimately a rising tide.
It is not possible for Tor or any other system to solve the problems
associated with abuse by Proxy. In order for rightfully concerned
organizations to attain the protection that they desire, they must
implement registration systems that associate behavior with real users,
in a manner that does not rely upon routing information. For those who
argue that this inevitability will lead to the de-anonymization of the
Internet, consider that some services are rightfully anonymous and
others are not. Most uses of IRC were never intended to be anonymous.
Some are, and those uses will continue to exist. Communication between
clients and brokers shall require registration. Simple web browsing
shall not.
Individual users have suffered greatly at the hands of those who use
routing information to discern information about their identities. All
sorts of organizations, from advertising agencies to governments to
terrorist organizations, have access to information that simply is none
of their business. Tor seeks to bring the world one step closer to
ending misuse of routing information.
Geoff Goodell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20050125/128f9d13/attachment.pgp>
More information about the tor-talk
mailing list