following on from today's discussion
Roger Dingledine
arma at mit.edu
Fri Aug 18 21:47:03 UTC 2006
[Dropping the or-dev CC since this isn't related to Tor development]
On Fri, Aug 18, 2006 at 10:14:29PM +0100, Robert Hogan wrote:
> That aside, I think it has highlighted a security risk that Tor itself may be
> guilty of understating to new users, namely that using Tor exposes your
> traffic to a much higher likelihood of being eavesdropped than normal.
>
> For example, I am not a network admin by day so I do not have access to public
> internet traffic through legal means. Yet I am running a Tor exit server, so
> I can now legally (though unethically) listen to your internet traffic and
> harvest any passwords that go by.
Actually, look at
http://tor.eff.org/eff/tor-legal-faq.html.en#ExitSnooping

It is an open legal question -- that is, there's no clear precedent with
respect to Tor servers -- but it's probably not wise to just assume that
it's legal. Also, remember that there are many jurisdictions out there,
and they all have their own complex laws.
> I do not think the gravity of this trade-off by the tor user (security for
> anonymity) is adequately represented.
I agree. Somebody should write a clear introduction to Tor, what it does,
and what it doesn't do. One day that somebody will be me, but I would
welcome some early versions to help me along.
> Now that I see it for what it is, I am definitely going to introduce some sort
> of nag/warning to TorK so that the user is warned at least once that using
> plaintext protocols carrying authentication information on Tor carries a
> serious health warning.
>
> Am I overstating the case? Do others think that the nature of the compromise
> tor users make is transparent to them?
The reason I haven't emphasized the issue so far is that I think you're
overstating the protection ordinary users get from the Internet as it
is. For example, if you're on a local network with other users (often
including everybody in your neighborhood for cablemodem systems), you're
not in very good shape. Tor solves this issue, and for many users it's
a huge issue.

Then there's the question of the Internet infrastructure itself --
your Internet packets travel over a wide variety of places on the way
to their destination. Sometimes packets get mis-routed to, well, pretty
much anywhere. The chance that any hop along the way is able to observe
them -- for example because of a crooked employee, but also because some
Russian cracker 0wns a computer nearby in the path -- is hard to estimate
in general, but from studying botnets and dealing with net security for
the past decade or so, I don't feel it's as low as you imply.

All that said, I agree with you that most of the danger is probably at
the endpoints of the communication -- on the path from you to your entry
Tor node, and on the path from your exit node to your destination. Tor
solves the first issue and changes the second issue -- possibly for the
worse, depending on your situation.

So barring any actual data about the security of the Internet as a whole,
which seems hard to get, I still stick with my answer from
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers

If you're not using end-to-end encryption, then you're in bad shape,
whether you use Tor (and are exposed to one set of risks) or don't use
Tor (and are exposed to a different set of risks).
--Roger