[tor-talk] Tor and HTTPS graphic

Number Six number6 at elitemail.org
Fri Mar 9 03:54:37 UTC 2012


On Tue, Mar 6, 2012, at 04:20 PM, Seth David Schoen wrote:
> andrew at torproject.is writes:
> 
> > The GPA is in every paper on the topic. But only Seth has the real
> > answer.
> 
> I was concerned that the graphic should not make people think that
> _no one_ can ever associate them with their browsing when they use
> Tor.  I've been taught to think of the GPA threat (and other traffic
> correlation threats) as real, so I thought people should have some
> indication of those threats.

Why do you assume that the NSA can break Tor but not HTTPS?

As I see it, if you extrapolate the timing attack literature to justify
ignoring fixing active attacks, why do you not extrapolate the work on
RSA key cracking to assume that the NSA can factor popular website keys
in bathtubs full of DNA?

Or, at the very least, why not extrapolate it to the NSA compromising
one of the 1000-some wildcard root certificates your own SSL Observatory
scan has detected?

This paywall (ie non-"dumpster available") abstract appears to indicate
that the research community is within striking distance of factoring an
RSA keys in use by many HTTPS servers today. At least, when compared to
how close timing attack research is to breaking Tor.
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1435370

I guess I'm just wondering: where do we draw the line?

In addition to the decentralized HTTPS certificate observatory, one
could imagine a network verifying the DH parameters are the same when
received by two endpoints of an HTTPS session. If perfect forward
secrecy is universally deployed, a bathtub full of DNA or server
compromise that yielded an RSA private key for google.com could be used
transparently to escape your decentralized observatory scan, but a
DH-recording scanning network will still see different DH parameters at
the endpoints.

But how do deploy such a network? Is planetlab up to the task? Is anyone
studying endpoint consensus on DH parameters? Shouldn't they be?

It seems like our rabbit hole is very deep. Do we really have what it
takes to watch the watchers?

I fucking hope so, but it does seem that consensus reality wrt
cryptographic security is hard to establish.

-- 
http://www.fastmail.fm - Access all of your messages and folders
                          wherever you are



More information about the tor-talk mailing list