On 05/10/13 16:17, Ximin Luo wrote:
> Likely because other non-Tor-specific attacks (staining, pwning) that are 
> mentioned, are way easier.
>
> They are probably working on it, though. Data centre in Utah, anyone?
>
> On 05/10/13 07:20, Jack Singleton wrote:
>> Interesting that there is no mention of timing attacks...
>>
>> You would think with the amount of monitoring they are doing that it would
>> be fairly simple to correlate traffic being sent to Tor nodes with traffic
>> leaving exit nodes.
>>
>>
>> On Fri, Oct 4, 2013 at 1:34 PM, Ian Clarke <i...@freenetproject.org> wrote:
>>
>>> This is very interesting:
>>>
>>>
>>> http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity
>>>
>>> Looks like it's not an attack on Tor itself, rather they identify Tor users
>>> (which Tor isn't designed to prevent AFAIK), and then do a MITM on the
>>> connection between Tor and the web to insert some code that exploits a
>>> vulnerability that (until recently) was distributed as part of the Tor
>>> bundle.
>>>
>>> Seems like, even though this Firefox vulnerability has been fixed, that they
>>> probably have a library of other ones to choose from.
>>>
>>> Ian.

Right. They may well have attacks on the Tor network itself but 99% of
the time they don't need to use them. This is the "high value attacks"
vs "low value attacks" thing.

This also justifies our policy of blocking all JavaScript by default (as
most but not all browser exploits involve JS), although it's not so much
a policy as a technical limitation due to not providing our own browser...

By the same argument, just because they have lots of ways to crack SSL
(crack the server to get the privkey, use a bogus CA, etc), doesn't
necessarily mean they don't have the technical capability to factor
1024-bit RSA/DSA (as has been widely believed since a paper in 2003 on
how to build hardware to do this). It's just a matter of the cost of the
attack (still probably largish for factoring DSA) and the secrecy value
of that capability.

For the record, I am 100% confident that the NSA can crack opennet
Freenet with only minimal effort, and I'd be amazed if they didn't have
tools already to do that. Darknet Freenet is obviously more costly, but
it doesn't really exist right now.

--
This message signed using yet another key (on my laptop at Cambridge). I
have pushed a signature on the key to keyservers.

_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl