Hi all, I have been thinking about Tor some more, especially in light of Friday's story:
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption My impression is that Tor itself comes out reasonably well from what we know, but governments will try to exploit any browser vulnerabilities, and are running their own Tor nodes. I still believe it's not a good idea to be routing unencrypted traffic through Tor, and you need to be checking the certificates for the encrypted traffic. Browser plugins are risky too. I'm also worried about DNS. In order to properly anonymize your web browsing, all DNS requests need to go through Tor - but right now most sites don't use DNSSEC afaik, so are vulnerable to a MITM attack at that level. By the way, this page explains why you shouldn't run DNS for non-Tor browsing over TorDNS: https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver With all the above, I think we are a long way from being able to provide safe web browsing over Tor to non-technical users. At least, not without getting them to use a separate browser (probably TBB). However, I do like the idea of running a Tor relay (not an exit node) by default on Freedombox. Just don't use it for web browsing! SSH and SSL-encrypted IRC are possible uses - do the DNS lookups over Tor, and check the identity of the other end properly. HTTPS could work, but the DNS requests (and any plain HTTP resources required) would have to go over non-Tor anyway, so I doubt there's much point from an anonymity point of view. -- Tim Retout <dioc...@debian.org>
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Freedombox-discuss mailing list Freedombox-discuss@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss