Nick,

Let us say we did verify people within X miles of us... what would be the protocol? What keeps me from meeting the representative of an evil agent dressed as John Q Public?

Regards,
Arrakistor

Wednesday, August 16, 2006, 5:00:47 PM, you wrote:

> On Wed, Aug 16, 2006 at 08:59:12PM +0000, [EMAIL PROTECTED] wrote:
>>
>> On Wed, Aug 16, 2006 Nick Mathewson wrote:
> [...]
>> >It works. It just doesn't mean what you thought.
>>
>> You obviously didn't read Arrakistor 16 August 2006 00:44 Tor bug?:
>> AllowInvalidNodes
>>
>> who wrote
>>
>> "Roger, Nick, et al,
>>
>> Tor *.23
>>
>> AllowInvalidNodes seems to be having a problem. We've tried a few versions,
>> including the deprecated AllowUnverifiedNodes to no avail. However the
>> exit node of the circuit is still often invalid according to
>> http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1

> See Roger's message, which you quote below:
> > The exit.pl script that Geoff wrote and runs on Serifos uses the
> > phrase "not a valid Tor server" to mean "not a Tor server as far
> > as I know".

> This is the serifos script that Roger is talking about. It lists IP
> addresses as "invalid" if they are not the IP of a tor server it
> knows. Some "valid" (according to the directory authorities) Tor
> servers exit on IPs that are not the same as the IP they listen on.
> This means that the IP they exit on will not appear on serifos's list
> of valid nodes.

> [...]
>> >> Now I find out that it was never intended to work and that it was
>> >> never an "AllowUnverifiedNodes" replacement.
>> >
>> >Sure it was. "Unverified" and "Invalid" are the same concept:
>> >'attested to as likely to be okay by the directory server.' The only
>> >thing that has changed is the name.
>> >
>>
>> Did you read Roger Dingledine 16 Aug 2006 13:42:17 -0400 Re: Tor bug?:
>> AllowInvalidNodes
>>
>> who wrote (short version):
>>
>> "The fundamental confusion here is that the word 'invalid' means many
>> things to many people, but it means pretty much nothing to Tor. The
>> exit.pl script that Geoff wrote and runs on Serifos uses the phrase "not
>> a valid Tor server" to mean "not a Tor server as far as I know". The
>> word "valid" with respect to the AllowInvalidNodes config option is
>> simply defined as "not manually designed by the directory authorities
>> as invalid".
>>
>> "
>>
>> Are you arguing with this definition of INVALID as opposed to the
>> original "Unverified" definition? Or are you now informing us that
>> for some while now the term "unverified" has always been
>> meaningless? If so for how long has this been so?

> Hm? No, they both meant "attested to as likely to be ok". In the old
> days, directory authorities attested to servers as ok when their admins
> told them to, and the admins told them to as they got mail claiming to
> be from server admins. We thought that this was a bad idea and
> created a false sense of security. Now, directory authorities attest
> to servers as ok when the servers seem to be running, and the admins
> have not told them to consider the servers suspicious.

> The version 2 directory specification, which came into use during the Tor
> 0.1.1.x series, says:
>    "Valid" -- a router is 'Valid' if it seems to have been running
>    well for a while, and is running a version of Tor not known to be
>    broken, and the directory authority has not blacklisted it as
>    suspicious.

> [...]
>> >Because "Verified" was a stupid name. It implied that we had a good
>> >way to go out and tell whether a node's operator was honest, upright,
>> >and competent, and whether the node was physically secure and
>> >non-eavesdropped.
>> >
>> It implied you at least knew who they said they were (not that you
>> knew they were what they said).

> Though that's what it meant in practice, that's not the interpretation
> of "verified" that I'd have made. Moreover, it's not IMO a useful
> property to have. Knowing who the adversary claims to be is only
> effective against an adversary who can't or won't lie about who they
> are.

> [...]
>> >If you know a way to do this, please let us know. We're all ears.
>> >Please keep in mind that we haven't got much cash to do this with, and
>> >what cash we do have, we'd rather spend on rent and food and
>> >developing Tor.
>>
>> You poor penniless, overworked person. Why don't you ask all the
>> VERIFIED TOR operators to VERIFY the new TOR operators, within say
>> 50-100 miles (100-200 km) of them (or closest one).
>>
>> I'll do 100 mile radius (UK) of Portsmouth UK - but only if you "verify" me.

> It's not a bad idea. Time permitting, a web-of-trust kind of system
> might be neat to do. Of course, we'd need to think about what effect
> this will have on route-based partitioning, and on possibly
> discouraging operators from running servers if they need to meet other
> operators face-to-face to do so. And how hard is it really to foil a
> face-to-face meeting? These are neat questions.

> (Please forgive us if someday we eventually start doing this, and pick
> trust seeds in the UK from among people we already know and trust.
> I'm sure you would do the same.)

>> >[...]
>> >> If some "unverifiednode" exit server adversary has set themselves up
>> >> in business of monitoring TOR users then isn't it because
>> >> "AllowUnverifiedNodes" was removed (effectively).
>> >
>> >Right, you're confirming that we were right to change "Verified" to
>> >"Valid". Apparently, you *did* think that "verified" was a magical
>> >stamp of good intentions.
>> >
>> Well darling that is what it said... no?

> Sorry, I don't think it ever said it was a magical stamp of good
> intentions. If we said that, that was a stupid thing for us to say,
> and I'm glad we changed it.

>> >[...]
>> >> Personally, I think it's irrelevant today, that at one time persons
>> >> had to be known personally to run a verified server. Quaint but
>> >> irrelevant. But hey, I don't mind having someone round to my place
>> >> from the UK to verify me. Why not have 3 levels of security - level
>> >> 2 - Registered - just what we have now. Level 1 - Verified - visit
>> >> their setup. Level 3 - unregistered & unverified. And give us a
>> >> config statement to use these levels or not.
>> >
>> >Dude, we're not going to impose a worldwide server auditing system.
>> >We're not going to visit server operators' houses. Even if it did,
>> >what would it prove? Any organization could set up servers in a bunch
>> >of its members' houses. Are we supposed to do background checks?
>> >
>> Chikita, you really must put your thinking cap on and stop ignoring
>> the obvious. I said..

> ITYM "chiquita", but I am not a little girl.

>> Level 2 - registered - eg those that register their server name,
>> provide their real name and address. Do a web credit check - simple
>> and cheap. Get them to donate a COUPLE OF DOLLARS FOR THAT. Just
>> send them a registration code in the post to their credit card
>> address - the one they donated with and the address they gave for
>> it. Of course they can still forge this - but would they? With lots
>> of servers?
>>
>> Level 1 - verified - eg a visit from a VERIFIED operator after
>> provision (copies) of household bills, local tax statement, or
>> identification of company or org if an org, isp verification. Once
>> again, of course they can still forge this darling - but would they?
>> With lots of servers?
>>
>> You could even sub-level the Levels with a safety value.

> Wow. In my opinion, this would be tons of effort, would not pay for
> itself, would turn operators away, would create a risk of information
> leakage leading to identity theft, and would still be easy for
> governments and nefarious organizations to subvert. (Your security
> model above seems based on the idea that the attacker can do things,
> but wouldn't think it was worth the resources. I worry that the
> resource cost on server operators would also discourage them from
> running good nodes.)

> I realize that I could be wrong here; I'm just pointing out that this
> is not a trivial idea, and it's not an obviously unalloyed win.

>> >> On a related issue, I have attempted to the "ExcludeNodes" config
>> >> and it doesn't seem to work. I am sure that of the dozens of nodes
>> >> I've tried to exclude (and failed to exclude - test only) ALL of
>> >> them cannot be my "guard" nodes. Ok this might only be winOS,
>> >> perhaps everyone should check it out for themselves. Just to be
>> >> sure. I've noticed others have seen similar. Re-check.
>> >
>> >ExcludeNodes *is* supposed to work. If it doesn't, submit a bug
>> >report. Warning! You will need to describe *exactly* what you did,
>> >and *exactly* what Tor did in response. Logs will help. This is too
>> >hard for many people.
>>
>> Well hey thank you for the advice. Without Vidalia working on Win2k
>> I'm stuffed, but then you knew that didn't you.

> No, I'm afraid I didn't know that; I genuinely would like this feature
> to work. If Vidalia isn't working for you, you could possibly try
> editing your torrc? No pressure; I don't mean for this to be any kind
> of accusation or anything. Just... if you want us to fix something
> that seems to work for us, we need information on how it's broken.

>> >frustratedly yrs,
>>
>> I believe you. It's always frustrating when people start asking
>> questions about subjects you would really like swept under the
>> carpet and forgotten.
>>
>> Just remember to answer them with politeness and integrity. And you
>> won't go far wrong. If not you might be mistaken for a dictatorial
>> pleb with an axe to grind.

> My apologies for my unprovoked rudeness. I like to think of free
> software as a darwinian meritocracy rather than a dictatorship, and
> would certainly hope that if Roger and I do a bad job as developers,
> the community will realize this, try to talk us into doing something
> sensible, fork Tor if we don't, and stop us from harming the world any
> further.

> But seriously, we're trying to do our best here.

> yrs,

