Re: [Sks-devel] Tor hidden service - what's the rationale?

2015-11-13 Thread Christoph Anton Mitterer
On Sat, 2015-11-14 at 01:15 +0100, Hendrik Grewe wrote:
> I would imagine not leaving the tor network through an exit is the
> benefit.
And what should be the benefit of that?
If tor works right, there is none, if it doesn't there wouldn't be any
either, when you "not leave it" when you hit the hidden service.


> Why does facebook run a Hidden Service [0]?
Wild guess: Marketing & hype

Why do google/Yahoo/MS/whatsapp, etc. propagate their "cool" crypto
stuff, which is actually useless in the end?
People feel good.



> There were some thoughts one could create a profile by just looking at
> the metadata (from keyserver operator or eavesdropper on the line)
> while key-refresh request from a given peer. That's why tools like
> parcimonie [1a/b] were developed. Those use a new circuit for every
> single key-refresh.
I think there's a lot of difference between that, which works on the
client side, and what we'd need on the server side.
We share all keys, and every single update... this huge pile of data
flow possibly makes it way easier for an attacker... than the few 100
or perhaps 1000 keys a normal user may have.


Cheers,
Chris.

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] Tor hidden service - what's the rationale?

2015-11-13 Thread Daniel Kahn Gillmor
On Fri 2015-11-13 20:36:40 -0500, Alain Wolf wrote:
> On 14.11.2015 at 01:23, Christoph Anton Mitterer wrote:
>> On Sat, 2015-11-14 at 01:15 +0100, Hendrik Grewe wrote:
>>> I would imagine not leaving the tor network through an exit is the
>>> benefit.
>> And what should be the benefit of that?
> What is the benefit of leaving Tor?

There are definitely more benefits to operating a Tor "hidden service"
than server location privacy.

The Tor folks even acknowledge as much with their proposal for "direct
onion" services:

https://gitweb.torproject.org/user/special/torspec.git/tree/proposals/xxx-direct-onion.txt?h=xxx-direct-onion

For example, this allows the server operator to accept traffic that is
indistinguishable from Tor relay traffic.  It also allows end users to
look up the location of the service without using the DNS at all.

Those of us who have set up Tor hidden services are under no illusion
that we are some kind of superspooks or that this makes our users
magically invisible.  We're simply offering a service to eliminate one
more piece of visible metadata from the network for people who prefer to
minimize metadata.

Yes, there are more pieces of metadata that leak elsewhere.  Some of us
are actually working on those too.  That doesn't mean we shouldn't stop
the gaps we know how to stop.

--dkg



Re: [Sks-devel] Tor hidden service - what's the rationale?

2015-11-13 Thread Alain Wolf
On 14.11.2015 at 01:23, Christoph Anton Mitterer wrote:
> On Sat, 2015-11-14 at 01:15 +0100, Hendrik Grewe wrote:
>> I would imagine not leaving the tor network through an exit is the
>> benefit.
> And what should be the benefit of that?
What is the benefit of leaving Tor?
> If tor works right, there is none, if it doesn't there wouldn't be any
> either, when you "not leave it" when you hit the hidden service.
The benefit is, that no exit node and no one else on the Internet
(outside tor) can profile your communications habits and partners.
It's your address book which you send over there. I assume most clients
do that unencrypted (partly because of the manual steps needed to
install Kris' root cert for hkps).
As an agency, with this meta-data I won't even need your client IP. It's
worth a lot more.
We made good progress in encrypting mail-client-to-server connections in
the last years. We are still working, but slowly progressing on
server-to-server mail encryption. But people continue to happily send
their complete address-books over the net unencrypted through HKP.

And as you seem not to like HKPS either ...
> hkps is IMHO only little help there, especially as it has the big
> problem of the strict hierarchical trust... 
But now that you have been given the possibility of an encrypted
connection for your client, without hierarchy, but with the added
benefit of the client's IP anonymity, and yet you still complain.
What is it that you want?

> 
> 
>> Why does facebook run a Hidden Service [0]?
> Wild guess: Marketing & hype
All services I provide, public or private, or just personal, are also
reachable as Tor hidden services.
The time and cost I need to set up a hidden service is a fraction of
what I need for any conventional service, by adding a real IP, firewall
rules, DNS entries, TLS keys and certificates etc. etc.

As long as this is easier to set up, why make clients leave the Tor
network, if we both are already inside it?

> 
> Why do google/Yahoo/MS/whatsapp, etc. propagate their "cool" crypto
> stuff, which is actually useless in the end?
> People feel good.
> 
I know anybody could just smash the glass of any window to break into my
apartment.

Still I lock the front-door every morning when I leave my home.

Cheers
Alain




Re: [Sks-devel] Tor hidden service - what's the rationale?

2015-11-13 Thread Robert J. Hansen
> I'm not sure whether burn care would be really an issue for (most of)
> us... at least not as long as cryptography itself isn't made "illegal".
> Our services are typically not illegal or morally questionable...so
> even if "they" would come after you... well... so what?

The "so what?" is, if "they" come after you then you're no longer
anonymous.  Your anonymous server is no longer anonymous.  You need to
start over again in order to re-establish a new anonymous server.  And
that's burn care -- "how do I resume normal operations after I've been
burned?"



Re: [Sks-devel] Tor hidden service - what's the rationale?

2015-11-13 Thread Christoph Anton Mitterer
On Sat, 2015-11-14 at 02:36 +0100, Alain Wolf wrote:
> > And what should be the benefit of that?
> What is the benefit of leaving Tor?
Well you can't argue like that, can you? At least it alone wouldn't be
argument enough for me to set up such service.
Running additional code, here tor, always means additional risk for the
server operator. More code, more possible vulnerabilities.
And more important... it easily gives people a wrong sense of
security... "oh... that keyserver is a hidden tor service, so the bad
guys can't catch them and tamper with"

> > If tor works right, there is none, if it doesn't there wouldn't be any
> > either, when you "not leave it" when you hit the hidden service.
> The benefit is, that no exit node and no one else on the Internet
> (outside tor) can profile your communications habits and partners.
And, to my knowledge (though I must admit that I'm not a Tor theorist),
this is no difference to just the client running tor.
As a server operator, I still see some IP,... just that it's not an
exit node, but the last hop.

Or is there any statement from the Tor guys or any paper which shows
that tor gets more secure for the client, when there is no exiting?

The only thing I know would be the encryption, but that's not really
helpful for our usage scenario - the encryption that tor would have,
and that we wouldn't have between the exit node and the non-hidden
server, doesn't really give us anything, as there is already no trust
relationship between server and client.

> It's your address book which you send over there. I assume most clients
> do that unencrypted (partly because of the manual steps needed to
> install Kris' root cert for hkps).
Still, the hidden server doesn't prevent this... at least not more than
normal Tor would do it until there's another exit node chosen.
The only thing, AFAIU, that helps here is that the client rotates his
requests between many servers.


> We made good progress in encrypting mail-client-to-server connections in
> the last years. We are still working, but slowly progressing on
> server-to-server mail encryption. But people continue to happily send
> their complete address-books over the net unencrypted through HKP.
Valid point, but I don't see how Tor alone would solve this, and
especially not how hidden services improve that.


> And as you seem not to like HKPS either ...
> > hkps is IMHO only little help there, especially as it has the big
> > problem of the strict hierarchical trust... 
> But now that you have been given the possibility of an encrypted
> connection for your client, without hierarchy, but with the added
> benefit of the client's IP anonymity, and yet you still complain.
> What is it that you want?
The strict hierarchy of X509, which we have with hkps is only the tip
of the iceberg, as Kristian would be ultimately the one who's in
control (@Kristian, don't take that personally :) ... sure you're a
good guy, but in principle we must assume that each of us could be
evil).
What you apparently miss, is that the HKPS gives you no trust relation
to the server, at least nothing more than TOFU-like.
You know (more or less certain) that you connected to the same server
again,... great,... so what?
It doesn't even give you a small hint of identity of the operator
(Kristian doesn't verify this) and more importantly, even if it would,
there was no proof that the operator gives you proper data.
Anyone can set up a keyserver, ask Kristian for a cert or do the tor
hidden server, even Agent Smith.


> > > Why does facebook run a Hidden Service [0]?
> > Wild guess: Marketing & hype
> All services I provide, public or private, or just personal, are also
> reachable as Tor hidden services.
> The time and cost I need to set up a hidden service is a fraction of
> what I need for any conventional service, by adding a real IP, firewall
> rules, DNS entries, TLS keys and certificates etc. etc.
> 
> As long as this is easier to set up, why make clients leave the Tor
> network, if we both are already inside it?
Uhm that seems a bit strange... how could it be easier? You still have
to do all the real IP stuff, at least for Tor itself.

Anyway, as long as there's no true security benefit behind, I remain
sceptical that this rather lures people into a false sense of security.


Cheers,
Chris.

