Re: [tor-talk] How to find trust nodes?
On 9/28/17, Jason Longwrote: > Excuse me if I say it, but your answers make me confuse more!!! I guess > there is no guarantee about Tor nodes. correct > Governments and bad people can launch > a Tor node and sniff Tor users traffic and... Take a look at http://www.ex-parrot.com/pete/upside-down-ternet.html and then think about what anonymous bad people operating exit nodes could do to you. Think about how to defend against whatever you came up with.. Do you pay attention to Firefox security notices? Ever pay attention to how much time elapses between a FF 'remote code execution' vuln being published & you updating to a version of the tor browser that has the fix? Have fun! Lee -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
On Thu, 28 Sep 2017 07:31:56 +, Jason Long wrote: > I guess there is no guarantee about Tor nodes. What kind of guarantee do you expect? That, in case you get busted because someone figures out how to trace you despite using tor, they will send a small army to free you from the prison some dictator put you in because of that? Andreas -- "Totally trivial. Famous last words." From: Linus TorvaldsDate: Fri, 22 Jan 2010 07:29:21 -0800 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
There can be no guarantees - all software has bugs. However Tor Project people are making best efforts to help users get anonymity and security. https://blog.torproject.org/tor-social-contract TorBrowser cannot protect you against exit relay operators who sniff the contents of traffic. You must ensure that URLS of sites you go to start with HTTPS so that the connections are encrypted. Tor Project tries to find bad relays: https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays Note that governments have legitimate uses for Tor and therefore they have motivation to run well-configured nodes. See the list of "Who Uses Tor?" on the home page https://www.torproject.org/ On 28/09/17 03:31 AM, Jason Long wrote: > Excuse me if I say it, but your answers make me confuse more!!! I guess there > is no guarantee about Tor nodes. Governments and bad people can launch a Tor > node and sniff Tor users traffic and... > > On Thu, 9/28/17, Seth David Schoen <sch...@eff.org> wrote: > > Subject: Re: [tor-talk] How to find trust nodes? > To: tor-talk@lists.torproject.org > Date: Thursday, September 28, 2017, 1:41 AM > > George writes: > > > But ultimately, Tor's topography > mitigates against one of the three > > > nodes in your circuit being compromised. If the first hop > is > > compromised, then they only know who > you are, but not where your > > destination > is. If the last hop is compromised, they only know where > > you're going, but not who you are > (unless your providing clear text of > > > personally identifying information). > > A challenge is that there are threat models in > which a considerable number > of Tor users may > be exposed, at least for some of their circuits. > > * If a single adversary runs > several fast nodes that are popular and whose >relationship to each other is undisclosed, a > pretty high amount of traffic >may select > that adversary's nodes as entry and exit nodes for the > same >circuit. The guard node design > gives a relatively low probability of this >happening to any individual user with > respect to any individual >adversary in > any specific time period, but doesn't guarantee that > it >would be a particularly rare event for > Tor users as a whole. > > * If > adversaries cooperate, they can get benefits equivalent to > running many >nodes even though each one > only runs a few. > > * If an > adversary can monitor network activity and see both entry > and exit >points, for a given circuit, it > can perform correlations even though >it > doesn't operate any nodes. Or, an adversary that can > monitor some >networks can increase its > chance of getting visibility of both ends of >a connection by also operating some nodes, > since some users whose entry >or exit > activity the adversary otherwise wouldn't have been able > to >monitor from network surveillance > alone may sometimes randomly choose to > > use that adversary's nodes in one of these positions. > > * An adversary that can > monitor some kind of public or private online >activity can perform coarse-grained timing > correlation attacks between >its own entry > nodes (or parts of the Internet where it can see Tor >node entry) and the online activity that it > can see. For example, if a >user > regularly uses Tor to participate in some kind of public > forum, >public chat, etc., the adversary > could gather data about how entry >traffic > that it can see does or doesn't correlate with that > participation. >Or if an adversary can > obtain logs about the use of a particular online >service, even though those logs aren't > available to the general public, >it can > also correlate that statistically with entry data that it > has >available for some other reason. > > The "good news" is > that a given Tor user is probably not very likely to > be vulnerable to many of these attacks from > many adversaries when using > Tor infrequently > or for brief periods. Yet many of these attacks would > work at least some of the time against a pretty > considerable amount of > Tor traffic. > > I agree with your point that > just having more random people run nodes > helps decrease the probability of success of > several of these attacks. > > -- > Seth Schoen <sch...@eff.org> > Senior Staff Technologist > https://www.eff.org/ > Electronic Fronti
Re: [tor-talk] How to find trust nodes?
On Thu, 28 Sep 2017, at 14:10, Jonathan D. Proulx wrote: > The design of Tor is that you don't need to trust all the nodes. You > just need to be sure the first one and the last in any connection > chain aren't run by the *same* malicious actor. You don't even have to know how to use the email, the case of Jonathan D. Proulx -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
On Thu, Sep 28, 2017 at 07:31:56AM +, Jason Long wrote: :Excuse me if I say it, but your answers make me confuse more!!! I guess there is no guarantee about Tor nodes. Governments and bad people can launch a Tor node and sniff Tor users traffic and... The design of Tor is that you don't need to trust all the nodes. You just need to be sure the first one and the last in any connection chain aren't run by the *same* malicious actor. : :On Thu, 9/28/17, Seth David Schoen <sch...@eff.org> wrote: : : Subject: Re: [tor-talk] How to find trust nodes? : To: tor-talk@lists.torproject.org : Date: Thursday, September 28, 2017, 1:41 AM : : George writes: : : > But ultimately, Tor's topography : mitigates against one of the three : > : nodes in your circuit being compromised. If the first hop : is : > compromised, then they only know who : you are, but not where your : > destination : is. If the last hop is compromised, they only know where : > you're going, but not who you are : (unless your providing clear text of : > : personally identifying information). : : A challenge is that there are threat models in : which a considerable number : of Tor users may : be exposed, at least for some of their circuits. : : * If a single adversary runs : several fast nodes that are popular and whose : relationship to each other is undisclosed, a : pretty high amount of traffic : may select : that adversary's nodes as entry and exit nodes for the : same : circuit. The guard node design : gives a relatively low probability of this : happening to any individual user with : respect to any individual : adversary in : any specific time period, but doesn't guarantee that : it : would be a particularly rare event for : Tor users as a whole. : : * If : adversaries cooperate, they can get benefits equivalent to : running many : nodes even though each one : only runs a few. : : * If an : adversary can monitor network activity and see both entry : and exit : points, for a given circuit, it : can perform correlations even though : it : doesn't operate any nodes. Or, an adversary that can : monitor some : networks can increase its : chance of getting visibility of both ends of : a connection by also operating some nodes, : since some users whose entry : or exit : activity the adversary otherwise wouldn't have been able : to : monitor from network surveillance : alone may sometimes randomly choose to : : use that adversary's nodes in one of these positions. : : * An adversary that can : monitor some kind of public or private online : activity can perform coarse-grained timing : correlation attacks between : its own entry : nodes (or parts of the Internet where it can see Tor : node entry) and the online activity that it : can see. For example, if a : user : regularly uses Tor to participate in some kind of public : forum, : public chat, etc., the adversary : could gather data about how entry : traffic : that it can see does or doesn't correlate with that : participation. : Or if an adversary can : obtain logs about the use of a particular online : service, even though those logs aren't : available to the general public, : it can : also correlate that statistically with entry data that it : has : available for some other reason. : : The "good news" is : that a given Tor user is probably not very likely to : be vulnerable to many of these attacks from : many adversaries when using : Tor infrequently : or for brief periods. Yet many of these attacks would : work at least some of the time against a pretty : considerable amount of : Tor traffic. : : I agree with your point that : just having more random people run nodes : helps decrease the probability of success of : several of these attacks. : : -- : Seth Schoen <sch...@eff.org> : Senior Staff Technologist : https://www.eff.org/ : Electronic Frontier Foundation : https://www.eff.org/join : 815 Eddy Street, San Francisco, CA 94109 : +1 415 436 9333 x107 : -- : tor-talk mailing list - tor-talk@lists.torproject.org : To unsubscribe or change other settings go : to : https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk : : -Inline Attachment Follows- : : :-- :tor-talk mailing list - tor-talk@lists.torproject.org :To unsubscribe or change other settings go to :https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
Excuse me if I say it, but your answers make me confuse more!!! I guess there is no guarantee about Tor nodes. Governments and bad people can launch a Tor node and sniff Tor users traffic and... On Thu, 9/28/17, Seth David Schoen <sch...@eff.org> wrote: Subject: Re: [tor-talk] How to find trust nodes? To: tor-talk@lists.torproject.org Date: Thursday, September 28, 2017, 1:41 AM George writes: > But ultimately, Tor's topography mitigates against one of the three > nodes in your circuit being compromised. If the first hop is > compromised, then they only know who you are, but not where your > destination is. If the last hop is compromised, they only know where > you're going, but not who you are (unless your providing clear text of > personally identifying information). A challenge is that there are threat models in which a considerable number of Tor users may be exposed, at least for some of their circuits. * If a single adversary runs several fast nodes that are popular and whose relationship to each other is undisclosed, a pretty high amount of traffic may select that adversary's nodes as entry and exit nodes for the same circuit. The guard node design gives a relatively low probability of this happening to any individual user with respect to any individual adversary in any specific time period, but doesn't guarantee that it would be a particularly rare event for Tor users as a whole. * If adversaries cooperate, they can get benefits equivalent to running many nodes even though each one only runs a few. * If an adversary can monitor network activity and see both entry and exit points, for a given circuit, it can perform correlations even though it doesn't operate any nodes. Or, an adversary that can monitor some networks can increase its chance of getting visibility of both ends of a connection by also operating some nodes, since some users whose entry or exit activity the adversary otherwise wouldn't have been able to monitor from network surveillance alone may sometimes randomly choose to use that adversary's nodes in one of these positions. * An adversary that can monitor some kind of public or private online activity can perform coarse-grained timing correlation attacks between its own entry nodes (or parts of the Internet where it can see Tor node entry) and the online activity that it can see. For example, if a user regularly uses Tor to participate in some kind of public forum, public chat, etc., the adversary could gather data about how entry traffic that it can see does or doesn't correlate with that participation. Or if an adversary can obtain logs about the use of a particular online service, even though those logs aren't available to the general public, it can also correlate that statistically with entry data that it has available for some other reason. The "good news" is that a given Tor user is probably not very likely to be vulnerable to many of these attacks from many adversaries when using Tor infrequently or for brief periods. Yet many of these attacks would work at least some of the time against a pretty considerable amount of Tor traffic. I agree with your point that just having more random people run nodes helps decrease the probability of success of several of these attacks. -- Seth Schoen <sch...@eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -Inline Attachment Follows- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
How can I find a good node that configured strongly? On Wed, 9/27/17, George <geo...@queair.net> wrote: Subject: Re: [tor-talk] How to find trust nodes? To: tor-talk@lists.torproject.org Date: Wednesday, September 27, 2017, 11:18 PM Jason Long: > Hello. > How can I sure a Tor node that I connected to it is secure and is not a NSA or CIA node? You can't ensure that none of the Tor nodes in a particular three-node circuit aren't run by some three-letter government agency. There are regular checks about expired versions of Tor, poorly configured Tor policies on nodes, or other explicit bad things, but those only catch the most obvious insecurities. You can run your own relay or bridge, which could at least ensure one hop isn't compromised, not to mention the benefit for the many other Tor users. But ultimately, Tor's topography mitigates against one of the three nodes in your circuit being compromised. If the first hop is compromised, then they only know who you are, but not where your destination is. If the last hop is compromised, they only know where you're going, but not who you are (unless your providing clear text of personally identifying information). This happens to be why that quiet individual who runs one bridge or relay is so vital to the integrity of the network. g -- 5F77 765E 40D6 5340 A0F5 3401 4997 FF11 A86F 44E2 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
On Wed, Sep 27, 2017 at 5:03 PM, Petruskowrote: > Ouch ! Please NO ! Well it is perhaps possible to avoid that to you, by this user completely sequestering the node from you operator access, other than to allow you operator payment to hosting account. User must still then investigate the HW and SW, which can assure only themselfs, not similarly trustfully out to the rest of the users, since as such this user is then effectively operator. So it is back to, for any explicit trust upon a node, all three must be continually investigated... operator, HW, SW. Else you rely on theories of goodwill and random chance. Unfortunately or not, that appears to be viewed as sufficient, as even modest proposals of establishing optional Web of Trust among operators, and community analysis of meta parameters of nodes into optionally subscribable lists of nodes to use... have not been taken up and tried as projects yet. #OpenFabs, #OpenHW, #OpenSW, #OpenOperator -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
George writes: > But ultimately, Tor's topography mitigates against one of the three > nodes in your circuit being compromised. If the first hop is > compromised, then they only know who you are, but not where your > destination is. If the last hop is compromised, they only know where > you're going, but not who you are (unless your providing clear text of > personally identifying information). A challenge is that there are threat models in which a considerable number of Tor users may be exposed, at least for some of their circuits. * If a single adversary runs several fast nodes that are popular and whose relationship to each other is undisclosed, a pretty high amount of traffic may select that adversary's nodes as entry and exit nodes for the same circuit. The guard node design gives a relatively low probability of this happening to any individual user with respect to any individual adversary in any specific time period, but doesn't guarantee that it would be a particularly rare event for Tor users as a whole. * If adversaries cooperate, they can get benefits equivalent to running many nodes even though each one only runs a few. * If an adversary can monitor network activity and see both entry and exit points, for a given circuit, it can perform correlations even though it doesn't operate any nodes. Or, an adversary that can monitor some networks can increase its chance of getting visibility of both ends of a connection by also operating some nodes, since some users whose entry or exit activity the adversary otherwise wouldn't have been able to monitor from network surveillance alone may sometimes randomly choose to use that adversary's nodes in one of these positions. * An adversary that can monitor some kind of public or private online activity can perform coarse-grained timing correlation attacks between its own entry nodes (or parts of the Internet where it can see Tor node entry) and the online activity that it can see. For example, if a user regularly uses Tor to participate in some kind of public forum, public chat, etc., the adversary could gather data about how entry traffic that it can see does or doesn't correlate with that participation. Or if an adversary can obtain logs about the use of a particular online service, even though those logs aren't available to the general public, it can also correlate that statistically with entry data that it has available for some other reason. The "good news" is that a given Tor user is probably not very likely to be vulnerable to many of these attacks from many adversaries when using Tor infrequently or for brief periods. Yet many of these attacks would work at least some of the time against a pretty considerable amount of Tor traffic. I agree with your point that just having more random people run nodes helps decrease the probability of success of several of these attacks. -- Seth SchoenSenior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
George: > nusenu: >> >> >> George: >>> There are regular checks about expired versions of Tor >> >> Can you elaborate on that? > > As per this thread about Atlas reporting: > > https://lists.torproject.org/pipermail/tor-relays/2017-August/012715.html > > Although I'm not aware of any active notifications about versions. This is just about displaying an information on atlas, but that has no real effect on the relay or their usage by tor clients. I do not think that there is a tor version expiration (other than specifically and manually removing severely broken versions via directory authorities). https://lists.torproject.org/pipermail/tor-dev/2017-September/012444.html -- https://mastodon.social/@nusenu twitter: @nusenu_ signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
nusenu: > > > George: >> There are regular checks about expired versions of Tor > > Can you elaborate on that? As per this thread about Atlas reporting: https://lists.torproject.org/pipermail/tor-relays/2017-August/012715.html Although I'm not aware of any active notifications about versions. g -- 5F77 765E 40D6 5340 A0F5 3401 4997 FF11 A86F 44E2 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
George: > There are regular checks about expired versions of Tor Can you elaborate on that? -- https://mastodon.social/@nusenu twitter: @nusenu_ signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
grarpamp : > On Wed, Sep 27, 2017 at 3:04 PM, Jason Longwrote: >> How can I sure a Tor node that I connected to it is secure and is not a NSA >> or CIA node? > Go meet the operator and conduct an anal probe on them Ouch ! Please NO ! -- Petrusko C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5 signature.asc Description: OpenPGP digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
On Wed, Sep 27, 2017 at 3:04 PM, Jason Longwrote: > How can I sure a Tor node that I connected to it is secure and is not a NSA > or CIA node? Go meet the operator and conduct an anal probe on them far more intensive and long running than an SF-86 SSBI. Parallel to that, go image the node, try to find reproducible source code version to it, and pay $1M for a full audit. Then go ask Intel / AMD about what's really inside their chips. Then verify if the chips in the box are what rolled off the fab. Or note improved odds with tor's multiple hops, plus user opsec and defense in depth, pursuant to reading whitepapers detailing exploits against tor and your entire stack and usage. A non generic answer depends on your use case and threat model. Once you can articulate those, you'll be closer to finding an answer. Without them, we probably aren't able to be of much help. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to find trust nodes?
Jason Long: > Hello. > How can I sure a Tor node that I connected to it is secure and is not a NSA > or CIA node? You can't ensure that none of the Tor nodes in a particular three-node circuit aren't run by some three-letter government agency. There are regular checks about expired versions of Tor, poorly configured Tor policies on nodes, or other explicit bad things, but those only catch the most obvious insecurities. You can run your own relay or bridge, which could at least ensure one hop isn't compromised, not to mention the benefit for the many other Tor users. But ultimately, Tor's topography mitigates against one of the three nodes in your circuit being compromised. If the first hop is compromised, then they only know who you are, but not where your destination is. If the last hop is compromised, they only know where you're going, but not who you are (unless your providing clear text of personally identifying information). This happens to be why that quiet individual who runs one bridge or relay is so vital to the integrity of the network. g -- 5F77 765E 40D6 5340 A0F5 3401 4997 FF11 A86F 44E2 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk