On Thu, Jul 31, 2014 at 01:58:18PM -0700, Seth David Schoen wrote:
> Roger Dingledine writes:
>
> > But in this particular case I'm stuck, because the arms race is so
> > lopsidedly against us.
> >
> > We can scan for whether exit relays handle certain websites poorly,
> > but if the list that we scan for is public, then exit relays can mess
> > with other websites and know they'll get away with it.
>
> I think the remedy is ultimately HTTPS everywhere. Then the problem
> is reduced to checking whether particular exits try to tamper with the
> reliability or capacity of flows to particular sites, or with the public
> keys that those sites present. (And figuring out whether HTTPS and its
> implementations are cryptographically sound.)

It's not just about HTTP. We've also seen attacks targeting SSH, SMTP,
IMAP, FTP, and XMPP. While SSH's trust-on-first-use works reasonably
well and MitM attacks tend to be ineffective, XMPP is a different story
with at least one major client having had issues with authentication.

Cheers,
Philipp
--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
