On Wed, Apr 17, 2013 at 12:04:52AM +0530, mahesh wrote:
Hi, I am a third-year undergraduate student of Information Technology at PICT, Pune, India. I'm dying to contribute to the Tor community as I use it a lot. There's an opportunity for me in GSOC-2013. I read Tor's idea page and came to know that I would have to contribute to an existing project. But I would like to propose a new project. I came across this problem statement from a friend of mine who is a journalist. He says most of the time he doesn't have his laptop with him, so he can't access Tor from a CyberCafe as they won't let him download the bundle. So, I propose that there should be a web server to handle Tor requests over HTTP. I did my study and think it's feasible, but let me know everyone else's thoughts on it.
Mahesh
I think this is an interesting idea (will have to read the paper Paul linked to see what conclusions were already formulated), but there are a number of ways to look at this.
(These are possibly flawed/have holes in them, so please plug them)
1) We don't know the threat model going into this discussion, so "what could go wrong?". That being said,
2) I think it may have its purpose (and there is a threat model that supports this), the example already mentioned being one of them (with some assumptions). Without special treatment, the connection basically turns into a nondeterministic four-hop proxy (well, the last three hops are nondeterministic).
3) As was mentioned, this will be just one additional avenue where end users may be confused about the protection actually provided to them. There have been numerous discussions about Tor2Web on IRC and how users have been confused by the URLs (there have likely been discussions elsewhere, as well) and I would say that this idea actually takes Tor2Web one step further (about four hops further, actually) such that it allows access to hidden services and the internet (with all of the advantages and disadvantages).
4) Who do you trust? With this remote-proxy, it really depends on what you're looking to gain from using the Tor network. Are you looking for a censorship circumvention tool? Then you probably don't want to use a remote-proxy node run by the censor or any of its allies. If you're looking to remain anonymous...well, anonymous with respect to whom, I suppose?
Again, I don't think this idea is too far-fetched (I'm not sure as to the size of this project and its appropriateness for GSoC) but this will add just one more item to the list of tools about which end users will need to be educated. Remember, in general, the easier something is to use, the less secure it is. However, on the flip side, the more users using Tor, the more traffic on the network and therefore the harder it will be to "de-anonymize" a user (for some definition of that).
Hopefully I'm not too far off-base with this assessment.
All the best,
Matt