[tor-dev] Hidden service policies

Wed Jul 23 12:27:15 UTC 2014

>
> (Aside: I think this thread is unrelated enough to tor-dev at this point
> that I'm going to make this my last reply.)
>

That's too bad - I was only answering questions you posed yourself. Happy
to continue debating off list. Still, I think discussion of features that
could increase usage are on topic. There's a similar thread about creating
social rewards for relay operators after all.

Re: technological attacks/partitioning. I did not respond to this because I
didn't understand the attack you're proposing, that's why I asked for a
step-by-step example against a hypothetical Snowden blog. But your answer
starts with "first, you break Tor's security". That's not something that HS
policies makes newly possible. If you can pwn the users TBB download or
impersonate the directory authorities you win no matter what:  HS policies
are irrelevant.

I don't think there's any new technical attack HS policies would open up,
if they were done in the same way as exit policies. From the perspective of
an HS trying to initialise, it'd just be equivalent to having a smaller
network. As you already said you'd happily sacrifice the ~5000 nodes that
don't exit traffic because they're harming Tor's anonymity, presumably a
smaller network isn't a big deal for you?

If there's a specific technical attack that doesn't rely on general attacks
against Tor, I'm still keen to hear a step by step example of how to do it.

Re: politics. Yes it's a largely political argument. That's fine: Tor is a
political animal, it has got a lot of funding from organisations with
explicitly political agendas, the "who uses tor" section on the front page
is full of characters with political goals like activists and
whistleblowers. Tor does not exist independent of politics - politics
should inform its technical design decisions (and does already).

Re: TBB. The consequence of TBB not having any setting below "extreme" is
not at all minimal, as you claim, it's a probably severe reduction in usage
that could insulate Tor against political pressure. I claim this because in
my former job I saw the different usage levels of HotSpot Shield vs Tor.
Yes, for the small number of users who might get shot they need and should
have that hard core, no compromises mode. For everyone else who would like
some additional privacy but who isn't worried about getting shot, the
consequence of Tor's current approach is that they just don't use Tor.

The same is true of other functions, like running a relay. Having knobs
people can tweak is not weakness. It's acceptance of the fact that not
*everyone* who wants to have privacy is Tank Man, and not *everyone* who
wants to contribute to privacy feels ransomware/revenge porn sites are as
worthy of protection as newspaper dropboxes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140723/50e8b473/attachment.html>