Hints and Tips for Whistleblowers - their comments on Tor and SSL - I don't understand.

Kyle Williams kyle.kwilliams at gmail.com
Wed Oct 27 23:49:47 UTC 2010


On Wed, Oct 27, 2010 at 11:50 AM, Sebastian Hahn <mail at sebastianhahn.net> wrote:

>
> On Oct 27, 2010, at 8:19 PM, Matthew wrote:
>
>> Hello,
>>
>> There is a “Hints and Tips for Whistleblowers Guide” available at
>> http://ht4w.co.uk/.
>>
>> The section on proxies includes Tor-related information which I fail to
>> understand:
>>
>>
>> "You may actually get more anonymity when using the Tor cloud by not using
>> the https:// version of a web page (if there is an alternative,
>> unencrypted version available), since all the Tor traffic is encrypted
>> anyway between your PC and the final exit node in the Tor cloud, which will
>> probably not be physically in the United Kingdom."
>>
>>
>> ---I have no idea what this means. I thought the whole point of using
>> https:// was to prevent Tor exit nodes from snooping and / or potentially
>> injecting content.
>>
>>
>> "This applies especially to websites like the reasonably anonymous
>> whistleblowing website wikileaks.org (based in Sweden), which offer both
>> http://, https:// and Tor Hidden Service methods of uploading whistleblower
>> leak documents, but who tend to, mistakenly, insist on using https://
>> encryption for when someone comments on their wiki discussion pages. When
>> (not if) the wikileaks.org servers, or a blog or a discussion forum like
>> the activist news site Indymedia UK are physically seized (this happened to
>> IndyMedia UK at least 3 times now), this may, in some circumstances, betray
>> the real IP addresses of commentators with inside knowledge of a
>> whistleblower leak i.e. suspects for a leak investigation."
>>
>>
>> -----How on earth can it be “mistaken” to insist on using https:// encryption? Why would using https:// "betray the real IP addresses"?
>>
>>
> Hi,
>
> Wow. This is really dangerous misinformation, and I'm wondering what
> kind of person would give such intentionally harmful advice, marketing
> it at whistleblowers. Tor explicitly recommends using https wherever
> possible, whether you are using Tor or not. You're right to be
> suspicious of their advice. Attacking wikileaks for forcing the use of
> https is also just ridiculous.
>
>
> Sebastian

The person(s) who wrote that article appear to not have a full understanding
of Tor, or security for that matter.
We all know that HTTPS is preferred to regular HTTP.