[tor-talk] To Toggle, or not to Toggle: The End of Torbutton

Paul Syverson syverson at itd.nrl.navy.mil
Mon Apr 18 13:14:39 UTC 2011


On Mon, Apr 18, 2011 at 07:09:35AM +0200, Moritz Bartl wrote:
> On 12.04.2011 16:59, Milton Scritsmier wrote:
> > After reading most of the replies to this topic, I'm not sure the
> > average user has weighed in. [...]
> 
> Thank you. This list is dominated, if not completely focused, on
> development and security research. The Torproject as a whole has for the
> last 10 years failed to split off a separate section for users (website,
> FAQ, mailing list, whatever). I don't think there is a proper way to do
> it and not duplicate stuff, however. There are a few other reasons that
> stopped Torproject from doing that, the most prominent I think always
> was that "devs should not lose contact with actual users".
> 
> > And so far I don't think anybody has solved the problem of a user
> > who understands relatively little about computers trying to remain
> > secure against a regime with vast resources and skills at its disposal.
> 
> I don't consider myself a security researcher, but I've been following
> the Tor project since its early days. The misconception and
> misunderstandings grew over time as the user base expanded, and while
> Torbutton is a great and excellent project, in a way it only further
> complicated things.
> 
> The problem is rooted in the vocabulary. I am not sure if it's the best
> thing to cite, and I am in no way educated enough to say it is the
> definitive guide, but as far as I know the "Anon Terminology" paper
> published by Andreas Pfitzmann since 2000 tried to form a definitive
> base for discussion. He collected, if not influenced, different terms
> around anonymity.
> 
> http://dud.inf.tu-dresden.de/Anon_Terminology.shtml
> 
> It's been a while since I've last read it, but if I remember correctly
> it fails to separate anonymity into different "types".
> 
> Anonymity is a hard term, and simply cannot be achieved when using
> electronic communication. Tor, without Torbutton, tries its best to
> anonymize *traffic*, i.e. make it hard to know who is talking to whom.
> Tor does not, and never did, try to fix the problem of identifying
> information *inside* the transported data. Tor is completely neutral in
> that respect.
> 
> The problem is that a lot of applications transmit user identifiable
> information. It is not Tor's job to stop that, mostly because there is
> no way to know what kind of information is "identifying" in a certain
> situation, and if the user wants to transmit that kind of information in
> the first place.

The job of Tor has always been to separate identification from
routing. And that is how we've expressed it since the
beginning. Keeping this in mind makes it much easier than trying to
capture technical definitions for "anonymity", which is pretty
complicated and subject of much research as well. When we do talk
about anonymity it helps to say that Tor anonymizes the communication
pipe, not the data that passes through it.

This isn't just to narrow the scope of the problem Tor addresses,
although that modularity is also a good thing. It is because we often
want to identify ourselves through the anonymous pipes Tor creates.
It is easy to forget that if you only think about looking at web sites
when you don't want the webserver to know it is you looking.  But, if
someone wants to login remotely to a system of hers, or to update her
blog without giving away where or who she is to anyone watching, then
she wants to both make sure that she is talking to the right system
(to make sure she isn't sending things to a receiver she doesn't want
getting those things) and that the system knows it's her (to prevent
any arbitrary person from doing what she's doing or pretending to
speak on her behalf). So she wants to identify and authenticate the
system, and she wants the system to identify and authenticate her.

> 
> Torbutton, despite its name, has nothing to do with Tor. It works great
> for any other proxy software, too. Torbutton does what Tor does not:
> Block application-specific information that could leak your identity
> without you explicitly telling it to do so. For that, it has to know the
> protocol and the application. Any other application or protocol could as
> well be "screened and cleaned" by something like Torbutton. For example,
> one could write a "BittorrentButton" for a torrent client.
> 
> In general, I find it hard to explain the difference, because the
> community lacks different names for the different properties that, as a
> whole, define "anonymity". At least I don't know how to separate these,
> but maybe I'm just not educated enough.


Actually we've had the terminology and conceptual machinery for at
least fifteen years. What I said above I also said in talks and papers
in 1996.  For example, "Our goal here is not to provide anonymous
communication but, to place identification where it belongs. The use
of a public network should not automatically reveal the identities of
communicating parties" --quoted from "Hiding Routing Information"
http://www.onion-router.net/Publications.html#IH-1996

Tor separates identification from routing so that your communication
gets where it needs to without identifying you---anonymizes the
communications pipe if you prefer. Torbutton toggles whether your
browser communicates through that pipe or not and helps filter and
manage some of what goes in or out of that pipe. This helps prevent you
from inadvertently sending identifying information through that pipe
and also helps prevent what comes through the pipe tricking your
computer into sending something in a way that bypasses the pipe and
its protections.

HTH,
Paul

