[tor-talk] security tradeoffs - was Tor and Financial Transparency

mirimir mirimir at riseup.net
Sat Aug 31 00:27:52 UTC 2013


On 08/30/2013 11:18 PM, Juan Garofalo wrote:

> At 10:34 PM 8/30/2013 +0000, you wrote:
>> On 08/30/2013 10:06 PM, Juan Garofalo wrote:
>> 
>>> At 11:33 AM 8/30/2013 -0400, Paul S. wrote:
>> 
>> SNIP
>> 
>>>> See all the research on the issues, trade-offs, threats,
>>>> designs, etc. that Tor Project Inc. employees, government
>>>> employees, university and corporate researchers, and lots of
>>>> others have done trying to design for a diverse userbase. 
>>>> www.freehaven.net/anonbib/ is a fine place to start. If you
>>>> can come up with better designs, we would love to have them.
>> 
>> SNIP
>> 
>>> For what it's worth: trying to have a diverse and big user base,
>>> and providing security for all users seems to be impossible. You
>>> either provide relatively good security for a small number of
>>> sensitive users, or relatively lax security for 'general' users.
>> 
>> As I understand Tor, that's precisely what Tor doesn't do. Its goal
>> is providing security through relatively-strong anonymity to all
>> users.
>> 
>> If, by "relatively lax security for 'general' users", you're
>> referring to having NoScript configured by default to allow all
>> sites, that's arguably the best option for most users.
> 
> 
> That would be one example. Support for flash videos (or not) is
> probably another example. Should people install addons they use in
> their non-Tor browser? etc.

The canonical answer is "no". But I'm sure that you know that.

I do agree that warnings about such modifications could be more
prominent. Perhaps they should appear in bolded capitals on the
"Congratulations, you are using Tor" page ;)

>> Any user can choose to block scripts by default on all sites, or
>> allow on a per-site basis, trading off anonymity for protection
>> against script-based exploits.
> 
> 
> ...which is not a choice the 'typical' user with basic knowledge of
> computers can make? Buffer overruns? What?

I agree that it's fairly easy to miss that little NoScript alert button
to the left of the address bar. Again, I believe that this issue
deserves a far more prominent warning.

>> Also, any user who's that concerned about script-based exploits
>> ought to be running the Tor client and their apps in separate
>> machines, or at least in separate VMs. No?
> 
> Perhaps.
> 
> But doesn't that contradict what you said at the beginning?
> 
> "[Tor's] goal is providing security through relatively-strong
> anonymity to all users."

As discussed on Tor's blog, it's a trade-off. Arguably, far more
clueless noobs would be put at risk through deanonymization via browser
signature than by exploits on high-risk hidden services. That's the Tor
Project's position, as I read it.

And I still maintain that users who visit high-risk hidden services are
responsible for properly securing their systems. But again, maybe that
should also appear in prominent warnings.

Probably the best advice that I've ever seen was on the Freedom Hosting
site ;) If you like, I'll send you a copy.

>> SNIP
>> 
>> 