[tor-talk] Should I warn against Tor?

Jens Lechtenboerger tortalk at informationelle-selbstbestimmung-im-internet.de
Sat Jul 6 12:12:27 UTC 2013


On Sa, Jul 06 2013, Roger Dingledine wrote:

> On Sat, Jul 06, 2013 at 12:46:17PM +0200, Jens Lechtenboerger wrote:
>> 1. If you are using Tor, you should assume that all your network
>> traffic gets stored, analyzed, and de-anonymized by intelligence
>> agencies.
>
> I don't want to tell you to stop worrying, but depending on how much
> you think these intelligence agencies collaborate, I think the "and
> de-anonymized" phrase might be overstated. For example, I would not be
> surprised if French intelligence doesn't has enough of a reach on the
> Internet to be able to break Tor easily -- simply because they haven't
> made enough deals with enough backbone providers relative to the locations
> of big Tor relays. Maybe they trade data with England and the US, but
> then again maybe they don't (or don't trade all of it).

I don’t worry about the French too much.  I don’t think that the
British need much collaboration, though.

> One of the unfortunate properties of the Internet is how it's much less
> decentralized than we'd like (and than we used to think). But there are
> still quite a few different places that you need to tap in order to have
> a good chance of beating a Tor circuit. For background, you might like:
> http://freehaven.net/anonbib/#feamster:wpes2004
> http://freehaven.net/anonbib/#DBLP:conf:ccs:EdmanS09
> and there's a third paper in this chain of research which I'm hoping
> the authors will make public soon -- stay tuned.

I’ll have a look.  Thanks for the pointers.

>> 2. If you do not use Tor, you should be aware that your ISP could
>> spy on all of your network traffic, while part of it (that part
>> passing tapped IXes) gets stored and analyzed by intelligence
>> agencies.
>
> I think you're underestimating the problem here. You say "Part of my
> traffic does not need to flow through big pipes and IXes but stays in
> local, untapped regions of the Internet." I think for the typical web
> user, basically _every single page they visit_ pulls in a component that
> goes through these 'big pipes' you refer to.

Thanks for that reminder.  Some of my browsers don’t do that, but
it’s easy to forget.

However, I wasn’t only thinking about the Web, but also things like
chat and ssh, which I might torify.

> In short, I think web users are in bad shape using Tor if their adversary
> is "every intelligence agency combined", but they're in way way worse
> shape when not using Tor.

I didn’t mean to imply that “combination” was necessary.

> While I'm at it -- you don't think Deutsche Telekom has a deal with
> BND where they hand over all the internal German Internet traffic they
> see?

I’m not sure about that.

> I hope the era where people say "My government is doing everything
> that has been reported in the news so far, but surely they're not doing
> anything else" is finally over, but I guess it will be a while yet.

So do I.

Best wishes
Jens


More information about the tor-talk mailing list