[tor-talk] "Safeplug"

Mike Cardwell tor at lists.grepular.com
Tue Nov 26 10:54:58 UTC 2013

* on the Mon, Nov 25, 2013 at 11:27:43PM +0000, Jacob Appelbaum wrote:

>>>> You shouldn't just route people through Tor without their knowledge.
>>>> They need to understand the risks and adapt their use accordingly.
>>> And what is the risk of barebacking with a network?
>> When your traffic comes out of a Tor exit node, there is a significantly
>> increased risk of passive and active MITM attacks against you, and also
>> increased risk of being locked out of your accounts.
> What data do you have on passive and active MITM attacks on all of the
> internet when you compare it with Tor?

I don't have any hard data, it's just what I've casually observed. Take
from that what you will. I will explain my reasoning at the end of this

> Some systems will lock people's accounts - that is a reasonable concern.

Yes. Therefore my statement holds: "You shouldn't just route people
through Tor without their knowledge. They need to understand the risks
and adapt their use accordingly"

> We need these systems to better understand the Tor network, rather than
> simply punt and stick with the same FUD.

Yes, we need both ends of the connection to understand and account for the
problem of cycling IPs/countries.

>>> Does that user gather my consent for every action that will be tied
>>> to me? No.
>> I did not say, "don't route people through Tor". I said, "don't route
>> people through Tor without their knowledge."
> Consent goes n ways. As the network operator, I hope the user will
> understand that they need to protect themselves from my network and
> routing choices.

> Similarly, I will try to protect myself and my ISP from
> being harmed by a user or someone targeting one of those users.

> As an example, some people wish to deploy captive portals for gathering
> informed consent. This is a path of madness. In addition to the
> linguistic failures, I think the last thing we need is *more* blocking
> and filtering. A click through wrapper isn't useful for much other than
> a CYA approach to consent which seems... sad.
> Perhaps you have another way to suggest that we have informed them and
> they have adequate knowledge? I think that I rarely understand the MPLS
> tunnels between my DSL circuit and say, DuckDuckGo - do I really need to
> understand those details to use the network?

This whole thing is an idealism vs pragmatism argument. Your argument
relies on Tor being just another network like any other. Whereas I'm
saying it is different and therefore should be treated differently. I
don't have any data to back this up, so you'll probably just label it
FUD, but IMO a lot of the Exit nodes are malicious and you're much more
likely to have your traffic compromised by a seriously malicious hacker
when using Tor than when not. This is why I would not route my mums
traffic through Tor without making sure she understood the difference to
her "normal" Internet connection.

To be completely clear: Tor is one my favourite OSS projects. I think
it's a great and worthwhile piece of software and is very important for
many people. Hopefully one day in the not too distant future my C foo
will be good enough to contribute, I would love to be employed by the
Tor Project at some point. I don't wish to dissuade people from using
it. I just want people to be safe when they do.

If I, as a random geek, wanted to mess around with MITM attacks to see
what information I could steal, I have a few options: I could do it
on my LAN at home, targetting friends and family. I could do it at
work and risk my job. I could go to somewhere with an open wifi hot
spot and target a couple of coffee drinkers reading the news. Or I
could spend a couple of minutes setting up a Tor exit node from the
comfort of my office, getting sustained access to the traffic of
thousands of strangers all over the World. This is why I think
malicious Tor Exit nodes are widespread: Because setting them up is
easy, attractive and safe.

Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 598 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20131126/e5baf786/attachment.sig>

More information about the tor-talk mailing list