Today I read some technical documents at http://www.torproject.org, which
is a project that tries to enhance anonymity of Internet users, or allow
Internet users to circumvent censorship.

With Tor, your outgoing connections will be routed (using encryption) to
a chain of random Tor servers, until a Tor exit node performs your
desired connection to the intended destination.

Let's speculate there might be a CA that has been forced to work with
some secret service to issue false certificates (this has been recently
described as "compelled CAs").

Until now, I had assumed the effect of such an abuse of CA powers would
be geographically limited.

If a secret service (or a government agency) were able to control
Internet traffic from all users in a geographic area (or all customers
of an ISP) so that it were routed through some gateway device, and the
gateway used a compelled certificate to allow for sniffing, the affected
Internet users would still be limited to the geographical area where the
secret service is active.

But what would happen if the secret service decided to set up lots of
Tor servers and exit nodes?

If they did, as a result, a percentage of Tor users from elsewhere on
the planet would get routed through the remote spying gateway device,
too, wouldn't they?

I've asked on the Tor IRC channel, and was told that a person running an
exit node can manipulate all outgoing traffic in any way they wish, and
that manipulated DNS settings on the exit node system would be effective
for fulfilling outgoing requests of Tor users.

Although I had considered using or supporting Tor, I'm worried that it
might (theoretically) enable some unknown remote entities to spy on me,
even if I use end-to-end encryption (SSL). Am I paranoid, or are my
thoughts making sense?

I'm worried that using Tor would be counterproductive if the compelled
CA scenario were not hypothetical.

Maybe I should have posted this to a Tor newsgroup, but I believe it's
of interest to this group as well, and I'll make the Tor developers
aware of this post.

Regards,
Kai
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
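
An added example, not part of the original post: a certificate issued by a compelled CA passes normal chain validation, so one way to notice a substituting exit node is to compare the leaf certificate fingerprint seen for the same host over several network paths, or against a known pin. The vantage names, the sample byte strings and the `find_substitutions` helper are hypothetical and constructed for illustration.

```python
import hashlib
from collections import Counter, defaultdict

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a leaf certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

# Constructed sample data: stand-in byte strings, not real certificates.
GENUINE = b"constructed-der:example.org:issued-by-CA-1"
SUBSTITUTE = b"constructed-der:example.org:issued-by-CA-2"

# (vantage point, host, did chain validation succeed?, leaf certificate bytes)
OBSERVATIONS = [
    ("direct", "example.org", True, GENUINE),
    ("exit-A", "example.org", True, GENUINE),
    ("exit-B", "example.org", True, SUBSTITUTE),  # validates, but differs
    ("exit-C", "example.org", True, GENUINE),
]

def find_substitutions(observations, pins=None):
    """Return {host: [(vantage, chain_valid), ...]} for paths whose leaf
    certificate differs from the reference: the pinned fingerprint if one is
    known, otherwise the fingerprint seen on the most paths."""
    pins = pins or {}
    by_host = defaultdict(list)
    for vantage, host, chain_valid, der in observations:
        by_host[host].append((vantage, chain_valid, fingerprint(der)))
    suspects = {}
    for host, seen in by_host.items():
        if host in pins:
            reference = pins[host]
        else:
            top = Counter(fp for _, _, fp in seen).most_common(2)
            # No clear majority: nothing can be trusted as the reference.
            reference = None if len(top) > 1 and top[0][1] == top[1][1] else top[0][0]
        odd = sorted((v, ok) for v, ok, fp in seen if fp != reference)
        if odd:
            suspects[host] = odd
    return suspects

if __name__ == "__main__":
    for host, paths in find_substitutions(OBSERVATIONS).items():
        for vantage, chain_valid in paths:
            print(f"{host}: certificate seen via {vantage} differs "
                  f"(chain validation passed: {chain_valid})")
```

A mismatch is a reason to investigate, not proof of interception: large sites legitimately serve different certificates from different front ends.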