Re: DuckDuckGo now operates a Tor exit enclave

[Gregory Maxwell]

On Sun, Aug 15, 2010 at 2:46 PM, Ted Smith  wrote:
> On Sun, 2010-08-15 at 17:40 +0200, Michael Scheinost wrote:
>> 2. Why is it offering HTTP
>> If duckduckgo.com really cares for the anonymity and privacy of its
>> users, why do they offer unencrypted HTTP?
>> Even if tor users are encouraged to use HTTPS, some of them will
>> forget
>> doing so.
>
> There's no point in HTTPS if you're using an exit enclave. The traffic
> is encrypted in the Tor cloud, exits that cloud **on the service's
> localhost address**, and if it were encrypted, would be transmitted as
> ciphertext to the service port on the local interface.
>
> If you're proposing a threat model wherein loopback is an untrusted
> connection, you have bigger problems than, well, anything.

Except that users often won't use the exit enclave due to limitations in tor.

The first connection to a destination will not use the exit enclave
because prior to the first connection the node will be unaware of the
destination IP and thus unaware of the existence of the enclave.

Incomplete directory information can also cause nodes to not use enclaves.

Exits with falsified DNS will cause nodes not to use enclaves.

These weaknesses could all be reduced or eliminated, but I don't think
people have cared too much about the exit enclave functionality.
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/

Re: DuckDuckGo now operates a Tor exit enclave

[Ted Smith]

On Sun, 2010-08-15 at 17:40 +0200, Michael Scheinost wrote:
> 2. Why is it offering HTTP
> If duckduckgo.com really cares for the anonymity and privacy of its
> users, why do they offer unencrypted HTTP?
> Even if tor users are encouraged to use HTTPS, some of them will
> forget
> doing so. 

There's no point in HTTPS if you're using an exit enclave. The traffic
is encrypted in the Tor cloud, exits that cloud **on the service's
localhost address**, and if it were encrypted, would be transmitted as
ciphertext to the service port on the local interface.

If you're proposing a threat model wherein loopback is an untrusted
connection, you have bigger problems than, well, anything.


signature.asc
Description: This is a digitally signed message part

Re: DuckDuckGo now operates a Tor exit enclave

[Robert Ransom]

On Sun, 15 Aug 2010 17:40:16 +0200
Michael Scheinost  wrote:

> Hi all,
> 
> thanks a lot for your answers.
> I did some additional reading and now have a vague idea how tor exit
> enclaving works.
> As far as I understand, enclaving doesn't break tor anonymity and
> privacy. Quite contrary to this, anonymity may be even enhanced by it
> (https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#WhatisExitEnclaving).
> 
> On the other hand, there are still some points coming up with the post
> of Eugen that remain unclear to me:
> 
> 1. Eugen is posting this text from
> http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-operates-a-tor-exit-enclave.html
> without any comment to this mailinglist. This blog enrtry looks alot
> like an adveritsment to me. Eugens intentions are hidden. So perhaps he
> is connected to duckduckgo.com in some way or perhaps he is not.

I don't know whether Eugen Leitl is connected to DuckDuckGo, but he has
routinely posted/forwarded Tor-related news stories to the mailing
list.  Search for his name in the archives at
.

As for whether the blog post is an advertisement, Gabriel Weinberg
created, owns, and operates DuckDuckGo, and readers of his blog are
presumably interested in his business ventures and already aware of
DuckDuckGo.

> 2. Why is it offering HTTP
> If duckduckgo.com really cares for the anonymity and privacy of its
> users, why do they offer unencrypted HTTP?

From a comment posted by ‘phobos’ (Andrew Lewman) on
:

| The reason we as tor allow http and do not automatically redirect to
| https is that some companies and countries block ssl websites by
| default. I've seen this in action at a few banks around the world. They
| feel they need to surveil their employees to meet audit requirements.
| If we automatically redirected to the ssl site, many people would be
| sad. Some countries in the Middle East block ssl versions of sites, but
| not the non-SSL version. Simply forcing SSL everywhere is fraught with
| complexities. However, enabling SSL for users to choose is a fine
| option. You'll notice my links were to the ssl version of a site if it
| existed.

DuckDuckGo probably allows non-SSL access for the same reasons.

Also, they would need to have an HTTP service that redirects to their
HTTPS URL in order to support users typing ‘duckduckgo.com’ into a
browser without a URL scheme, such a redirect can't be sent before the
browser has sent the request (and URL) in the clear, and once the user
has sent a request in the clear, sending the response back in the clear
doesn't hurt their privacy any further.

> Even if tor users are encouraged to use HTTPS, some of them will forget
> doing so.



But it wouldn't be needed *if* you could ensure that you are using the
exit enclave.

> 3. "This site requires JavaScript."
> In my opinion this point is the worst: When I entered
> https://duckduckgo.com with NoScript enabled (my default) I can read the
> message "This site requires JavaScript." just below the search box. So
> duckduckgo.com wants its user to turn on java script. But with java
> script enabled your anonymity is nearly switched off.

It looks like they mainly use JavaScript to load search results lazily
(when the user scrolls down so that the end of the page is visible).
Their FAQ () says that they are
actively working on a non-JavaScript version.  I hope they finish it
soon; their site wedged my browser the first time I tried it.

For now, Torbutton can block many of the scary JavaScript-based attacks
while still allowing JavaScript to run.

> Perhaps duckduckgo.com's primary intention is not offering anonymous
> services. Probably they just want to offer another alternate search
> engine. And perhaps they just think offering a tor enclave is a nice
> addon. So perhaps in conclusion, they didn't think much about anonymity
> and privacy. I don't know it.



> But why was this ad posted to the tor mailinglist?

I don't know why Gabriel Weinberg didn't post a link to his blog post
to the list himself.  Advertisement or not, it is certainly an
appropriate news item for this list.


Robert Ransom


signature.asc
Description: PGP signature

Re: DuckDuckGo now operates a Tor exit enclave

[Michael Scheinost]

Hi all,

thanks a lot for your answers.
I did some additional reading and now have a vague idea how tor exit
enclaving works.
As far as I understand, enclaving doesn't break tor anonymity and
privacy. Quite contrary to this, anonymity may be even enhanced by it
(https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#WhatisExitEnclaving).

On the other hand, there are still some points coming up with the post
of Eugen that remain unclear to me:

1. Eugen is posting this text from
http://www.gabrielweinberg.com/blog/2010/08/duckduckgo-now-operates-a-tor-exit-enclave.html
without any comment to this mailinglist. This blog enrtry looks alot
like an adveritsment to me. Eugens intentions are hidden. So perhaps he
is connected to duckduckgo.com in some way or perhaps he is not.

2. Why is it offering HTTP
If duckduckgo.com really cares for the anonymity and privacy of its
users, why do they offer unencrypted HTTP?
Even if tor users are encouraged to use HTTPS, some of them will forget
doing so.

3. "This site requires JavaScript."
In my opinion this point is the worst: When I entered
https://duckduckgo.com with NoScript enabled (my default) I can read the
message "This site requires JavaScript." just below the search box. So
duckduckgo.com wants its user to turn on java script. But with java
script enabled your anonymity is nearly switched off.

Perhaps duckduckgo.com's primary intention is not offering anonymous
services. Probably they just want to offer another alternate search
engine. And perhaps they just think offering a tor enclave is a nice
addon. So perhaps in conclusion, they didn't think much about anonymity
and privacy. I don't know it.
But why was this ad posted to the tor mailinglist?

just my 2c, Michael
-- 
Michael Scheinost
mich...@scheinost.org
Jabber: m.schein...@jabber.ccc.de
GPG Key ID 0x4FF8E93B



signature.asc
Description: OpenPGP digital signature

Re: Tor Project 2008 Tax Return Now Online

[Jacob Appelbaum]

On 08/15/2010 02:56 AM, Anon Mus wrote:
> I think you'll find that Tor only became officially incapable of
> protecting from such an adversary around 2004/5 when numerous request to
> add this protection to Tor was made. Since then  its been the official
> policy not to protect from such a threat (so as to head off any
> complaints it does not do the job perhaps ??).
> 

[citation needed]

> It a good idea that you speak for Tor only, not other system here, where
> there are/have been genuine attempts to provide full anonymity, no get
> out clause.

Nice story, bro.

All the best,
Jake
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/

Re: Tor Project 2008 Tax Return Now Online

[Anon Mus]

Jimmy Dioxin wrote:

The US Government also gets extensive use out of Tor. Law enforcement
uses it for informants etc. As explained on the Tor website, this is
actually a good thing as it makes you more anonymous (are you a fed, a
journalist, somebody looking for porn, etc)

Jimmy Dioxin
  



Actually, you haven't really worked it out yet, so let me try and put 
you on the right track.


If you have no protection from a global adversary using timing attacks, 
who had such massive access then there is NO anonymity for the ordinary 
Tor user, because there is ALWAYS a timing attack solution (from 
automated passive data analysis) which identifies the originating ip 
making exit node to open net request. Even the location of Tor hidden 
services  and their users is easy (and automatic).


So it matters not a jot that the US mil or gov uses the Tor service 
itself, even assuming that they are not using a modified Tor client to 
improve their anonymity and possibly aso identify their streams from the 
rest (only they will know how this can be done) .


Think  military, think intel community and never assume they are 
"playing the game". What would you do in their jobs?

On 08/14/2010 07:26 AM, Anon Mus wrote:
  

Jimmy Dioxin wrote:


Hey Folks,

Cryptome has posted the Tor Project 2008 Tax Return available at:
http://cryptome.org/0002/tor-2008.zip

As many know, all US non-profit corporation returns are available upon
request by the public.

Firstly, people need to look through these returns in the same way we
audit code. Looking at funding sources and expenditures is important to
insuring Tor is a useful anonymity tool for years to come.

  
  

Thanks for this.

It looks like 90% of the funding is from the US, nearly all US government.


Internews Europe - France  $183,180 (35.6%)
(http://www.sourcewatch.org/index.php?title=Internews)
Stichting Nlnet - Netherlands   $42,931
International Broadcasting   $260,000 (50.5%))
(http://en.wikipedia.org/wiki/International_Broadcasting_Bureau)
Google US $28,500 (5.5%)

Total   $514,611


Add to this the number of Tor nodes run from US institutions (many at US
gov funded edu's) and  you should be able to see who that "Global
Adversary" is!

  US - GOV 

So perhaps we should not expect Tor to protect us from the hand that
feeds it (and anyone else who has access to their data)




Secondly, can the Tor project release these returns on the site for the
above purpose? I don't think there needs to be some onerous accounting
process for reporting to the public (ya'll have better things to do
anyways), but these returns would be nice to have in the interest of
transparency.

Thanks,
Jimmy Dioxin

  
  

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/




  


***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/

Re: Tor Project 2008 Tax Return Now Online

[Anon Mus]

Andrew Lewman wrote:

On Sat, 14 Aug 2010 12:26:57 +0100
Anon Mus  wrote:

  

It looks like 90% of the funding is from the US, nearly all US
government.


Internews Europe - France  $183,180 (35.6%)
(http://www.sourcewatch.org/index.php?title=Internews)
Stichting Nlnet - Netherlands   $42,931
International Broadcasting   $260,000 (50.5%))
(http://en.wikipedia.org/wiki/International_Broadcasting_Bureau)
Google US $28,500 (5.5%)

Total   $514,611



Last I checked, France


Yes France is in France, but IBM France  (called that for taxation 
purposes - I am sure you know this) is still a US company.


Similarly, Internews Europe - France, is still 80% US funded, and a US - 
GOV run propaganda org, as I am sure you know. Deceit or what?? Is that 
not your signature and handwriting on the tax return (I assume the 
handwriting is not yours as its so shocking, looks more like a that of a 
5y.o.) ?



 and the Netherlands


I never said this was, so why accuse me of that? Did doing that make you 
case stronger?

 aren't under US Government
rule.  Internews Europe is different from Internews, and funded
completely differently.

  


***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/

Re: Tor Project 2008 Tax Return Now Online

[Anon Mus]

Roger Dingledine wrote:

On Sat, Aug 14, 2010 at 12:26:57PM +0100, Anon Mus wrote:
  

It looks like 90% of the funding is from the US, nearly all US government.



If you know any funders outside the US who care about privacy, anonymity,
or circumvention, we're all ears. :)

  
I am certain there are funders outside the US but  whilst Tor remains a 
tool the US I would guess they'd be reticent to contribute and who could 
blame them.


Add to this the number of Tor nodes run from US institutions (many at US  
gov funded edu's) and  you should be able to see who that "Global  
Adversary" is!


  US - GOV 



Conspiracy theories aside, this is an important open research question
that still needs more research attention: if you can watch a given amount
of Internet backbone traffic, how much of the Tor network can you surveil?

Here are three papers to get you started if you want to learn more about
this issue:
http://freehaven.net/anonbib/#feamster:wpes2004
http://freehaven.net/anonbib/#DBLP:conf/ccs/EdmanS09
http://freehaven.net/anonbib/#murdoch-pet2007

Designs like Tor have always accepted that they will be vulnerable to
a global passive adversary:
https://svn.torproject.org/svn/projects/design-paper/tor-design.html#subsec:threat-model

  
I think you'll find that Tor only became officially incapable of 
protecting from such an adversary around 2004/5 when numerous request to 
add this protection to Tor was made. Since then  its been the official 
policy not to protect from such a threat (so as to head off any 
complaints it does not do the job perhaps ??).


It a good idea that you speak for Tor only, not other system here, where 
there are/have been genuine attempts to provide full anonymity, no get 
out clause.



>The key point to realize here is that you shouldn't so much think about
the locations of the Tor relays, but instead think about which networks
the communication between Tor users and the Tor network traverses,
and which networks the communication between the Tor network and the
destination services (e.g. websites) traverses. The Internet itself has
bottlenecks that make our task hard even if we could engineer a good
diversity of relay locations.

  


Conspiracy theorist slander aside, FACT:  in the mid-1990's IBM had 80% 
of the Global Internet Traffic flowiing through their servers, paid for 
by US military contracts, all routed through the US, so the US -GOV 
could spy on the global internet traffic.




>We can certainly imagine that some pieces of the US government have the
capability to tap large pieces of the Internet:
https://www.eff.org/nsa/faq

But what saves us here is that the US government, like all governments,
is not one person. It's a lot of different groups, all with different
goals and different capabilities.


That saves you??

Are you saying its not co-ordinated?  Did you once work for US - Gov - 
Mil  research?



>So a) that means some parts of the
government actually want to support freedom of speech and/or need for
themselves the security properties that Tor provides, and b) there's a
huge amount of bureaucracy to slow down coordination between different
pieces of the government -- so even if somebody at NSA can beat Tor,
that doesn't mean somebody at FBI can call him up and ask for answers.

--Roger

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/

  

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/