How can I trust all my Tor nodes in path

2006-12-01 Thread Martin Toron
Hi.

I have read in the Tor documentation that the number of Tor routers in a path 
is hard-coded at 3.  And I understand that the path changes every 10 minutes 
(except for active connections).

As a client not running a server, how am I sure that at least one of the nodes 
in the path can be trusted?

A little math:  assume there are 200 Tor routers, some of which have been 
compromised and owned by the same attacker.  If the number compromised is 
small, I can be somewhat confident that at least one router is trusted.  
However, suppose the attacker massed a "global attack" on the Tor network:  all 
at once the attacker introduces 10,000 new routers into the network, all of 
which he has control of.  Now, when I choose 3 routers for my path, I only have 
a few that may be trusted, which are in the original 200.

Has this problem been addressed elsewhere?

Thank you in advance.

 

Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Robert Hogan
On Friday 01 December 2006 17:35, Martin Toron wrote:
> Hi.
>
> I have read in the Tor documentation that the number of Tor routers in a
> path is hard-coded at 3.  And I understand that the path changes every 10
> minutes (except for active connections).
>
> As a client not running a server, how am I sure that at least one of the
> nodes in the path can be trusted?
>
> A little math:  assume there are 200 Tor routers, some of which have been
> compromised and owned by the same attacker.  If the number compromised is
> small, I can be somewhat confident that at least one router is trusted. 
> However, suppose the attacker massed a "global attack" on the Tor network: 
> all at once the attacker introduces 10,000 new routers into the network,
> all of which he has control of.  Now, when I choose 3 routers for my path,
> I only have a few that may be trusted, which are in the original 200.
>
> Has this problem been addressed elsewhere?
>
> Thank you in advance.
>
>

Take a look again at the FAQ. The anonymity of Tor isn't predicated on trust. 
All routers on the circuit could be malicious and still fail to find out who 
you are. The only one that has a real chance is the last one on the circuit, 
the exit node - and even this one will rely on its ability to look at the 
content of your traffic.

That said, if someone owns all three nodes (or even the entry and exit) they 
could mount a timing attack and figure out who you are - at a stretch. But 
this really would require the entire network to be owned - and that itself 
would create a lot of noise to sift through.

See http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RemainingAttacks

The real danger with Tor is using sensitive information over http rather than 
https and mixing anonymous and non-anonymous traffic over the same circuit. 
Those two are the most common and most easy mistakes to make.

HTH,

-- 

KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK   - A Tor Controller For KDE  - http://tork.sf.net
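The "little math" from the question, carried through as an added example (not part of the thread). It assumes each hop is picked uniformly at random without replacement, which is an assumption of this example rather than a description of Tor's path selection, and it treats all 200 original routers as honest; the function names are hypothetical.

```python
from fractions import Fraction


def path_compromise(honest, malicious, hops=3):
    """Exact odds for one path drawn uniformly, without replacement.

    Assumption of this example: every router is equally likely to be picked.
    """
    total = honest + malicious
    if hops < 2 or total < hops:
        raise ValueError("need hops >= 2 and at least `hops` routers")

    def k_positions_malicious(k):
        # P(k given positions of the path are all attacker-run). By symmetry
        # it does not matter which k positions (e.g. entry and exit) are meant.
        p = Fraction(1)
        for i in range(k):
            p *= Fraction(max(malicious - i, 0), total - i)
        return p

    all_hops = k_positions_malicious(hops)
    return {
        "all_hops_malicious": all_hops,
        "entry_and_exit_malicious": k_positions_malicious(2),
        "at_least_one_honest": 1 - all_hops,
    }


def sweep(honest, malicious_counts, hops=3):
    """Rows of (malicious, P(entry and exit malicious), P(>=1 honest hop))."""
    rows = []
    for m in malicious_counts:
        r = path_compromise(honest, m, hops)
        rows.append((m,
                     float(r["entry_and_exit_malicious"]),
                     float(r["at_least_one_honest"])))
    return rows


if __name__ == "__main__":
    # 200 honest routers as in the question; the injected counts other than
    # 10,000 are constructed for comparison.
    for m, p_ends, p_honest in sweep(200, [10, 50, 200, 1000, 10000]):
        print(f"{m:>6} malicious: entry+exit {p_ends:.4f}, "
              f">=1 honest hop {p_honest:.4f}")
```

Having one honest hop and having an honest entry or exit are different events: the entry-and-exit figure is the one that matters for the correlation case raised in the reply above.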


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Tim Warren

On 12/1/06, Robert Hogan <[EMAIL PROTECTED]> wrote:

> The real danger with Tor is using sensitive information over http rather
> than
> https and mixing anonymous and non-anonymous traffic over the same
> circuit.
> Those two are the most common and most easy mistakes to make.



Maybe you could answer a question for me. Should I NOT log in to a site,
such as a bank, when using Tor? Or do I need to make sure it is https:?

Appreciate any clarification.

Thanks,


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Robert Hogan
On Friday 01 December 2006 20:55, Tim Warren wrote:
> On 12/1/06, Robert Hogan <[EMAIL PROTECTED]> wrote:
> > The real danger with Tor is using sensitive information over http rather
> > than
> > https and mixing anonymous and non-anonymous traffic over the same
> > circuit.
> > Those two are the most common and most easy mistakes to make.
>
> Maybe you could answer a question for me. Should I NOT login in to a site,
> such as a bank, when using Tor? Or do I need to make sure it is https:?
>
> Appreciate any clarification.
>
> Thanks,

If you use https (and your browser hasn't complained about the ssl 
certificate) you're fine.  The exit node can see everything (if they want) 
over http. 

Everything after the exit node is just as good or bad as if you weren't using 
tor. Tor just adds an extra guy to the chain of *reputable* carriers who 
*could* monitor your traffic - and it is best practice to assume that at 
least the tor exit node is doing exactly that. see http://tor.unixgu.ru


-- 

KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK   - A Tor Controller For KDE  - http://tork.sf.net


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Tim Warren

Thank you, just trying to make sure I understand. I will also follow that
link.


On 12/1/06, Robert Hogan <[EMAIL PROTECTED]> wrote:

> On Friday 01 December 2006 20:55, Tim Warren wrote:
> > On 12/1/06, Robert Hogan <[EMAIL PROTECTED]> wrote:
> > > The real danger with Tor is using sensitive information over http rather
> > > than
> > > https and mixing anonymous and non-anonymous traffic over the same
> > > circuit.
> > > Those two are the most common and most easy mistakes to make.
> >
> > Maybe you could answer a question for me. Should I NOT login in to a site,
> > such as a bank, when using Tor? Or do I need to make sure it is https:?
> >
> > Appreciate any clarification.
> >
> > Thanks,
>
> If you use https (and your browser hasn't complained about the ssl
> certificate) you're fine.  The exit node can see everything (if they want)
> over http.
>
> Everything after the exit node is just as good or bad as if you weren't using
> tor. Tor just adds an extra guy to the chain of *reputable* carriers who
> *could* monitor your traffic - and it is best practice to assume that at
> least the tor exit node is doing exactly that. see http://tor.unixgu.ru
>
> --
>
> KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
> TorK   - A Tor Controller For KDE  - http://tork.sf.net





--
Tim Warren
SD CA USA


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Seth David Schoen
Robert Hogan writes:

> Take a look again at the FAQ. The anonymity of Tor isn't predicated on trust. 
> All routers on the circuit could be malicious and still fail to find out who 
> you are. The only one that has a real chance is the last one on the circuit, 
> the exit node - and even this one will rely on it's ability to look at the 
> content of your traffic.
> 
> That said, if someone owns all three nodes (or even the entry and exit) they 
> could mount a timing attack and figure out who you are - at a stretch. But 
> this really would require the entire network to be owned - and that itself 
> would create a lot of noise to sift through.

Hmmm, if someone owns (not just eavesdrops on) all three nodes, they can
connect the sessions in a more reliable way than just a timing attack.
One approach would be to record TCP port pairs, which temporarily identify
a connection on one end with a connection on the other end.  For example,
my local machine knows that I'm currently using TCP port 43514 to make a
connection to the SSH service on the server; the server also knows that
the client connecting to it is using TCP port 43514.  Thus, both ends know
that client:43514 <> server:22 (at this particular moment) refers to
the same TCP session.

Tor nodes could log this information, and, if they did, it would not be
a speculative matter to link circuits across servers.  You would have
the existence of the TCP connections

client:a <---> tornode1:9001
tornode1:b <---> tornode2:9001
tornode2:c <---> tornode3:9001
tornode3:d <---> host:e

where a, b, c, and d are randomly chosen TCP ports and e is the TCP
port used by host for contacting a service (such as 443 for HTTPS).
If all of the Tor nodes were paying attention, then

tornode1 knows that its connections involving client:a and tornode1:b are
part of the same circuit

tornode2 knows that its connections involving tornode1:b and tornode2:c are
part of the same circuit

tornode3 knows that its connections involving tornode2:c and host:e are
part of the same circuit

Knowing all of these facts, these nodes could deduce that client:a and
host:e are actually communicating with one another.  This is not a
"timing attack" and does not rely on observing any packets actually
transmitted across the fully-established circuit.

Malicious nodes that log this kind of information could also collaborate
after the fact to correlate it, without recording large quantities of
timing information.  They just need TCP port pairs and accurate times
when TCP connections were established.

Summary: 3 malicious nodes, whether owned by the same entity or not, can
work together to identify, in a straightforward and reliable way, the
endpoints of a Tor circuit while the circuit is active or afterward,
without having to do any timing attacks.

To learn more about the relevance of TCP port numbers as connection
identifiers, see RFC 793 or try running netstat (or netstat -p, if
your implementation supports it) on the machines on both sides of a
connection.  Observe that, with the output of netstat -p on both
ends, one can see which processes on one machine are talking to which
processes on the other machine.

-- 
Seth Schoen
Staff Technologist                [EMAIL PROTECTED]
Electronic Frontier Foundation    http://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     1 415 436 9333 x107


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Seth David Schoen
P.S. Even if it weren't possible to use TCP ports to link connections,
malicious nodes controlled by the same party could modify the Tor
protocol to add tracking features, and then all implement the same
tracking features.  For example, malicious nodes (which could all
know about each other by means of a malicious nodes table) could
implement a revised Tor protocol which adds a connection origin packet
(showing the originating IP address) during Tor connection setup.
Since the nodes are malicious, they will speak the same modified
protocol amongst themselves but not reveal this fact to the end user.

Some people have suggested that this is a good application for
trusted computing; proxies could prove that they're running the
real, official proxy software on top of real hardware.  Then timing
attacks are still possible, but actually logging data directly could
be prevented.  The problem with this seems to be that intentionally
doing timing attacks directly against a proxy you operate, from within
the same network, is probably pretty effective!  This approach might
be more relevant to lower-latency anonymity services such as e-mail
remailers.

-- 
Seth Schoen
Staff Technologist                [EMAIL PROTECTED]
Electronic Frontier Foundation    http://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     1 415 436 9333 x107


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Mike Perry
Thus spake Robert Hogan ([EMAIL PROTECTED]):

> On Friday 01 December 2006 20:55, Tim Warren wrote:
> > On 12/1/06, Robert Hogan <[EMAIL PROTECTED]> wrote:
> > > The real danger with Tor is using sensitive information over http rather
> > > than
> > > https and mixing anonymous and non-anonymous traffic over the same
> > > circuit.
> > > Those two are the most common and most easy mistakes to make.
> >
> > Maybe you could answer a question for me. Should I NOT login in to a site,
> > such as a bank, when using Tor? Or do I need to make sure it is https:?
> >
> > Appreciate any clarification.
> >
> > Thanks,
> 
> If you use https (and your browser hasn't complained about the ssl 
> certificate) you're fine.  The exit node can see everything (if they want) 
> over http. 
> 
> Everything after the exit node is just as good or bad as if you weren't using 
> tor. Tor just adds an extra guy to the chain of *reputable* carriers who 
> *could* monitor your traffic - and it is best practice to assume that at 
> least the tor exit node is doing exactly that. see http://tor.unixgu.ru

It is also wise not to log in to any form over plain http, even if the
form posts to an https url. This is true not just over Tor, but pretty
much anywhere an attacker can manage to position themselves to rewrite
your traffic, which is pretty much anywhere.

Many, many, many banking sites completely disregard this attack vector
in favor of ease of use. Even if the target action of a form is https,
if you have retrieved the form via plain http, that post can be
rewritten to go anywhere. An http redirect later and you're logged in
to your banking site, no harm no foul. Except to your account balance,
of course :)

If your bank is braindamaged in this way, usually giving it a bullshit
login until you can verify you are actually connected via https to it
is probably the easiest way to deal with this.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Mike Perry
Thus spake Martin Toron ([EMAIL PROTECTED]):

> Hi.
> 
> I have read in the Tor documentation that the number of Tor routers
> in a path is hard-coded at 3.  And I understand that the path
> changes every 10 minutes (except for active connections).
> 
> As a client not running a server, how am I sure that at least one of
> the nodes in the path can be trusted?
> 
> A little math:  assume there are 200 Tor routers, some of which have
> been compromised and owned by the same attacker.  If the number
> compromised is small, I can be somewhat confident that at least one
> router is trusted.  However, suppose the attacker massed a "global
> attack" on the Tor network:  all at once the attacker introduces
> 10,000 new routers into the network, all of which he has control of.
> Now, when I choose 3 routers for my path, I only have a few that may
> be trusted, which are in the original 200.
> 
> Has this problem been addressed elsewhere?

So I'm guessing you're thinking something like someone heading over to
Amazon's Elastic Computing Cloud and setting up 10,000 tor servers?

I believe tor servers have to be manually approved by tor-ops before
they begin to be used for normal traffic. This used to be the case at
least. Perhaps it has been abandoned due to scaling issues?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Nick Mathewson
Hi, Seth!

On Fri, Dec 01, 2006 at 01:15:39PM -0800, Seth David Schoen wrote:
 [...]
> Hmmm, if someone owns (not just eavesdrops on) all three nodes, they can
> connect the sessions in a more reliable way than just a timing attack.
> One approach would be to record TCP port pairs, which temporarily identify
> a connection on one end with a connection on the other end.  For example,
> my local machine knows that I'm currently using TCP port 43514 to make a
> connection to the SSH service on the server; the server also knows that
> the client connecting to it is using TCP port 43514.  Thus, both ends know
> that client:43514 <> server:22 (at this particular moment) refers to
> the same TCP session.

Actually, Tor tunnels multiple circuits over each TLS connection, so
remembering ports won't do the job.  An attacker who can compromise an
entire circuit's worth of servers will also need to remember the
circuit IDs for each circuit.  Still, it wouldn't be hard for an
attacker to modify Tor to log this.


yrs,
-- 
Nick Mathewson




Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Robert Hogan
On Friday 01 December 2006 21:23, Seth David Schoen wrote:
>
> Some people have suggested that this is a good application for
> trusted computing; proxies could prove that they're running the
> real, official proxy software on top of real hardware.  Then timing
> attacks are still possible, but actually logging data directly could
> be prevented.  The problem with this seems to be that intentionally
> doing timing attacks directly against a proxy you operate, from within
> the same network, is probably pretty effective!  

You've lost me here - could you explain further? How would it prevent logging 
data?

> This approach might 
> be more relevant to lower-latency anonymity services such as e-mail
> remailers.

-- 

KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK   - A Tor Controller For KDE  - http://tork.sf.net


Re: How can I trust all my Tor nodes in path

2006-12-01 Thread Seth David Schoen
Nick Mathewson writes:

> Hi, Seth!
> 
> On Fri, Dec 01, 2006 at 01:15:39PM -0800, Seth David Schoen wrote:
>  [...]
> > Hmmm, if someone owns (not just eavesdrops on) all three nodes, they can
> > connect the sessions in a more reliable way than just a timing attack.
> > One approach would be to record TCP port pairs, which temporarily identify
> > a connection on one end with a connection on the other end.  For example,
> > my local machine knows that I'm currently using TCP port 43514 to make a
> > connection to the SSH service on the server; the server also knows that
> > the client connecting to it is using TCP port 43514.  Thus, both ends know
> > that client:43514 <> server:22 (at this particular moment) refers to
> > the same TCP session.
> 
> Actually, Tor tunnels multiple circuits over each TLS connection, so
> remembering ports won't do the job.  An attacker who can compromise an
> entire circuit's worth of servers will also need to remember the
> circuit IDs for each circuit.  Still, it wouldn't be hard for an
> attacker to modify Tor to log this.

Whoops, thanks for the clarification!  That makes more sense.

-- 
Seth Schoen
Staff Technologist                [EMAIL PROTECTED]
Electronic Frontier Foundation    http://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     1 415 436 9333 x107


Re: How can I trust all my Tor nodes in path

2006-12-02 Thread Total Privacy
"Tim Warren" <[EMAIL PROTECTED]> said:
> Maybe you could answer a question for me. Should I NOT login in to 
> a site, such as a bank, when using Tor? Or do I need to make sure 
> it is https:?
> 
> Appreciate any clarification.
> 
> Thanks,

I'll put it this way, if you are registered as your real identity
on your bank (and not going to hack somebody else's account), then
just log in by https directly from your machine/ISP. No need for
hiding by using Tor.

Then about malicious nodes. Since Tor is open source, it
has got to be decompilable, reverse engineering it to whatever anybody
wants with it, such as for example tapping out data in between itself or
logging what in is what out to the middle node and so on. If not, why not?

A solution could be to set up a private "Tor police force" and let
everyone that wants to be accepted as a part of the system sign
a legal deal to let this international Tor police force (how
about the name TPF or ITPF or TIPF) at any moment without warning
run in to every Tor computer node/router room and get full access
to everything in it. Of course the members of such "police force"
should be hand picked by comprehensive tests (lie detectors and
lots of advanced stuff) to be legitimated. Every approved Tor node
runner should then be very happy to be granted with such a visit of
the Tor International Police Force, because if they do not find a
compromised, modified, malicious Tor software, you're clean!

BTW, now I've also received a maybe phishing from "Hokata Japan Ltd"
about some business and money transactions. Funny or not, the IP
was from Italy!

At last, I'm considering switching from Windows to Unix (Linux)
and hope it is user friendly with Tor. Anybody know about it?

-- 
http://www.fastmail.fm - Does exactly what it says on the tin



Re: How can I trust all my Tor nodes in path

2006-12-02 Thread Ringo Kamens

Linux is very tor friendly. If you are a linux noob I suggest ubuntu. I
oppose the idea of a tor police force for several reasons:
1. Lie detectors don't work
2. It is no better than the oppressive governments tor tries to circumvent
3. It would take too much work.

I do appreciate the effort to find a solution. Perhaps there is a way for
tor clients to calculate a checksum of the server files?
Ringo Kamens


On 12/2/06, Total Privacy <[EMAIL PROTECTED]> wrote:

> "Tim Warren" <[EMAIL PROTECTED]> said:
> > Maybe you could answer a question for me. Should I NOT login in to
> > a site, such as a bank, when using Tor? Or do I need to make sure
> > it is https:?
> >
> > Appreciate any clarification.
> >
> > Thanks,
>
> I´ll put it this way, if you are registered as your real identity
> on your bank (and not going to hack somebody else´s account), then
> just log in by https directly from your machine/ISP. No need for
> hiding by using Tor.
>
> Then about malicious nodes. Since the Tor is be open source, it
> gotta be decompilable reversing ingengeering to whatever anybody
> want with it, such as example tap out data in between itself or
> log what in is what out to middle node and so on. If not, why not?
>
> A soution could be to set up a private "Tor police force" and let
> everyone that want to be accepted as a part of the system, sign
> a legally deal to let this international Tor police force (how
> about the name TPF or ITPF or TIPF) at any moment without warning
> run in to every Tor computer node/router room and get full access
> to everything in it. Of course the members of such "police force"
> should be hand picked by comprehensive test (lying detectors and
> lot of advanced stuff) to be legitimated. Every aproved Tor node
> runner should then be very happy to be granted vit such visit of
> the Tor International Police Force, because if they not find a
> compromised, modified, malicious Tor software, You´r clean!
>
> BTW, now I´ve also received a maybe fishing from "Hokata Japan Ltd"
> about some business and money transactions. Funny or not, the IP
> was from Italy!
>
> At last, I´m considerating to switch from Windows to Unix (Linux)
> and hope it is user friendly with Tor. Anybody knows about it?
>
> --
> http://www.fastmail.fm - Does exactly what it says on the tin




Re: How can I trust all my Tor nodes in path

2006-12-02 Thread Watson Ladd
Ringo Kamens wrote:
> Linux is very tor friendly. If you are a linux noob I suggest ubuntu. I
> oppose the idea of a tor police force for several reasons:
> 1. Lie detectors don´t work
> 2. It is no better than the opressive governments tor tries to circumvent
> 3. It would take too much work.
>  
> I do appreciate the effort to find a solution. Perhaps there is a way
> that tor clients to calculate a checksum of the server files?
> Ringo Kamens
Nope. At the very best case a VM could run tor halting on every
instruction, and logging the relevant parts of memory. Tor would be
unable to tell. That's why someone came up with Trusted Computing. But
that has enough evil uses to make its implementation a bad idea.
> 
>  
> On 12/2/06, Total Privacy <[EMAIL PROTECTED]> wrote:
> 
> "Tim Warren" <[EMAIL PROTECTED]> said:
> > Maybe you could answer a question for me. Should I NOT login in to
> > a site, such as a bank, when using Tor? Or do I need to make sure
> > it is https:?
> >
> > Appreciate any clarification.
> >
> > Thanks,
> 
> I´ll put it this way, if you are registered as your real identity
> on your bank (and not going to hack somebody else´s account), then
> just log in by https directly from your machine/ISP. No need for
> hiding by using Tor.
> 
> Then about malicious nodes. Since the Tor is be open source, it
> gotta be decompilable reversing ingengeering to whatever anybody
> want with it, such as example tap out data in between itself or
> log what in is what out to middle node and so on. If not, why not?
> 
> A soution could be to set up a private "Tor police force" and let
> everyone that want to be accepted as a part of the system, sign
> a legally deal to let this international Tor police force (how
> about the name TPF or ITPF or TIPF) at any moment without warning
> run in to every Tor computer node/router room and get full access
> to everything in it. Of course the members of such "police force"
> should be hand picked by comprehensive test (lying detectors and
> lot of advanced stuff) to be legitimated. Every aproved Tor node
> runner should then be very happy to be granted vit such visit of
> the Tor International Police Force, because if they not find a
> compromised, modified, malicious Tor software, You´r clean!
> 
> BTW, now I´ve also received a maybe fishing from "Hokata Japan Ltd"
> about some business and money transactions. Funny or not, the IP
> was from Italy!
> 
> At last, I´m considerating to switch from Windows to Unix (Linux)
> and hope it is user friendly with Tor. Anybody knows about it?
> 
> --
> http://www.fastmail.fm - Does exactly what it says on the tin
> 
> 


-- 
They who would give up essential Liberty to purchase a little temporary
Safety, deserve neither Liberty or Safety
--Benjamin Franklin





Re: How can I trust all my Tor nodes in path

2006-12-02 Thread Jeff
Here's a thought... I was contemplating the ramifications of, say an
exit node designed purely to log traffic directed through it. Assume
the most malicious intent here too. Listening to every frame that
comes out, you're bound to find something that leaks information. Has
anyone considered a concept of listening on the client end and
scrubbing anything that could identify (at least, electronically)
you. Maybe there's a privoxy configuration or even something like a
snort rule.

Has anyone given thought to some Tor-based snort rules? We could make
at least outbound trivial into leaks (exact text of IP address,
hostname, etc.) and detection of generic Tor traffic.


On 1-Dec-06, at 4:14 PM, Tim Warren wrote:

> Thank you, just trying to make sure I understand. I will also
> follow that link.
>
> On 12/1/06, Robert Hogan <[EMAIL PROTECTED]> wrote:
> > On Friday 01 December 2006 20:55, Tim Warren wrote:
> > > On 12/1/06, Robert Hogan <[EMAIL PROTECTED]> wrote:
> > > > The real danger with Tor is using sensitive information over http rather
> > > > than
> > > > https and mixing anonymous and non-anonymous traffic over the same
> > > > circuit.
> > > > Those two are the most common and most easy mistakes to make.
> > >
> > > Maybe you could answer a question for me. Should I NOT login in to a site,
> > > such as a bank, when using Tor? Or do I need to make sure it is https:?
> > >
> > > Appreciate any clarification.
> > >
> > > Thanks,
> >
> > If you use https (and your browser hasn't complained about the ssl
> > certificate) you're fine.  The exit node can see everything (if they want)
> > over http.
> >
> > Everything after the exit node is just as good or bad as if you weren't using
> > tor. Tor just adds an extra guy to the chain of *reputable* carriers who
> > *could* monitor your traffic - and it is best practice to assume that at
> > least the tor exit node is doing exactly that. see http://tor.unixgu.ru
> >
> > --
> >
> > KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
> > TorK   - A Tor Controller For KDE  - http://tork.sf.net
>
> --
> Tim Warren
> SD CA USA
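One way to do the client-side check suggested in the message above, as an added example that is not part of the thread: it scans an outbound plaintext request for the exact text of identifiers the user wants kept private and overwrites them with same-length filler. The function names, the identifier values and the sample request are constructed for this example.

```python
import re


def compile_identifier_patterns(identifiers):
    """Map label -> compiled pattern for each identifying string.

    The alphanumeric guards stop 192.168.1.23 from matching inside
    192.168.1.230, while still catching a hostname inside its FQDN.
    """
    patterns = {}
    for label, value in identifiers.items():
        escaped = re.escape(value.encode("ascii"))
        patterns[label] = re.compile(
            rb"(?<![A-Za-z0-9])" + escaped + rb"(?![A-Za-z0-9])",
            re.IGNORECASE)
    return patterns


def find_leaks(payload, patterns):
    """Return [(label, offset, matched_text)] sorted by offset."""
    hits = []
    for label, pattern in patterns.items():
        for m in pattern.finditer(payload):
            hits.append((label, m.start(), m.group().decode("ascii")))
    return sorted(hits, key=lambda h: h[1])


def scrub(payload, patterns):
    """Overwrite every match with filler of the same length.

    Keeping the length unchanged means a Content-Length header stays valid.
    """
    for pattern in patterns.values():
        payload = pattern.sub(lambda m: b"x" * len(m.group()), payload)
    return payload


# Constructed identifiers and request. Only plaintext can be inspected this
# way, so for https the check has to run before the data is encrypted.
IDENTIFIERS = {"local_ip": "192.168.1.23", "hostname": "alice-laptop"}
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"X-Forwarded-For: 192.168.1.23\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"client=ALICE-LAPTOP&peer=192.168.1.230"
)

if __name__ == "__main__":
    pats = compile_identifier_patterns(IDENTIFIERS)
    for label, offset, text in find_leaks(SAMPLE_REQUEST, pats):
        print(f"leak {label!r} at byte {offset}: {text}")
    print(scrub(SAMPLE_REQUEST, pats).decode("ascii"))
```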




Re: How can I trust all my Tor nodes in path

2006-12-02 Thread Jeff

On 1-Dec-06, at 5:29 PM, Robert Hogan wrote:

> On Friday 01 December 2006 21:23, Seth David Schoen wrote:
> > Some people have suggested that this is a good application for
> > trusted computing; proxies could prove that they're running the
> > real, official proxy software on top of real hardware.  Then timing
> > attacks are still possible, but actually logging data directly could
> > be prevented.  The problem with this seems to be that intentionally
> > doing timing attacks directly against a proxy you operate, from within
> > the same network, is probably pretty effective!
>
> You've lost me here - could you explain further? How would it prevent logging
> data?

It's exactly right though! This has got to be the only good use of
Trusted Computing I've ever seen!

Basically you know, and I know, precisely what's running on the
machine. Say we share the secret keys of the tor nodes, they'd be
guaranteed to be running a known, non-logging version of Tor!

> > This approach might
> > be more relevant to lower-latency anonymity services such as e-mail
> > remailers.
>
> --
>
> KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
> TorK   - A Tor Controller For KDE  - http://tork.sf.net