Re: [tor-talk] New SSLv3 attack: Turn off SSLv3 in your TorBrowser
On Tue, Oct 14, 2014 at 10:15:26PM -0400, Nick Mathewson wrote:
> Hi!
>
> It's a new month, so that means there's a new attack on TLS.
>
> This time, the attack is that many clients, when they find a server that doesn't support TLS, will downgrade to the ancient SSLv3. And SSLv3 is subject to a new padding oracle attack.
>
> There is a readable summary of the issue at https://www.imperialviolet.org/2014/10/14/poodle.html .
>
> Tor itself is not affected: all released versions for a long time have shipped with TLSv1 enabled, and we have never had a fallback mechanism to SSLv3. Furthermore, Tor does not send the same secret encrypted in the same way in multiple connection attempts, so even if you could make Tor fall back to SSLv3, a padding oracle attack probably wouldn't help very much.
>
> TorBrowser, on the other hand, does have the same default fallback mechanisms as Firefox. I expect and hope the TorBrowser team will be releasing a new version soon with SSLv3 enabled.
>
> But in the meantime, I think you can disable SSLv3 yourself by changing the value of the security.tls.version.min preference to 1.
>
> Obviously, this isn't a convenient way to do this; if you are uncertain of your ability to do so, waiting for an upgrade might be a good move.
>
> In the meantime, if you have serious security requirements and you cannot disable SSLv3, it might be a good idea to avoid using the Internet for a week or two while this all shakes out.

Thanks Nick. Interestingly, but mostly uselessly for us, Mozilla published an extension[0] that does this. Unfortunately they say it only works on >= FF26 (without tweaking it) and Tor Browser 3.6 is based on FF24. For what it's worth, the extension[0] should work with the new Tor Browser 4.0, but this is untested.

If you do make this config change, when you visit a site that only supports SSLv3 or downgrades to it, you should receive a message that says:

  Cannot communicate securely with peer: no common encryption algorithm(s).
  (Error code: ssl_error_no_cypher_overlap)

For those wondering, this works exactly the same on Tails (1.1.2), too. (and yes, they spelled it cypher).

I'm also curious what Mike, Georg, and the other TB Devs think. It looks like we need to wait until November when SSL will be disabled in mainline Firefox[1].

[0] https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
[1] https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

best wishes to other residents of interesting times,

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New SSLv3 attack: Turn off SSLv3 in your TorBrowser
We are all just humans !!!

Lluís
Spain

On 10/15/2014 04:23 AM, Nick Mathewson wrote:
> On Tue, Oct 14, 2014 at 10:15 PM, Nick Mathewson ni...@torproject.org wrote:
> > I expect and hope the TorBrowser team will be releasing a new version soon with SSLv3 enabled.
>
> Whoops. That should have said disabled.
[tor-talk] howsmyssl
On Wed, 15 Oct 2014 02:53:03 + tor-talk-requ...@lists.torproject.org wrote:
> Hi!
>
> It's a new month, so that means there's a new attack on TLS.
>
> This time, the attack is that many clients, when they find a server that doesn't support TLS, will downgrade to the ancient SSLv3. And SSLv3 is subject to a new padding oracle attack.
>
> There is a readable summary of the issue at https://www.imperialviolet.org/2014/10/14/poodle.html .
>
> Tor itself is not affected: all released versions for a long time have shipped with TLSv1 enabled, and we have never had a fallback mechanism to SSLv3. Furthermore, Tor does not send the same secret encrypted in the same way in multiple connection attempts, so even if you could make Tor fall back to SSLv3, a padding oracle attack probably wouldn't help very much.
>
> TorBrowser, on the other hand, does have the same default fallback mechanisms as Firefox. I expect and hope the TorBrowser team will be releasing a new version soon with SSLv3 enabled.
>
> But in the meantime, I think you can disable SSLv3 yourself by changing the value of the security.tls.version.min preference to 1.
>
> To do that:
>
> 1. enter about:config in the URL bar.
> 2. Then you click I'll be careful, I promise.
> 3. Then enter security.tls.version.min in the preference search field underneath the URL bar. (Not the search box next to the URL bar.)
> 4. You should see an entry that says security.tls.version.min under Preference Name. Double-click on it, then enter the value 1 and click okay. You should now see that the value of security.tls.version.min is set to one.
>
> (Note that I am not a Firefox developer or a TorBrowser developer: if you're cautious, you might want to wait until one of them says something here before you try this workaround.)
>
> Obviously, this isn't a convenient way to do this; if you are uncertain of your ability to do so, waiting for an upgrade might be a good move.
>
> In the meantime, if you have serious security requirements and you cannot disable SSLv3, it might be a good idea to avoid using the Internet for a week or two while this all shakes out.
>
> best wishes to other residents of interesting times,
> -- Nick

While on the topic, these links discuss this issue and provide a test for the TLS suite:

https://blog.dbrgn.ch/2014/1/8/improving_firefox_ssl_tls_security/
https://www.howsmyssl.com/

The link states that: Another issue is the support for the SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA cipher, which may or may not be a good idea to use: https://github.com/jmhodges/howsmyssl/pull/17. Firefox 26 supports cipher suites that are known to be insecure. This setting can also be disabled in the Firefox configuration. In the about:config screen, search for security.ssl3.rsa_fips_des_ede3_sha and disable it.

Should this also occur in TBB?
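The two about:config changes discussed in this message can be checked from the profile files instead of by eye. The following is an added example, not part of the original post or of any Tor Browser code: it parses prefs.js/user.js text and reports whether SSLv3 fallback or the 3DES FIPS suite is still allowed. The default values and the sample profile contents are assumptions constructed for the illustration.

```python
# Added example (not from the thread): audit a Firefox / Tor Browser profile
# for the two about:config preferences discussed above.
import re

# Meaning of security.tls.version.min values in Firefox.
TLS_MIN_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# ASSUMPTION: defaults of an unpatched 2014-era build. prefs.js only records
# values the user changed, so a missing entry means "still at the default".
ASSUMED_DEFAULTS = {
    "security.tls.version.min": 0,
    "security.ssl3.rsa_fips_des_ede3_sha": True,
}

# One preference per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, commented-out prefs
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def effective_prefs(prefs_js, user_js=""):
    """Merge defaults, prefs.js and user.js; user.js wins because Firefox
    re-applies it on every start."""
    merged = dict(ASSUMED_DEFAULTS)
    merged.update(parse_prefs(prefs_js))
    merged.update(parse_prefs(user_js))
    return merged


def audit(prefs_js, user_js=""):
    """Return a list of (preference, problem) tuples; an empty list means
    both settings from the thread are in place."""
    prefs = effective_prefs(prefs_js, user_js)
    findings = []

    tls_min = prefs["security.tls.version.min"]
    if isinstance(tls_min, bool) or not isinstance(tls_min, int):
        findings.append(("security.tls.version.min",
                         "not an integer: %r" % (tls_min,)))
    elif tls_min < 1:
        findings.append(("security.tls.version.min",
                         "minimum is %s, so SSLv3 fallback is still possible"
                         % TLS_MIN_NAMES.get(tls_min, tls_min)))

    if prefs["security.ssl3.rsa_fips_des_ede3_sha"] is not False:
        findings.append(("security.ssl3.rsa_fips_des_ede3_sha",
                         "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is still enabled"))
    return findings


# Constructed sample profiles (not taken from a real installation).
UNCHANGED_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
// user_pref("security.tls.version.min", 1);
'''
HARDENED_PREFS = '''user_pref("security.tls.version.min", 1);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
'''
# A leftover user.js that silently undoes the about:config change at restart.
STALE_USER_JS = 'user_pref("security.tls.version.min", 0);\n'

if __name__ == "__main__":
    for label, args in [("unchanged", (UNCHANGED_PREFS,)),
                        ("hardened", (HARDENED_PREFS,)),
                        ("hardened + stale user.js", (HARDENED_PREFS, STALE_USER_JS))]:
        print(label, "->", audit(*args) or "OK")
```

The third case is the one worth checking after applying the workaround: a user.js in the same profile overrides whatever was set through about:config.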
Re: [tor-talk] List Administrivia
please give ed snow den my e mail thanks i just got punkd 'Kenneth, what is the frequency circa 1986

Greg, I applaud your thoroughness in your search, in that you know he uses Tor, so you figure you might as well check here, but everyone here has said they can't help you. Several have offered up alternative venues (like contacting Greenwald).

While you're at it, block this loser too.

Expecting someone on tor-talk to hook you up with Snowden is unrealistic. Asking so many times was rude.

I would agree with blocking Greg at this point. The emails are off-topic and mildly annoying. I would also tend to agree that asking repeatedly for someone to hook you up with Ed Snowden is rude. He has also emailed me personally off-list and tried to get in touch with me in other venues.

Thank you,
Derric Atzrott
Re: [tor-talk] List Administrivia
ok

Greg Curcio

On Wed, Oct 15, 2014 at 6:57 AM, Derric Atzrott datzr...@alizeepathology.com wrote:
> please give ed snow den my e mail thanks i just got punkd 'Kenneth, what is the frequency circa 1986
>
> Greg, I applaud your thoroughness in your search, in that you know he uses Tor, so you figure you might as well check here, but everyone here has said they can't help you. Several have offered up alternative venues (like contacting Greenwald).
>
> While you're at it, block this loser too.
>
> Expecting someone on tor-talk to hook you up with Snowden is unrealistic. Asking so many times was rude.
>
> I would agree with blocking Greg at this point. The emails are off-topic and mildly annoying. I would also tend to agree that asking repeatedly for someone to hook you up with Ed Snowden is rude. He has also emailed me personally off-list and tried to get in touch with me in other venues.
>
> Thank you,
> Derric Atzrott
Re: [tor-talk] howsmyssl
guys, i am not trying to be rude. i'm a sensitive. never been called rude. i am 30 % fascinated by your back and forth. and 95% clueless i didn't know that you ALL can see what i wrote, i thought , or didn't think,:) it was like a regular chat, whomever was on at the time saw what i wrote, now i get it. Can't assume so much. like a lawyer or judge, and hopefully a reporter and a spy, they can't assume stuff. ok thanks.

Greg Curcio

On Wed, Oct 15, 2014 at 6:42 AM, bm-2ctjsegdfzqngqwuqjswro6jrwlc9b3...@bitmessage.ch wrote:
> On Wed, 15 Oct 2014 02:53:03 + tor-talk-requ...@lists.torproject.org wrote:
> > Hi!
> >
> > It's a new month, so that means there's a new attack on TLS.
> >
> > This time, the attack is that many clients, when they find a server that doesn't support TLS, will downgrade to the ancient SSLv3. And SSLv3 is subject to a new padding oracle attack.
> >
> > There is a readable summary of the issue at https://www.imperialviolet.org/2014/10/14/poodle.html .
> >
> > Tor itself is not affected: all released versions for a long time have shipped with TLSv1 enabled, and we have never had a fallback mechanism to SSLv3. Furthermore, Tor does not send the same secret encrypted in the same way in multiple connection attempts, so even if you could make Tor fall back to SSLv3, a padding oracle attack probably wouldn't help very much.
> >
> > TorBrowser, on the other hand, does have the same default fallback mechanisms as Firefox. I expect and hope the TorBrowser team will be releasing a new version soon with SSLv3 enabled.
> >
> > But in the meantime, I think you can disable SSLv3 yourself by changing the value of the security.tls.version.min preference to 1.
> >
> > To do that:
> >
> > 1. enter about:config in the URL bar.
> > 2. Then you click I'll be careful, I promise.
> > 3. Then enter security.tls.version.min in the preference search field underneath the URL bar. (Not the search box next to the URL bar.)
> > 4. You should see an entry that says security.tls.version.min under Preference Name. Double-click on it, then enter the value 1 and click okay. You should now see that the value of security.tls.version.min is set to one.
> >
> > (Note that I am not a Firefox developer or a TorBrowser developer: if you're cautious, you might want to wait until one of them says something here before you try this workaround.)
> >
> > Obviously, this isn't a convenient way to do this; if you are uncertain of your ability to do so, waiting for an upgrade might be a good move.
> >
> > In the meantime, if you have serious security requirements and you cannot disable SSLv3, it might be a good idea to avoid using the Internet for a week or two while this all shakes out.
> >
> > best wishes to other residents of interesting times,
> > -- Nick
>
> While on the topic, these links discuss this issue and provide a test for the TLS suite:
>
> https://blog.dbrgn.ch/2014/1/8/improving_firefox_ssl_tls_security/
> https://www.howsmyssl.com/
>
> The link states that: Another issue is the support for the SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA cipher, which may or may not be a good idea to use: https://github.com/jmhodges/howsmyssl/pull/17. Firefox 26 supports cipher suites that are known to be insecure. This setting can also be disabled in the Firefox configuration. In the about:config screen, search for security.ssl3.rsa_fips_des_ede3_sha and disable it.
>
> Should this also occur in TBB?
[tor-talk] Tor Weekly News — October 15th, 2014
Tor Weekly News October 15th, 2014

Welcome to the forty-first issue in 2014 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Academic research into Tor: four recent studies
-----------------------------------------------

Major contributions to the development and security of Tor are often made by academic researchers, either in a laboratory setting using network simulators like Shadow [1], or through measurement and analysis of the live network itself (taking care not to harm the security or anonymity of clients and services). Different aspects of Tor’s networking and security, from path selection to theoretical attacks, have been analysed in three recently-published studies.

Otto Huhta’s MSc thesis [2] investigates the possibility that an adversary in control of a non-exit relay could link two or more Tor circuits back to the same client based on nothing more than timing information. As Otto explained [3], “this is mainly the result of the fixed 10 minute circuit lifetime and the fact that the transition to using a new circuit is quite sharp.” With the help of a machine classifier, and the fact that any one client will build its circuits through a fixed set of entry guards, the study suggested that such an adversary “can focus only on circuits built through these specific nodes and quite efficiently determine if two circuits belong to the same user.” There is no suggestion that this knowledge alone poses a serious deanonymization risk to clients; however, wrote Otto, “our goal was not to ultimately break the anonymity of any real user but instead to expose a previously unknown threat so that it can be mitigated before anyone actually devises an attack around it.”

Steven Murdoch published a paper [4] on the optimization of Tor’s node selection probabilities showing, in Steven’s words [5], “that what Tor used to do (distributing traffic to nodes in proportion to their contribution to network capacity) is not the best approach.” Prior to publication of the study, “Tor moved to actively measuring the network performance and manipulating the consensus weights in response to changes. This seems to have ended up with roughly the same outcome. […] However, the disadvantage is that it can only react slowly to changes in network characteristics.”

Sebastian Urbach shared [6] a link to “Defending Tor from Network Adversaries: A Case Study of Network Path Prediction” [7], in which the researchers analyze the effect of network features like autonomous systems [8] and Internet exchanges [9] on the security of Tor’s path selection, finding that “AS and IX path prediction significantly overestimates the threat of vulnerability to such adversaries”, and that “the use of active path measurement, rather than AS path models” would be preferable “in further study of Tor vulnerability to AS- and IX-level adversaries and development of practical defenses.”

Meanwhile, Philipp Winter took to the Tor blog [10] to summarize some new findings concerning the way in which the Chinese state Internet censorship system (the “Great Firewall of China”) acts upon blocked connections, like those trying to reach Tor, as detailed in a recent project [11] to which he contributed. Searching for spatial and temporal patterns in Chinese censorship activity, the researchers found that “many IP addresses inside the China Education and Research Network (CERNET) are able to connect” to Tor in certain instances, while the filtering of other networks — centrally conducted at the level of Internet exchanges — “seems to be quite effective despite occasional country-wide downtimes”.

Each of these studies is up for discussion on the tor-dev mailing list [12], so feel free to join in there with questions and comments for the researchers!

[1]: https://shadow.github.io/
[2]: http://www0.cs.ucl.ac.uk/staff/G.Danezis/students/Huhta14-UCL-Msc.pdf
[3]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007517.html
[4]: http://www.cl.cam.ac.uk/~sjm217/papers/#pub-el14optimising
[5]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007601.html
[6]: https://lists.torproject.org/pipermail/tor-relays/2014-October/005434.html
[7]: http://arxiv.org/pdf/1410.1823v1.pdf
[8]: https://en.wikipedia.org/wiki/Autonomous_System_%28Internet%29
[9]: https://en.wikipedia.org/wiki/Internet_exchange_point
[10]: https://blog.torproject.org/blog/closer-look-great-firewall-china
[11]: http://www.cs.unm.edu/~royaen/gfw/
[12]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Miscellaneous news
------------------

Michael Rogers submitted [13] patches against tor and jtorctl, making two improvements to the performance of mobile hidden services: one “avoids a problem where we'd try to build
Re: [tor-talk] New SSLv3 attack: Turn off SSLv3 in your TorBrowser
Someone somewhere (I think Mike Perry quoting AGL) mentioned today that we'd only be breaking 0.3% of the internet if we do this. My fact checker 9000 looked into this[1]. the 0.3% is probably close but here are a few stats per Zmap and Alexa

- of the top 1 Million domains, 0.02% have SSLv3 as their highest version (verified domains)
- of the entire ipv4 space, 2.8% use SSLv3 as their highest version (unverified certificates)

[1]. https://zmap.io/sslv3/
Re: [tor-talk] Reasoning behind 10 minute circuit switch?
Thanks for the detailed reply!

On 10/14/14, 5:10 PM, Roger Dingledine wrote:
> On Tue, Oct 14, 2014 at 12:17:27PM -0400, Greg Norcie wrote:
> > I'm working on doing a study on user tolerance of delays (for example, latency on Tor). During our discussion, a bit of a debate occurred about the TBB's circuit switching.
> >
> > I was wondering if there's any research that's been done to arrive at the 10 minute window for circuit switching, or if that was number picked arbitrarily?
>
> It was alas picked arbitrarily. As Nick notes, it used to be 30 seconds, and then when we started getting users, all the relays complained of running at 100% cpu handling circuit handshakes. We changed it to 10 minutes, and the complaints went away -- at least until the botnet showed up.
>
> We've had an open research question listed for years now -- see bullet point 4 on https://research.torproject.org/ideas.html
>
> Right now Tor clients are willing to reuse a given circuit for ten minutes after it's first used. The goal is to avoid loading down the network with too many circuit creations, yet to also avoid having clients use the same circuit for so long that the exit node can build a useful pseudonymous profile of them. Alas, ten minutes is probably way too long, especially if connections from multiple protocols (e.g. IM and web browsing) are put on the same circuit. If we keep fixed the overall number of circuit extends that the network needs to do, are there more efficient and/or safer ways for clients to allocate streams to circuits, or for clients to build preemptive circuits? Perhaps this research item needs to start with gathering some traces of what requests typical clients try to launch, so you have something realistic to try to optimize.
>
> Also note that if a stream request times out (or for certain similar failures), you move to a new circuit earlier than the 10 minute period. So it might be that users actively browsing will switch much more often than every 10 minutes. Somebody should study what happens in practice.
>
> The future plan is to isolate streams by domain, not by time interval: https://trac.torproject.org/projects/tor/ticket/5752 But of course there are some tricky engineering and security considerations there.
>
> And lastly, see https://trac.torproject.org/projects/tor/ticket/5830 for a standalone related analysis/research project that I wish somebody would do. :)
>
> --Roger
Re: [tor-talk] Social Research on TOR in Turkey during March2014
On Mon, 13 Oct 2014 23:43:47 +0300 Gökşin Akdeniz gok...@goksinakdeniz.net wrote:
> Run: gpg --search-key Paolo Cardullo and import the key. Please use OpenPGP and GnuPG properly

He is using OpenPGP and GnuPG properly, but I believe you miss some important fact about it. The original author did not give the key details nor did he put his key id (before you added to your keyring). Somebody reading this list could have created a key pair, and uploaded to keyserver. Now you might have a malicious key, which you will use to encrypt your emails, and somebody having an access to that e-mail address (via ISP or AOL) could read your email.

Do not blindly add keys just by searching the name. Wait for the original author to at least verify using e-mail, or his web address. Of course, there would be no guarantee for e-mail to be changed during the transport. But it is a little unlikely to both change e-mail and key on the web server. It depends on your threat model.

I hope I made my point.

Regards,
Grace H.

--
D8C9 EF71 ADC3 0533 29DE 3A80 1152 D1CB 8D9C 47FD
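The point made in this message, that a name search can return a key anyone uploaded, can be enforced mechanically by selecting a key only through a full fingerprint obtained out of band. This is an added example, not part of the original post: it parses `gpg --with-colons --fingerprint --list-keys` style output, and the listing, names and fingerprints in it are constructed placeholders.

```python
# Added example (not from the thread): choose a key by its full fingerprint,
# never by the name a keyserver search returns.
import re


def normalize_fingerprint(text):
    """Strip whitespace and upper-case; insist on a full 40-hex-digit (v4)
    fingerprint. Key IDs are refused: they are truncations of the
    fingerprint and far easier to forge a match for."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("need a full 40-hex-digit fingerprint, got %r" % text)
    return fpr


def _unescape(field):
    # The colon format escapes special characters as \xNN (e.g. ':' is \x3a).
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def parse_colon_listing(listing):
    """Parse gpg's colon-delimited key listing into a list of dicts with
    'keyid', 'fingerprint' (primary key only) and 'uids'."""
    keys, current, want_primary_fpr = [], None, False
    for line in listing.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            current = {"keyid": fields[4], "fingerprint": None, "uids": []}
            keys.append(current)
            want_primary_fpr = True
            if len(fields) > 9 and fields[9]:      # GnuPG 1.4 puts the uid here
                current["uids"].append(_unescape(fields[9]))
        elif record == "sub":
            want_primary_fpr = False               # next fpr belongs to a subkey
        elif record == "fpr" and current is not None and want_primary_fpr:
            current["fingerprint"] = fields[9]
            want_primary_fpr = False
        elif record == "uid" and current is not None:
            current["uids"].append(_unescape(fields[9]))
    return keys


def candidates_by_name(keys, name):
    """Every key whose user ID mentions `name`: what a name search trusts."""
    wanted = name.lower()
    return [k for k in keys if any(wanted in uid.lower() for uid in k["uids"])]


def pick_verified_key(keys, fingerprint_from_owner):
    """Return the key matching the fingerprint the owner confirmed through
    another channel, or None if no listed key matches."""
    expected = normalize_fingerprint(fingerprint_from_owner)
    for key in keys:
        if key["fingerprint"] == expected:
            return key
    return None


# Constructed sample: two unrelated keys carrying the same name and address.
GENUINE_FPR = "A" * 24 + "1" * 16
LOOKALIKE_FPR = "B" * 24 + "2" * 16
SAMPLE_LISTING = f"""\
pub:-:4096:1:{'1' * 16}:1388534400:::-:::scESC:
fpr:::::::::{GENUINE_FPR}:
uid:-::::1388534400::0000::Example Researcher <researcher@example.org>:
sub:-:4096:1:{'3' * 16}:1388534400::::::e:
fpr:::::::::{'C' * 24}{'3' * 16}:
pub:-:4096:1:{'2' * 16}:1413331200:::-:::scESC:
fpr:::::::::{LOOKALIKE_FPR}:
uid:-::::1413331200::0000::Example Researcher <researcher@example.org>:
"""

if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    print("keys claiming the name:",
          [k["keyid"] for k in candidates_by_name(keys, "Example Researcher")])
    print("key matching the confirmed fingerprint:",
          pick_verified_key(keys, GENUINE_FPR)["keyid"])
```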
Re: [tor-talk] Social Research on TOR in Turkey during March2014
> Do not blindly add keys just by searching the name. Wait for the original author to at least verify using e-mail, or his web address.

Even better would be to use the Web of Trust, but I don't think I've ever actually seen someone do that... too few people going to keysigning parties I guess.

Thank you,
Derric Atzrott
Re: [tor-talk] New SSLv3 attack: Turn off SSLv3 in your TorBrowser
AntiTree transcribed 0.6K bytes:
> Someone somewhere (I think Mike Perry quoting AGL) mentioned today that we'd only be breaking 0.3% of the internet if we do this. My fact checker 9000 looked into this[1]. the 0.3% is probably close but here are a few stats per Zmap and Alexa
>
> - of the top 1 Million domains, 0.02% have SSLv3 as their highest version (verified domains)
> - of the entire ipv4 space, 2.8% use SSLv3 as their highest version (unverified certificates)
>
> [1]. https://zmap.io/sslv3/

Neat. Those stats on SSL/TLS deployment are interesting... thanks! :)

--
♥Ⓐ isis agora lovecruft
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
Re: [tor-talk] Tor Weekly News — October 15th, 2014
For general principle, I always thought it was a little strange that Tor changed circuits every 10 minutes. That it was too predictable, like a patrol car driving by the bank exactly at the beginning of the hour. Never deviating.

There may not be any current, known exploits of this in Tor, but many things in Tor are built around randomness - for a specific reason.

On the other hand, what about destination sites that have only a few active Tor users at a given time. Of course, their 10 minute circuits wouldn't have all begun at the same time. But of the Tor users on that site, if only one user's circuits change at a specific time and continue to do so every 10 minutes, does that make them harder or easier to pick out of that specific crowd?
Re: [tor-talk] Social Research on TOR in Turkey during March2014
On 10/15/2014 12:39 PM, Derric Atzrott wrote:
> > Do not blindly add keys just by searching the name. Wait for the original author to at least verify using e-mail, or his web address.
>
> Even better would be to use the Web of Trust, but I don't think I've ever actually seen someone do that... too few people going to keysigning parties I guess.
>
> Thank you,
> Derric Atzrott

Web of Trust is problematic for those who chose pseudonymity. Over the years, I've come to trust several pseudonyms based on interactions via discussion forums and email, signed documents and software, apparent integrity, and so on. Nobody except me knows mirimir's true name, but everyone can judge me by what I've said and done. Purists want DNA swaps these days, I guess ;)
Re: [tor-talk] Social Research on TOR in Turkey during March2014
On Wed, Oct 15, 2014 at 06:15:37PM -0600, Mirimir wrote:
> Web of Trust is problematic for those who chose pseudonymity. Over the years, I've come to trust several pseudonyms based on interactions via discussion forums and email, signed documents and software, apparent integrity, and so on. Nobody except me knows mirimir's true name, but everyone can judge me by what I've said and done. Purists want DNA swaps these days, I guess ;)

Not sure why a web of trust approach should be considered incompatible with grounding trust in a pseudonym or what you mean by true name (some sort of Vinge reference?), but in any case that's the best Freudian typo of the day.

aloha,
Paul
Re: [tor-talk] Social Research on TOR in Turkey during March2014
On 10/15/2014 08:57 PM, Paul Syverson wrote:
> On Wed, Oct 15, 2014 at 06:15:37PM -0600, Mirimir wrote:
> > Web of Trust is problematic for those who chose pseudonymity. Over the years, I've come to trust several pseudonyms based on interactions via discussion forums and email, signed documents and software, apparent integrity, and so on. Nobody except me knows mirimir's true name, but everyone can judge me by what I've said and done. Purists want DNA swaps these days, I guess ;)

Well, I meant swabs, but swaps also works (not sexual, data).

> Not sure why a web of trust approach should be considered incompatible with grounding trust in a pseudonym or what you mean by true name (some sort of Vinge reference?), but in any case that's the best Freudian typo of the day.

Yes, _True Names_ is an all-time favorite. By true name, I mean the name on my various government-issued IDs. That name is associated with my fingerprints and photo, and perhaps even with DNA sequence data. It's encouraging that you don't consider WOT and pseudonyms necessarily incompatible. But then, you helped invent Tor. Some do argue that WOT means little without reliable identification, verified face-to-face.

> aloha,
> Paul
Re: [tor-talk] Social Research on TOR in Turkey during March2014
On Wed, Oct 15, 2014 at 09:26:59PM -0600, Mirimir wrote:
> On 10/15/2014 08:57 PM, Paul Syverson wrote:
> > On Wed, Oct 15, 2014 at 06:15:37PM -0600, Mirimir wrote:
> > > Web of Trust is problematic for those who chose pseudonymity. Over the years, I've come to trust several pseudonyms based on interactions via discussion forums and email, signed documents and software, apparent integrity, and so on. Nobody except me knows mirimir's true name, but everyone can judge me by what I've said and done. Purists want DNA swaps these days, I guess ;)
>
> Well, I meant swabs, but swaps also works (not sexual, data).

Ah I was reading DNA swaps in the sense of the Vincent and Jerome characters swapping identities in Gattaca rather than the sense of swapping credentials to authenticate each other. Hence my amusement.

> > Not sure why a web of trust approach should be considered incompatible with grounding trust in a pseudonym or what you mean by true name (some sort of Vinge reference?), but in any case that's the best Freudian typo of the day.
>
> Yes, _True Names_ is an all-time favorite. By true name, I mean the name on my various government-issued IDs. That name is associated with my fingerprints and photo, and perhaps even with DNA sequence data. It's encouraging that you don't consider WOT and pseudonyms necessarily incompatible. But then, you helped invent Tor. Some do argue that WOT means little without reliable identification, verified face-to-face.

Depends what you're trying to reliably identify, and let's completely sidestep the criteria for reliable in the various popular authenticators you cited are. (I disagree with Quine on much, but I do accept his maxim, No entity without identity---although unlike Quine I would understand both of these stochastically.) Sorry, need sleep and am straying well into not-torritory.

-Paul
Re: [tor-talk] Social Research on TOR in Turkey during March2014
On 10/15/2014 09:52 PM, Paul Syverson wrote:
> On Wed, Oct 15, 2014 at 09:26:59PM -0600, Mirimir wrote:
> > On 10/15/2014 08:57 PM, Paul Syverson wrote:
> > > On Wed, Oct 15, 2014 at 06:15:37PM -0600, Mirimir wrote:
> > > > Web of Trust is problematic for those who chose pseudonymity. Over the years, I've come to trust several pseudonyms based on interactions via discussion forums and email, signed documents and software, apparent integrity, and so on. Nobody except me knows mirimir's true name, but everyone can judge me by what I've said and done. Purists want DNA swaps these days, I guess ;)
> >
> > Well, I meant swabs, but swaps also works (not sexual, data).
>
> Ah I was reading DNA swaps in the sense of the Vincent and Jerome characters swapping identities in Gattaca rather than the sense of swapping credentials to authenticate each other. Hence my amusement.

Got it. And yes, there's no assurance that biometrics can't be hacked.

> > > Not sure why a web of trust approach should be considered incompatible with grounding trust in a pseudonym or what you mean by true name (some sort of Vinge reference?), but in any case that's the best Freudian typo of the day.
> >
> > Yes, _True Names_ is an all-time favorite. By true name, I mean the name on my various government-issued IDs. That name is associated with my fingerprints and photo, and perhaps even with DNA sequence data. It's encouraging that you don't consider WOT and pseudonyms necessarily incompatible. But then, you helped invent Tor. Some do argue that WOT means little without reliable identification, verified face-to-face.
>
> Depends what you're trying to reliably identify, and let's completely sidestep the criteria for reliable in the various popular authenticators you cited are. (I disagree with Quine on much, but I do accept his maxim, No entity without identity---although unlike Quine I would understand both of these stochastically.) Sorry, need sleep and am straying well into not-torritory.
>
> -Paul

I only know of Quine through Douglas Hofstadter's books. I'm reminded of the thought experiment in _I Am a Strange Loop_ where someone is precisely duplicated. Identical initially, they immediately diverge. In a world where that were possible, what would identity mean?