Re: [tor-talk] Tor and HTTPS graphic

2012-03-19 Thread Martin Hubbard
Mike Perry wrote on 03/12/12 01:57 PM:

> Thus spake coderman (coder...@gmail.com):
> 
> > a lot of infrastructure to build; call it Tor 2.0:
> >
> > combine LEDBAT edge management[0] with SCTP multi-homed[1]
> > endpoints over ORCHID overlay[2] provided by IPsec telescopes[3]
> > with reliable multicast gradients[4] and stochastic fair queuing[5]
> > and you've got something resistant to passive and active attacks,
> > including traffic confirmation.
> 
> Your ideas intrigue me and I wish to subscribe to your newsletter.

Same here :)

> Can you describe in a bit more detail (perhaps in a new thread)
> how stitching together a Frankenstein's creation from this
> collection of protocols would work, and how it would be deployed?

To the extent that I understand, coderman seems to be proposing the
layer-3 approach from Kiraly et al. (2008) with multi-homed endpoints
and various traffic control mechanisms. That does seem interesting.

Perhaps someone could comment about Tor's current development plans
(or point me to documents)? Maybe I should just look ;)

> And what about the edge vulnerability to these same tagging and/or
> timing attacks? Data's gotta get into this mess somehow, and come
> out again, right?

This is the issue that's been nagging me. The utility of Tor (or
coderman's vision, or even VPNs) is limited when access can be
detected and blocked. Could something like Tor operate through
covert channels (1,2)? Although only ~0.1% of total bandwidth would be
usable, that might be enough with widespread streaming HD video.

References

1) Murdoch and Lewis (2005) Embedding Covert Channels into TCP/IP
http://www.cl.cam.ac.uk/~sjm217/papers/ih05coverttcp.pdf

2) Sellke et al. (2009) TCP/IP Timing Channels: Theory to Implementation
http://www.stat.purdue.edu/~ssellke/publications/covertTC.pdf


___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Tor and HTTPS graphic

2012-03-13 Thread coderman
On Mon, Mar 12, 2012 at 11:57 AM, Mike Perry  wrote:
> ...
> Your ideas intrigue me and I wish to subscribe to your newsletter.

my last comment for this sad, confused tangent of a thread;
  it has been accosted via conjecture with too much frequency *grin*


SCTP for congestion control of transparent proxy TCP/UDP traffic.
local classification of traffic allocates by protocol / use fairness
instead of aggregate tcp fairness. like bittorrent or aria2 parallel
traffic treated as distinct low priority unit of traffic, deferring to
higher priority low latency web traffic and messaging.

multi-homing / multi-path endpoints in SCTP would maintain concurrent
connection with distinct endpoints, avoiding predecessor, timing,
denial of service attacks present in reliable, ordered, single stream
transports.

edges would be screwed as you mention, unless they were full fledged
participants consistently. using a UDP based transport with LEDBAT or
other technique to keep broadband upstream unsaturated and unclogged
(no deep queues), allowing all broadband endpoints the ability to
contribute to a large shared network.

ORCHID IPv6 addressing with IPsec tunnels is intended to re-use
existing work, including well tested auth+privacy with datagram
padding in IPsec. SCTP+TLS would fit over top of IPv6 ORCHID endpoints
(using IPsec SAs) to transport signalling/keying and encapsulated
client traffic. part of this would also include lowest priority (lossy
reliable) SRMP type delivery of useful, less immediate information to
nodes. to some extent the ORCHID addresses could be thought of as
hidden service names and also circuit endpoints for a given IPsec
tunnel.

this set of:
a. critical signalling and keying traffic
b. high priority, interactive web traffic and messaging
c. lower priority bulk traffic, downloads, streaming media
d. best effort, latent bulk caching and exchange

are the classful shaping groups ordered inside of opaque SFQ outbound
queues at various improved/concurrent stratified dependent link
padding paths of IPsec telescopes carrying intermediate
hop(signalling) and bearer traffic.

combining better prioritization of traffic and consistent consumption
of traffic (deferring low priority packets and using opportunistic
caching strategies for network information respectively) obtains the
best performance out of the SFQ DLP paths with the lowest latency for
priority traffic.

still, so many details left as exercise for the reader ;)


> Do free reference implementations exist for all of these protocols?

sort of, for only parts; if you want a portable user space
implementation (or port) it's all custom. the joys of wild conjecture
include absurd timelines and technical effort for free...

rump is about as close as i've seen: http://www.netbsd.org/docs/rump/index.html

this is not the least of "how to deploy a thing like this" concerns.
there is also no backward compatibility or slow transition from an
existing Tor network to something using UDP encapsulated IPsec
telescopes (even if TCP can be transparently proxied over SCTP over
this).


Re: [tor-talk] Tor and HTTPS graphic

2012-03-12 Thread Mike Perry
Thus spake coderman (coder...@gmail.com):

> a lot of infrastructure to build; call it Tor 2.0:
>
> combine LEDBAT edge management[0] with SCTP multi-homed[1] endpoints
> over ORCHID overlay[2] provided by IPsec telescopes[3] with reliable
> multicast gradients[4] and stochastic fair queuing[5] and you've got
> something resistant to passive and active attacks, including traffic
> confirmation.

Your ideas intrigue me and I wish to subscribe to your newsletter.

Can you describe in a bit more detail (perhaps in a new thread) how
stitching together a Frankenstein's creation from this collection of
protocols would work, and how it would be deployed?

And what about the edge vulnerability to these same tagging and/or
timing attacks? Data's gotta get into this mess somehow, and come
out again, right?

> 0. http://tools.ietf.org/html/draft-ietf-ledbat-congestion-09
> 1. http://tools.ietf.org/html/rfc4960
> 2. http://tools.ietf.org/html/rfc4843
> 3. http://disi.unitn.it/locigno/preprints/TR-DISI-08-041.pdf
> 4. http://tools.ietf.org/html/rfc4410
> 5. http://www2.rdrop.com/~paulmck/scalability/paper/sfq.2002.06.04.pdf

Do free reference implementations exist for all of these protocols?

 
-- 
Mike Perry




Re: [tor-talk] Tor and HTTPS graphic

2012-03-10 Thread coderman
On Fri, Mar 9, 2012 at 9:55 PM, The23rd Raccoon  wrote:
> ...
> If you want me to analyze active timing attacks using similar Bayesian
> analysis, that might be a taller order.

as amused as i am by our favorite dumpster diver, this does bring to
mind the need for datagram transport with multiplexed paths and
stochastic mixing.

a lot of infrastructure to build; call it Tor 2.0:

combine LEDBAT edge management[0] with SCTP multi-homed[1] endpoints
over ORCHID overlay[2] provided by IPsec telescopes[3] with reliable
multicast gradients[4] and stochastic fair queuing[5] and you've got
something resistant to passive and active attacks, including traffic
confirmation.

build the meanest machine learning system and throw it at it, the pure
theory a little unwieldy...

have fun!

0. http://tools.ietf.org/html/draft-ietf-ledbat-congestion-09
1. http://tools.ietf.org/html/rfc4960
2. http://tools.ietf.org/html/rfc4843
3. http://disi.unitn.it/locigno/preprints/TR-DISI-08-041.pdf
4. http://tools.ietf.org/html/rfc4410
5. http://www2.rdrop.com/~paulmck/scalability/paper/sfq.2002.06.04.pdf




Re: [tor-talk] Tor and HTTPS graphic

2012-03-09 Thread The23rd Raccoon
On Fri, Mar 9, 2012 at 8:52 PM, Paul Syverson  wrote:
> On Thu, Mar 08, 2012 at 06:41:25AM +, The23rd Raccoon wrote:
>> has blinded the tor devs to a very serious type of active attack
>> that actually will: the crypto-tagging attack.
>
> Nobody's blinded to the possibility. Many of us knew long ago that
> several things like this are easy to do.

I meant blinded to the severity.

>> In 2009, the devs dismissed a version of the crypto-tagging attack
>> presented by Xinwen Fu as being equivalent to correlation back when
>> the "One Cell is Enough to Break Tor's Anonymity" attack came out[1].
>
> As noted earlier in the post and in many other places,
> it's trivial to put in active timing signatures if they are needed.

Only if you have enough data to encode a time signature into. One cell
is not very much data. You'll see why this matters in a few
paragraphs.

> So, to convince me that your analysis shows we should revisit tagging for Tor
> you would have to show three things:

Your requirements don't seem to match the goal of revisiting tagging,
so I bent them slightly. Your requirements seem instead to invite
revisiting correlation entirely. But that's OK. I want to deal with
tagging, too, so I'll deal with it first. It's along the way, as they
say.

As we'll see, tagging allows a type of amplification attack that can
be *simulated* with a timing attack, but I'll argue it is simulated
poorly. I have not yet provided full Bayesian analysis of the bounds
of the accuracy of simulation, but I have written the dominating
components, and I'll finish it if you like.

If you want me to analyze active timing attacks using similar Bayesian
analysis, that might be a taller order. I'd need to scavenge the local
dumpster archives for a while to collect a representative sample of
attacks and pore over how to interpret their (very likely
misrepresented or at least embellished) results. If you could select
your favorites, it might speed things along.

Either way, just let me know.

> (1) Convince me that a truly global adversary is realistically worth
> worrying about

Intuitively, tagging attacks create a "half-duplex global" adversary
in places where there was no adversary before, because the
non-colluding entrances and exits of the network start working for
you. You get to automatically boost your attack resource utilization
by causing any uncorrelated activity you see to immediately fail, so
you don't even have to worry about it. This effect is by virtue of the
tag being destructive to the circuit if the cell is not untagged, and
also being destructive when a cell is "untagged" on a non-tagged
circuit.

In other words: in the EFF's graphic, tagging attacks create a second
translucent NSA dude everywhere in the world *for free*. This
translucent NSA dude is effectively closing circuits that the real NSA
dude didn't want to go to there in the first place. He makes sure that
your circuits only go through another NSA dude.

So to answer your question: because of this "half-duplex global"
property, the tagging attack actually does not require you to have to
worry about a true global adversary to see it is worse than
correlation (active or passive).

Any amount of resources (global or local) that you devote to tagging
automatically get amplified for free by the global translucent NSA
dude.

How well you are able to correlate afterward requires a secondary
attack. Depending upon the nature of the tagging vulnerability you
find, you might be able to encode an arbitrary bitstring to uniquely
identify the user, eliminating the need for any subsequent
correlation. In fact, I'm pretty sure this is possible.

> (2) convince me that an adversary that does active timing correlation would
> not remain a significant threat even if tagging were no longer possible

I'm going to bend the rules again and instead try to convince you that
an attacker who tags can observe more compromised traffic than an
active timing attacker who attempts to simulate his attack, making
tagging qualify as an amplification attack in a separate class
entirely.

To simulate the same amplification attack with correlation (active or
passive), you have to correlate every circuit at your first NSA dude
to every other circuit at your second NSA dude, and kill the circuits
that don't have a match on both sides.

You also have the added challenge of doing the initial correlation
with few enough cells to kill the circuit before any streams are
attached (so users don't notice). The need for early detection rules
out virtually all of the benefits of active timing attacks for this
step, which require quite a lot of data to encode their fingerprints
(especially when making them provably effective or practically
invisible).

Therefore, we are back to analysis dominated by passive correlation
for the circuit killing step (the crux of the simulation).

In order to kill the circuits that don't match, NSAdude1 has to ask
NSAdude2 out of band if NSAdude2 has seen a mat

Re: [tor-talk] Tor and HTTPS graphic

2012-03-09 Thread Paul Syverson
On Thu, Mar 08, 2012 at 06:41:25AM +, The23rd Raccoon wrote:
> On Thu, Mar 8, 2012 at 1:39 AM, Mansour Moufid wrote:
> > On Tue, Mar 6, 2012 at 11:55 PM, The23rd Raccoon wrote:
> >> Now bear in mind that I'm just a Raccoon, but some time ago I scrawled
> >> a proof out that showed that the correlation accuracy of a "dragnet
> >> GPA" goes down in proportion to the square of the number of concurrent
> >> users using an anonymization service:
> >> http://archives.seul.org/or/dev/Sep-2008/msg00016.html
> >
> > Are we so sure there are no methods of correlation with zero false
> > positive rate [P(C|~M) = 0]?
> 
> For passive correlation attacks, I have not seen any in
> dumpster-accessible research literature.
> 
> For active attacks, there are varying classes that can achieve 0
> error. In general, 0-error success depends upon how much information
> you are able to encode into the stream, how quickly you are able to do
> it, and how reliably you are able to extract it.
> 
> In fact, I think the research community's insistence that passive
> correlation can always succeed 

You misunderstand or at least misrepresent what is being argued
here. There does not even have to be anything incompatible in what you
are saying and this "insistence" as you put it.  The difference lies
entirely in the threat model. So we need to get more precise about
that (below).

> has blinded the tor devs to a very serious type of active attack
> that actually will: the crypto-tagging attack.
>

Nobody's blinded to the possibility. Many of us knew long ago that
several things like this are easy to do. It's even easier to just do
bitsquashing, as we noted in the first onion routing paper in 1996
(there are tradeoffs and may be times when other tagging attacks are
preferable, that's not the point). As a more directly connected
indicator of prior awareness, Mixminion was designed by some of the
main research people who also worked on Tor, specifically Roger and
Nick together with George Danezis. They spent a significant part of
the research paper that sets out the design talking about tagging
attacks and their countermeasures to them. 

We're all well aware of many tagging variants here. What we're saying
about them is that (1) identifying another specific example of tagging
attack without other significant contribution is not a publishable
research contribution and (2) designing in countermeasures against
such attacks (such as the Mixminion paper and some of the subsequent
formatting work in that vein did) is not worth it because it's so
easy to attack Tor whether it's made resistant to this kind of
tagging or not. (I know you don't agree with that---yet. I'm coming to
that.)
 
> The crypto-tagging attack performs an operation on a cell at the entry
> to the network that will cause an error upon exit of the network,
> *unless* a party at the exit of the network is able to undo it. It
> ensures a node will only carry compromised traffic.
> 
> In 2009, the devs dismissed a version of the crypto-tagging attack
> presented by Xinwen Fu as being equivalent to correlation back when
> the "One Cell is Enough to Break Tor's Anonymity" attack came out[1].
> 

Nobody said they were equivalent. What is actually said in [1] is

   "One of the unknowns in the research world is exactly how quickly
   the timing attack succeeds. How many seconds of traffic (and/or
   packets) do you need to achieve a certain level of confidence? I'll
   grant that if you run the entry and exit, tagging is a very simple
   attack to carry out both conceptually and in practice. But I think
   Fu underestimates how simple the timing attack can be also. That's
   probably the fundamental disagreement here."

And in that passage, they're only talking about the passive timing
attack. As noted earlier in the post and in many other places,
it's trivial to put in active timing signatures if they are needed.

> They dismissed Fu's comments about false positives by quoting
> researchers claiming that a false positive rate of 0.0006 "is just a
> nonissue". But if you do the math in my Example 1, a 0.0006 false
> positive rate is more than enough to prevent dragnet analysis of a
> heavily used network.
> 

Actually, the post notes that this was the maximum false positive rate
achieved in the cited simulation. In the analysis on the live Tor
network also cited, there were zero false positives in thousands of
runs of the experiment (not thousands of circuits, there were also
thousands of circuits in each run of the experiment). Nonetheless, you
are right to ask about scale and base rate, but I don't think
they undermine the effective adequacy of timing attacks
in ways that ultimately matter.


> In [1], the devs offered to work towards fixing the issue if someone
> could show that it was indeed worse than passive correlation.  I
> believe I have done so. Is there anything that can be done? I'm not
> sure at the moment. Probably a conversation for another thread.


Again

Re: [tor-talk] Tor and HTTPS graphic

2012-03-09 Thread Paul Syverson
On Tue, Mar 06, 2012 at 11:14:39PM -0500, Paul Syverson wrote:
> On Tue, Mar 06, 2012 at 08:15:58PM -0500, Mansour Moufid wrote:
> > On Tue, Mar 6, 2012 at 4:04 PM, Paul Syverson wrote:
> > > I'm a mere four years behind in putting my work up on the web, and
> > > this one wasn't co-authored so nobody else did either. I'll try to do
> > > something about that in my copious free time this week and send a
> > > link.
> > 
> > Please do, this attack you mention is one I've been very interested
> > in. I'm sure many others would also love to read more about it.
> > 
> I'll try to get to it soon.

And there was a star in the east...
I actually updated my webpage, not as fully as I would like, but
I updated all the dead links and added about a dozen or so papers.
In particular there is now a link to the "Why I'm not an Entropist"
paper, the "Practical Vulnerabilities of the Tor Anonymity Network"
paper that Andrew asked me to post over a year ago, my recent
historical review "A Peel of Onion", etc. HTH.

-Paul


Re: [tor-talk] Tor and HTTPS graphic

2012-03-08 Thread Number Six
On Tue, Mar 6, 2012, at 04:20 PM, Seth David Schoen wrote:
> and...@torproject.is writes:
> 
> > The GPA is in every paper on the topic. But only Seth has the real
> > answer.
> 
> I was concerned that the graphic should not make people think that
> _no one_ can ever associate them with their browsing when they use
> Tor.  I've been taught to think of the GPA threat (and other traffic
> correlation threats) as real, so I thought people should have some
> indication of those threats.

Why do you assume that the NSA can break Tor but not HTTPS?

As I see it, if you extrapolate the timing attack literature to justify
ignoring fixing active attacks, why do you not extrapolate the work on
RSA key cracking to assume that the NSA can factor popular website keys
in bathtubs full of DNA?

Or, at the very least, why not extrapolate it to the NSA compromising
one of the 1000-some wildcard root certificates your own SSL Observatory
scan has detected?

This paywall (ie non-"dumpster available") abstract appears to indicate
that the research community is within striking distance of factoring
RSA keys in use by many HTTPS servers today. At least, when compared to
how close timing attack research is to breaking Tor.
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1435370

I guess I'm just wondering: where do we draw the line?

In addition to the decentralized HTTPS certificate observatory, one
could imagine a network verifying the DH parameters are the same when
received by two endpoints of an HTTPS session. If perfect forward
secrecy is universally deployed, a bathtub full of DNA or server
compromise that yielded an RSA private key for google.com could be used
transparently to escape your decentralized observatory scan, but a
DH-recording scanning network will still see different DH parameters at
the endpoints.

But how do we deploy such a network? Is planetlab up to the task? Is anyone
studying endpoint consensus on DH parameters? Shouldn't they be?

It seems like our rabbit hole is very deep. Do we really have what it
takes to watch the watchers?

I fucking hope so, but it does seem that consensus reality wrt
cryptographic security is hard to establish.



Re: [tor-talk] Tor and HTTPS graphic

2012-03-08 Thread The23rd Raccoon
On Wed, Mar 7, 2012 at 9:54 PM, Mike Perry  wrote:

> You know, in hindsight, I don't want to sound like I'm hating on Steven
> or his work. His work was quite clear along all of the dimensions I am
> talking about, and was excellent research.
>
> He in fact did even compare 500 flows/hour to 50 flows/hour and found
> that the success rate did drastically improve, implicitly acknowledging
> and measuring the relationship between event rate and accuracy.

Yes. Murdoch's work was quite informative, one of the more palatable
dumpster morsels I've happened across.

If you draw a line straight down figure 5(a) of [1] at 10k packets,
you actually can see the effect of the base rate fallacy right there.
As his concurrent flow count increases, the P(M|C) (which he calls
P(correct target)) rate drops rather quickly. I bet if you got the
actual P(C|M) values and adjusted the units appropriately, you'd find
a 1/M^2 in there.

George Danezis claimed in [2] that the best-match decision process of
modern classifiers eliminates the quadratic 1/M^2 drop-off, but I
don't believe that to be the case. I think that experimentally you'll
find that your best-match classifier performs worse when you throw
more items at it, just as Murdoch did. This effect is also seen in
authorship classification work. The more authors you try to correlate,
the worse off your rankings are. In fact, the last time I checked,
state of the art text classification currently breaks down at around
just 100 authors, using a best-match classifier.


[1]. http://www.cl.cam.ac.uk/~sjm217/papers/pet07ixanalysis.pdf
[2]. https://conspicuouschatter.wordpress.com/2008/09/30/the-base-rate-fallacy-and-the-traffic-analysis-of-tor/


Re: [tor-talk] Tor and HTTPS graphic

2012-03-08 Thread grarpamp
> Thanks to Mark Klein, we know that the NSA wiretaps in the US are
> passive in nature, not active.

We know that *back then* *one* of their possible tap systems was
passive. All thanks due of course.

> But who knows what they do [...]

... today, to whoever.


> I don't think The Man can correlate millions of simultaneous web
> page views and expect to have certainty over who is viewing what
> at all times. At some point, you simply run out of differentiating
> bits to extract from size and timing information to properly
> segment the userbase.

It's now possible to do well timed rx/tx at 10Gb line rate on a
single commodity system (FreeBSD, Linux)...

http://www.ntop.org/products/nprobe/

http://info.iet.unipi.it/~luigi/netmap/
http://www.ntop.org/products/pf_ring/

http://www.ntop.org/blog/
http://en.wikipedia.org/wiki/Precision_Time_Protocol


Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread grarpamp
> I think that it is important to differentiate national security
> and law enforcement here.

Yes. They are two separate camps. Who now more regularly talk with
each other to varying degrees, both in the office, and in the pub.

It's likely only a legal question as to what tools either may use.
Then saying, 'hey, we have this program', seems not a big deal.

> yet FBI is apparently unable to locate members of pedophile
> networks who use Tor

Based on 4+ year old methods up against a first time case.
What were the lessons learned? What gaps are being filled?

> National security agencies, on the other hand, have to think about
> the "big picture", and would not put their methods of work in
> danger of disclosure

Of course. That's why I put out possible examples that would only
utilize publicly known methods. There are no secrets in anonbib.

> or indulge in otherwise risky behavior (routing tricks and the
> like, which can be discovered by regular employees).

Secret projects have secret nets with secret admins...
http://en.wikipedia.org/wiki/Joint_Worldwide_Intelligence_Communications_System


I'm not really suggesting that any such global or national all
seeing system is in place. Only that given budgets and current tech,
the odds are surely not zero on some of the scenarios.

Particularly concerning results available even with limited visibility.
Such as running both a HS and an entry node that a user happens to
use. Or running enough nodes that having an interesting circuit
transit all three/six is less than a rare occurrence.


Scaling Note: If the network needs to scale, such as keeping nodes
very busy but not saturated, non-exit relay by default (NE-RBD)
could be metered out by way of a client self enabling it (or whatever
other scale factor) based on the client's/relay's own fingerprint.
Whether driven by release or net consensus: 0-9a-g = on, h-z = off


Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread The23rd Raccoon
On Thu, Mar 8, 2012 at 1:39 AM, Mansour Moufid  wrote:
> On Tue, Mar 6, 2012 at 11:55 PM, The23rd Raccoon wrote:
>> Now bear in mind that I'm just a Raccoon, but some time ago I scrawled
>> a proof out that showed that the correlation accuracy of a "dragnet
>> GPA" goes down in proportion to the square of the number of concurrent
>> users using an anonymization service:
>> http://archives.seul.org/or/dev/Sep-2008/msg00016.html
>
> Are we so sure there are no methods of correlation with zero false
> positive rate [P(C|~M) = 0]?

For passive correlation attacks, I have not seen any in
dumpster-accessible research literature.

For active attacks, there are varying classes that can achieve 0
error. In general, 0-error success depends upon how much information
you are able to encode into the stream, how quickly you are able to do
it, and how reliably you are able to extract it.

In fact, I think the research community's insistence that passive
correlation can always succeed has blinded the tor devs to a very
serious type of active attack that actually will: the crypto-tagging
attack.

The crypto-tagging attack performs an operation on a cell at the entry
to the network that will cause an error upon exit of the network,
*unless* a party at the exit of the network is able to undo it. It
ensures a node will only carry compromised traffic.

In 2009, the devs dismissed a version of the crypto-tagging attack
presented by Xinwen Fu as being equivalent to correlation back when
the "One Cell is Enough to Break Tor's Anonymity" attack came out[1].

They dismissed Fu's comments about false positives by quoting
researchers claiming that a false positive rate of 0.0006 "is just a
nonissue". But if you do the math in my Example 1, a 0.0006 false
positive rate is more than enough to prevent dragnet analysis of a
heavily used network.

In [1], the devs offered to work towards fixing the issue if someone
could show that it was indeed worse than passive correlation. I
believe I have done so. Is there anything that can be done? I'm not
sure at the moment. Probably a conversation for another thread.


[1]. https://blog.torproject.org/blog/one-cell-enough
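
An added worked example (not part of any post in this thread, and not the "Example 1" the message refers to): the base-rate arithmetic behind the 0.0006 false-positive figure discussed above, seen from the side of someone estimating how much protection a large concurrent user base gives. The true-positive rate of 0.9994, the 50% confidence threshold and all function names are assumptions made for the illustration; `exponent=2` is the quadratic scaling asserted in the post, and `exponent=1` is the prior that results when every entry flow is compared with every exit flow (N true pairs out of N^2).

```python
"""Base-rate arithmetic for pairwise flow correlation (added illustration)."""
from fractions import Fraction

# 0.0006 is the false-positive rate quoted in the thread.
# The true-positive rate is an assumed value chosen for this illustration.
FPR = Fraction(6, 10000)     # P(C|~M)
TPR = Fraction(9994, 10000)  # P(C|M), assumption


def posterior_match(tpr, fpr, prior):
    """Bayes' rule: P(M|C), the chance that a flagged pair really matches."""
    hit = tpr * prior
    total = hit + fpr * (1 - prior)
    if total == 0:
        raise ValueError("classifier never flags anything; P(M|C) undefined")
    return hit / total


def dragnet_counts(n_flows, tpr, fpr):
    """Expected (true flags, false flags) when each of n entry flows is
    compared against each of n exit flows."""
    true_pairs = n_flows                    # one real partner per flow
    false_pairs = n_flows * (n_flows - 1)   # every other combination
    return tpr * true_pairs, fpr * false_pairs


def max_flows(tpr, fpr, confidence, exponent, limit=10**9):
    """Largest concurrent flow count n at which P(M|C) >= confidence,
    using prior P(M) = 1 / n**exponent.

    Returns None when fpr is 0: with P(C|~M) = 0 (the case asked about in
    the thread) a flag is always correct and the flow count gives no bound.
    """
    if fpr == 0:
        return None
    lo, hi = 1, limit
    # P(M|C) falls monotonically as n grows, so binary search is valid.
    while lo < hi:
        mid = (lo + hi + 1) // 2
        prior = Fraction(1, mid ** exponent)
        if posterior_match(tpr, fpr, prior) >= confidence:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    print(f"{'flows':>8} {'P(M|C), prior 1/n':>20} {'P(M|C), prior 1/n^2':>22}")
    for n in (10, 100, 1000, 5000, 100000):
        linear = posterior_match(TPR, FPR, Fraction(1, n))
        quadratic = posterior_match(TPR, FPR, Fraction(1, n ** 2))
        print(f"{n:>8} {float(linear):>20.6f} {float(quadratic):>22.8f}")

    true_flags, false_flags = dragnet_counts(5000, TPR, FPR)
    print("5000 flows, all pairs compared:",
          f"{float(true_flags):.0f} true flags vs {float(false_flags):.0f} false flags")

    half = Fraction(1, 2)
    print("flags stay better than a coin flip up to",
          max_flows(TPR, FPR, half, 1), "flows (prior 1/n) or",
          max_flows(TPR, FPR, half, 2), "flows (prior 1/n^2)")
```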


Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread Mansour Moufid
On Tue, Mar 6, 2012 at 11:55 PM, The23rd Raccoon wrote:
> Now bear in mind that I'm just a Raccoon, but some time ago I scrawled
> a proof out that showed that the correlation accuracy of a "dragnet
> GPA" goes down in proportion to the square of the number of concurrent
> users using an anonymization service:
> http://archives.seul.org/or/dev/Sep-2008/msg00016.html

Are we so sure there are no methods of correlation with zero false
positive rate [P(C|~M) = 0]?


Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread Mike Perry
Thus spake Seth David Schoen (sch...@eff.org):

> Eva Galperin and I worked on this graphic (drawn by Hugh D'Andrade)
> that tries to show the difference between the threats Tor addresses
> and the threats HTTPS addresses.
> 
> https://www.eff.org/deeplinks/2012/03/https-and-tor-working-together-protect-your-privacy-and-security-online
> 
> The complete interactive version is at
> 
> https://www.eff.org/pages/tor-and-https

This is a really awesome graphic and instructional tool. I just wanted
to point out a couple things that may or may not actually matter:

1. Technically, the NSA, site.com, site.com's ISP, and the subpoena
trifecta all see that you're using Tor to connect to site.com. We don't
try to hide this fact, but new users are often surprised and frustrated
by it. Perhaps "Tor" should be added to their infoboxes?

2. In a slightly more detailed version of the graphic that we might want
to create for training purposes, we could also add a "Bridge" button and
an "Obfsproxy" button. The "Bridge" button would change "Tor" to "Tor?"
at the Hacker and user's ISP and maybe the NSA. The "Obfsproxy" button
would remove "Tor" from those points (due to protocol obfuscation).

3. I agree with the Raccoon that the NSA's data sharing link is most
accurately described as "Uncertain". Maybe the fact that there's two of
them with separate info already conveys that? Hard to say.


-- 
Mike Perry




Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread Maxim Kammerer
On Wed, Mar 7, 2012 at 20:57, grarpamp  wrote:
> Going with the USA idea: what if the FBI, in the
> normal course of business, calls up all their local cable/dsl/fiber/cell
> providers and has a few lines run to each office and outhouse
> nationwide.

I think that it is important to differentiate national security and
law enforcement here. It is unlikely that agencies like the FBI and
its worldwide counterparts can break Tor anonymity. For instance,
public in USA is particularly hysterical about issues such as
pedophilia, yet FBI is apparently unable to locate members of
pedophile networks who use Tor — see http://dee.su/uploads/baal.html.
National security agencies, on the other hand, have to think about the
“big picture”, and would not put their methods of work in danger of
disclosure by running software that they don't trust (Tor) in
locations that they don't completely control (geographically variated
commercial data centers), or indulge in otherwise risky behavior
(routing tricks and the like, which can be discovered by regular
employees).

> There is this thread for starters:
>  http://archives.seul.org/or/talk/Jun-2009/msg00253.html

Although I doubt that US agencies had anything to do with that relays
number spike, it could be a simple attempt to aid opposition in Iran
(i.e., not to introduce rogue nodes that leak information for later
analysis).

-- 
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)


Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread Mike Perry
Thus spake Mike Perry (mikepe...@torproject.org):

> > But passive correlation is adequate anyway, even at very low sampling
> > rates (cf. Murdoch and Zielinski, PETS 2007). This is long known and
> > well understood. It's why we have always said that onion routing
> > resists traffic analysis not traffic confirmation.
> 
> I have to agree with the Raccoon here. I actually don't think Murdoch's
> work demonstrated that sampling adversaries can adequately correlate
> web-sized traffic.
> 
> It seems pretty clear to me that the typical sampling rate of 1/2048 did
> not become effective until you were around O(100MB) in transfer. He
> wrote that 1/500 became effective at around O(1MB) in transfer, but that
> is still a bit above most web page sizes.
> 
> There is also the question of an extremely low concurrent flow count
> compared to reality today. He used only 500 flows/hour to correlate,
> whereas at any given *second* O(10k) TCP connections are opened through
> every gbit Tor node in operation today. He also used an artificial prior
> distribution on connection sizes. Both of these properties alter the
> event rate and thus the overall accuracy in the experimental results as
> compared to reality.

You know, in hindsight, I don't want to sound like I'm hating on Steven
or his work. His work was quite clear along all of the dimensions I am
talking about, and was excellent research.

He in fact did even compare 500 flows/hour to 50 flows/hour and found
that the success rate did drastically improve, implicitly acknowledging
and measuring the relationship between event rate and accuracy.

I just think that web traffic on the Tor network today is *waay*
outside the bounds of where you can take his attack and say with any
certainty it would work, both in terms of traffic quantity (much smaller
than his success range) and flows per hour (much larger than his success
range).

And I think the same applies to general correlation, especially in the
face of things like Tor-obfuscated-as-http. Your event rate at the first
NSA guy in the graphic goes way up then, too. Of course, there will
likely have to be a long arms race with the censors before that actually
happens.



-- 
Mike Perry




Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread Mike Perry
Thus spake Paul Syverson (syver...@itd.nrl.navy.mil):

> > It's time the myth of the GPA was challenged. I don't think active
> > correlation attacks can be defended against, but I think they can at
> > least be detected.
> 
> Actually there are many papers over the last several years (e.g., at
> ACM CCS and Info Hiding) showing that one can place undetectable
> timing channels on flows (for some schemes provably undetectable for
> others practically undetectable).

Thanks to Mark Klein, we know that the NSA wiretaps in the US are
passive in nature, not active. But who knows what they do to overseas
links and specific high-value targets...

> But passive correlation is adequate anyway, even at very low sampling
> rates (cf. Murdoch and Zielinski, PETS 2007). This is long known and
> well understood. It's why we have always said that onion routing
> resists traffic analysis not traffic confirmation.

I have to agree with the Raccoon here. I actually don't think Murdoch's
work demonstrated that sampling adversaries can adequately correlate
web-sized traffic.

It seems pretty clear to me that the typical sampling rate of 1/2048 did
not become effective until you were around O(100MB) in transfer. He
wrote that 1/500 became effective at around O(1MB) in transfer, but that
is still a bit above most web page sizes.

There is also the question of an extremely low concurrent flow count
compared to reality today. He used only 500 flows/hour to correlate,
whereas at any given *second* O(10k) TCP connections are opened through
every gbit Tor node in operation today. He also used an artificial prior
distribution on connection sizes. Both of these properties alter the
event rate and thus the overall accuracy in the experimental results as
compared to reality.

I think we can agree that large video uploaders stick out like sore
thumbs (due to relative lack of upload traffic frequency), but I don't
think The Man can correlate millions of simultaneous web page views and
expect to have certainty over who is viewing what at all times. At some
point, you simply run out of differentiating bits to extract from size
and timing information to properly segment the userbase.

And as far as I know, no one has really considered the full impact of
userbase size on correlation in the research community (aside from the
Raccoon).



-- 
Mike Perry




Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread grarpamp
> The nodes must reside in commercial data centers

Subject only to Tor's defenses, such as CIDR block restrictions, a
node is a node. Going with the USA idea: what if the FBI, in the
normal course of business, calls up all their local cable/dsl/fiber/cell
providers and has a few lines run to each office and outhouse
nationwide. Not enough nodes? Maybe they offer their workers free
internet access and give them a secure little 'router'. Or use
routing and vpn tricks to buy/borrow enough CIDR safe node IP's
from whoever and route them all back to a node farm for easier
management.

> the resulting possibility of discovering the interception framework
> employed

Only the node list needs to be classified against FOIA to prevent
blockage. Once the tech is figured out to the point that product
is producible, the remaining thing is what can be legally done with
it all. Warrantless and dragnet tap projects are holding up pretty
well so far, right? Certainly targeted actions are no problem.

> run untrusted software (including necessarily modified Tor clients),
> all of which exposes them to hacking risks

No news of Tor daemons being cracked to date, right? Isn't Tor full
of nodes running all sorts of untrusted software under less than
perfect admin skills? It's pretty unlikely that 'chat room' busts
use Common Criteria systems either.


> But one could try correlating Tor relays and Tor clients growth
> graphs since, say, 2000 - if at some point there was a sharp
> growth in USA-located relays without a corresponding growth in
> total clients, and if those relays have similar bandwidth / data
> center quality capabilities, then that could be "The Man".

There is this thread for starters:

 http://archives.seul.org/or/talk/Jun-2009/msg00253.html

I would also look to make sure the timing to a node makes sense
with its presumed geolocation. It should never be shorter than
possible, nor really much longer either.


Perhaps the threat is unlikely, but not impossible.
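
One way to run the timing-versus-geolocation check suggested above, as an added example that is not part of the original post. The vantage point, relay names, coordinates, RTT samples and the slack/overhead thresholds are all constructed assumptions; only the speed-of-light floor is a hard limit.

```python
import math

EARTH_RADIUS_KM = 6371.0
C_VACUUM_KM_PER_MS = 299.792458   # hard physical limit
C_FIBER_KM_PER_MS = 200.0         # roughly 2/3 c, typical for optical fibre


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(min(1.0, math.sqrt(h)))


def check_relay(vantage, claimed, rtt_samples_ms, slack=4.0, overhead_ms=30.0):
    """Compare the best observed RTT with what the claimed location allows.

    Returns (verdict, distance_km, floor_ms). "impossible" means the reply
    came back faster than light could cover the round trip, so the claimed
    location is wrong. "suspiciously_slow" is only a heuristic (slack and
    overhead_ms are assumptions): an overloaded relay or a detour in routing
    produces the same symptom, so it is a prompt for a closer look.
    """
    dist = great_circle_km(vantage, claimed)
    best = min(rtt_samples_ms)                 # the minimum filters out queueing delay
    floor = 2 * dist / C_VACUUM_KM_PER_MS
    ceiling = slack * (2 * dist / C_FIBER_KM_PER_MS) + overhead_ms
    if best < floor:
        verdict = "impossible"
    elif best > ceiling:
        verdict = "suspiciously_slow"
    else:
        verdict = "plausible"
    return verdict, round(dist), round(floor, 1)


# Constructed sample data: one measuring host and three hypothetical relays.
VANTAGE = (50.11, 8.68)                        # Frankfurt
RELAYS = {
    "relayA": ((40.71, -74.01), [88.1, 85.3, 91.0]),     # claims New York
    "relayB": ((-33.87, 151.21), [12.4, 13.0, 15.8]),    # claims Sydney
    "relayC": ((52.37, 4.90), [181.2, 179.5, 190.3]),    # claims Amsterdam
}


def audit(relays=RELAYS, vantage=VANTAGE):
    """Run the check over every relay and return {name: verdict}."""
    return {name: check_relay(vantage, loc, rtts)[0]
            for name, (loc, rtts) in relays.items()}


if __name__ == "__main__":
    for name, (loc, rtts) in RELAYS.items():
        verdict, dist, floor = check_relay(VANTAGE, loc, rtts)
        print(f"{name}: {dist} km, floor {floor} ms, best {min(rtts)} ms -> {verdict}")
```
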


Re: [tor-talk] Tor and HTTPS graphic

2012-03-07 Thread Maxim Kammerer
On Wed, Mar 7, 2012 at 06:30, grarpamp  wrote:
> Setting aside the taps, what if half the 3000 nodes are 'The Man'?

I think that's quite unlikely. The nodes must reside in commercial
data centers and run untrusted software (including necessarily
modified Tor clients), all of which exposes them to hacking risks and
to the resulting possibility of discovering the interception framework
employed (which is probably not unique to Tor, so that's a huge risk).
But one could try correlating Tor relays and Tor clients growth graphs
since, say, 2000 — if at some point there was a sharp growth in
USA-located relays without a corresponding growth in total clients,
and if those relays have similar bandwidth / data center quality
capabilities, then that could be "The Man".

-- 
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread The23rd Raccoon
On Wed, Mar 7, 2012 at 12:20 AM, Seth David Schoen  wrote:
> and...@torproject.is writes:
>
> I was concerned that the graphic should not make people think that
> _no one_ can ever associate them with their browsing when they use
> Tor.  I've been taught to think of the GPA threat (and other traffic
> correlation threats) as real, so I thought people should have some
> indication of those threats.

Now bear in mind that I'm just a Raccoon, but some time ago I scrawled
a proof out that showed that the correlation accuracy of a "dragnet
GPA" goes down in proportion to the square of the number of concurrent
users using an anonymization service:
http://archives.seul.org/or/dev/Sep-2008/msg00016.html

The belief that you can test a correlation system independent of a
population size is called the Base Rate Fallacy, and I believe much of
the PETS timing attack literature suffers from it. In that post I
demonstrated the effect the Fallacy has on dragnet correlation. I also
gave some example calculations for how accuracy changes from different
points of network surveillance with respect to population size and
correlation accuracy.

With end-to-end encryption and proper Tor cell size choice, the NSA's
odds of watching everyone all the time (Example 1 in my post) and
getting the correlation right are low and do clearly drop as more
people use Tor.

Therefore, I think the most accurate representation would be to put a
question mark next to the data link between the two NSA dudes in your
graphic, because they aren't exactly sharing perfectly; they are
consulting each other, correlating observed traffic patterns with some
error rate, and rolling the dice. A question mark captures this well.

Putting "Capabilities Uncertain" underneath the question mark or as a
footnote might be even better, if we already have newspaper articles
citing the graphic as proof Tor is broken...


P.S. To the list administrators, it looks like the new archives have
truncated my proof at the new archive:
https://lists.torproject.org/pipermail/tor-dev/2008-September/002493.html
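
The base-rate effect described in this post, as an added example that is not part of the original message or of the linked proof. It is a constructed toy model: the uniform flow sizes, the noise and tolerance values, and the function names are assumptions chosen only to show how the share of correct "matches" falls as the number of concurrent users grows.

```python
import random


def posterior_true_match(tpr, fpr, n_users):
    """Bayes: P(two flows really belong together | correlator says "match").

    A dragnet observer compares one entry flow against n_users exit flows,
    exactly one of which is the right one, so the prior is 1/n_users.
    """
    prior = 1.0 / n_users
    hit = tpr * prior
    false_alarm = fpr * (1.0 - prior)
    return hit / (hit + false_alarm)


def simulate_dragnet(n_users, seed, max_size=1_000_000, noise=3_000,
                     tolerance=5_000):
    """Correlate every entry flow with every exit flow by transfer size.

    Each user moves one flow whose true size is uniform in [0, max_size]
    bytes. The observer sees the size at both ends with independent
    measurement noise and declares a match when the two readings differ
    by at most `tolerance`. Returns (true_matches, false_matches, precision).
    """
    rng = random.Random(seed)
    sizes = [rng.uniform(0, max_size) for _ in range(n_users)]
    entry = [s + rng.uniform(-noise, noise) for s in sizes]
    exit_ = [s + rng.uniform(-noise, noise) for s in sizes]

    true_matches = false_matches = 0
    for i, a in enumerate(entry):
        for j, b in enumerate(exit_):
            if abs(a - b) <= tolerance:
                if i == j:
                    true_matches += 1
                else:
                    false_matches += 1   # a different user's flow looked alike

    flagged = true_matches + false_matches
    precision = true_matches / flagged if flagged else 0.0
    return true_matches, false_matches, precision


if __name__ == "__main__":
    # The per-pair error rates stay roughly constant, but the number of wrong
    # candidate pairs grows as n*(n-1), so precision drops with population.
    for n in (50, 200, 800):
        t, f, p = simulate_dragnet(n, seed=1)
        tpr = t / n
        fpr = f / (n * (n - 1))
        print(f"n={n:4d} tpr={tpr:.3f} fpr={fpr:.4f} "
              f"false={f:5d} precision={p:.3f} "
              f"bayes={posterior_true_match(tpr, fpr, n):.3f}")
```

The per-pair rates look excellent in isolation (about 97% true positives, about 1% false positives with these constructed parameters); the drop in precision comes entirely from the growing population.
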


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Paul Syverson
On Tue, Mar 06, 2012 at 08:15:58PM -0500, Mansour Moufid wrote:
> On Tue, Mar 6, 2012 at 4:04 PM, Paul Syverson  
> wrote:
> > I'm a mere four years behind in putting my work up on the web, and
> > this one wasn't co-authored so nobody else did either. I'll try to do
> > something about that in my copious free time this week and send a
> > link.
> 
> Please do, this attack you mention is one I've been very interested
> in. I'm sure many others would also love to read more about it.
> 
I'll try to get to it soon.

> It's time the myth of the GPA was challenged. I don't think active
> correlation attacks can be defended against, but I think they can at
> least be detected.

Actually there are many papers over the last several years (e.g., at
ACM CCS and Info Hiding) showing that one can place undetectable
timing channels on flows (for some schemes provably undetectable for
others practically undetectable).  But passive correlation is adequate
anyway, even at very low sampling rates (cf. Murdoch and Zielinski,
PETS 2007). This is long known and well understood. It's why we have
always said that onion routing resists traffic analysis not traffic
confirmation.

-Paul


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread grarpamp
Nice graphic :)


Some small details not worth including...

site.com under HTTPS really means site-IP to various observers
between user and webserver. site-IP may or may not mean site.com
in the presence of virtual hosting schemes.

At the exit and beyond, knowing a site user is using Tor could
be presumed by use of the known exit IP.

Relay 2 doesn't know any named user is using Tor.
Relay 3 doesn't know any named user is using Tor, when under HTTPS.

The GPA's typically reside in the unshown tier-n internet cloud.
The nodes reside in the mini red ISP bubbles, linked into the cloud.


> GPA - myth vs. reality

As to doubts about the current possible state of affairs...

Wait a sec! So an academic can borrow their departmental compute
cluster and prove GPA is workable. Yet massive TLA's with say $50
billion budgets can't move to spend a few million to patch together
a global array of hosts, in their already existing racks, on their
already existing taps, over which they know juicy info flows and
'social' network graphs exist? And for which people who like 'doing
good for their country/business/people' would die to geek out on
the $50-$100k salary, fun and access they might pay to do it. Come
on, get real. Other investments surely pay off with more frequency
and plaintext. But even as a testbed, and with limited or targeted
global visibility, production research seems doable and maybe even
profitable. Regardless of whether it could be easily/directly used
in civilian matters.

Global logistics is already done. For example, every bank, shipping
service, airline, manufacturer, etc... has a network node in every
one of its locations. A GPA is nothing special in that regard.

Maintaining the secrecy of it all might be the hardest problem to
scaling up beyond either a specific target, or the occasional
matchup as circuits transit a number of domestic taps/nodes.

Whether or not GPA is deployed, everyone knows whitepapers, taps,
interest, shell companies and bankroll and vans, and flat out
cooperation exist.

Setting aside the taps, what if half the 3000 nodes are 'The Man'?
At $35/mo a year of them is $630k. What's the budget of your adversary
and its friends again?

'non-exit relay by default' might be a good way to drive their odds
down and costs up on that a bit. I don't know.

Taps or nodes, if such an adversary might have an interest in you,
I wouldn't wait for the canary before donning your mask.


> At PETS in 2009[0], Paul did a talk on 'why I'm not an entropist'
> and suggested that people need to start working on defeating a
> mythical global passive adversary.

> Yes, I meant stop. When skynet achieves consciousness, the analysis
> of traffic on the Internet will be the least of our problems.

There may not be anything to do about it, now or then. But without
at least some part of the greater community always thinking about
solutions, there never will be.

One solution may involve somehow furthering the cause of distributed
private mesh networks. GPA is possible because of collusion with
large single entity backbones and or knowing where to tap profitably
and or secretly. Moving the global model from hierarchical space,
to distributed mesh space would make that harder. When facebook
parks its cluster on Joe's well connected 'better than commercial
ISP' wifi, the cause has succeeded :) (Note that a mesh need not
be wifi, neighbors to neighbors with cable scraps works as well.)

Not happening anytime soon though, not before the whole 'thou shalt
not run vs. freedom of speech vs. wiretap vs. data retention' thing
settles.


> It is true that Tor is weak against a global passive adversary,
> but there's no reason, from my point of view, to include that in
> material geared towards non-PET researchers.

As Tor is being used by those who are either friends or enemies
with their GPA of choice, having it on the chart seems ok food for
thought.


> I'm a mere four years behind in putting my work up on the web,
> I'll try to do something about that in my copious free time this
> week and send a link.
> [0] http://petsymposium.org/2009/program.php

Someone will read it. Being behind happens, no worries :)


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Mansour Moufid
On Tue, Mar 6, 2012 at 7:27 PM, Ted Smith  wrote:
> On Tue, 2012-03-06 at 16:20 -0800, Seth David Schoen wrote:
>> I was concerned that the graphic should not make people think that
>> _no one_ can ever associate them with their browsing when they use
>> Tor.  I've been taught to think of the GPA threat (and other traffic
>> correlation threats) as real, so I thought people should have some
>> indication of those threats.
>
> Is it unfair to say that, properly used and in the context given in the
> graphic (using HTTP(S) websites), there is no known adversary that can
> associate them with their browsing? I'm not a full-time PET researcher,
> but smarter people than myself in this thread seem to think the GPA is
> more of a myth than a reality.

IMHO, the GPA is a myth in the sense that some attacks attributed to a
GPA don't actually require it to be `global'. (Most Internet traffic
eventually passes through a few, very specific points, for example.)
But the attacks attributed to them are certainly not myths. I think
Paul Syverson explained it best above.


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Maxim Kammerer
On Wed, Mar 7, 2012 at 02:27, Ted Smith  wrote:
> I'm not a full-time PET researcher, but smarter people than myself in this 
> thread seem to think the GPA is
> more of a myth than a reality.

Using https://metrics.torproject.org/csv/relaycountries.csv:

$ grep 2012-03-05 relaycountries.csv | cut -d, -f2-3 | tr , ' ' | sort -rn -k 2 | grep -v ' [0-9]$' | pr -t4
us 778    it 42    dk 24    ro 15
de 507    at 40    no 21    il 15
fr 170    cz 38    lt 21    ar 12
ru 169    pl 33    sc 20    br 11
nl 166    fi 33    lu 20    sk 10
zz 138    ch 33    es 17    nz 10
se 111    au 29    hu 16    gr 10
gb 107    ua 28    be 16    bg 10
ca 80     jp 24

From a cursory glance, all countries on the list (assuming that "zz"
is satellite or unclassified, and with the exception of Russia) are
NATO countries or similar, sharing electronic intelligence with the
USA. Russia is a potential war adversary, so its communications
interception is high-priority for the USA as well. In summary, the
traffic channels of absolute majority of Tor relays (Internet
backbones and satellite links) are easily accessible by the US
intelligence agencies. Intercepting and correlating all Tor traffic is
thus a question of willpower and resources prioritization, not
viability.

-- 
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Mansour Moufid
On Tue, Mar 6, 2012 at 4:04 PM, Paul Syverson  wrote:
> I'm a mere four years behind in putting my work up on the web, and
> this one wasn't co-authored so nobody else did either. I'll try to do
> something about that in my copious free time this week and send a
> link.

Please do, this attack you mention is one I've been very interested
in. I'm sure many others would also love to read more about it.

It's time the myth of the GPA was challenged. I don't think active
correlation attacks can be defended against, but I think they can at
least be detected.


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Ted Smith
On Tue, 2012-03-06 at 16:20 -0800, Seth David Schoen wrote:
> and...@torproject.is writes:
> 
> > The GPA is in every paper on the topic. But only Seth has the real
> > answer.
> 
> I was concerned that the graphic should not make people think that
> _no one_ can ever associate them with their browsing when they use
> Tor.  I've been taught to think of the GPA threat (and other traffic
> correlation threats) as real, so I thought people should have some
> indication of those threats.
> 

Is it unfair to say that, properly used and in the context given in the
graphic (using HTTP(S) websites), there is no known adversary that can
associate them with their browsing? I'm not a full-time PET researcher,
but smarter people than myself in this thread seem to think the GPA is
more of a myth than a reality.

Yes, the GPA is in every paper, but what you put in papers is different
from what you put in introductory material.




Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Seth David Schoen
and...@torproject.is writes:

> The GPA is in every paper on the topic. But only Seth has the real
> answer.

I was concerned that the graphic should not make people think that
_no one_ can ever associate them with their browsing when they use
Tor.  I've been taught to think of the GPA threat (and other traffic
correlation threats) as real, so I thought people should have some
indication of those threats.

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread andrew
On Tue, Mar 06, 2012 at 02:04:11PM -0500, te...@riseup.net wrote 3.5K bytes in 
90 lines about:
: The graphic here seems to be the EFF graphic from the OP in this thread.
: Did you mean something else? Or did you mean to say, "there's already
: one story using this graphic as proof that the NSA can break Tor"?

The latter. English fail on my part.

: It is true that Tor is weak against a global passive adversary, but
: there's no reason, from my point of view, to include that in material
: geared towards non-PET researchers. Maybe Seth could comment on why the
: EFF decided it was necessary to include it?

The GPA is in every paper on the topic. But only Seth has the real
answer.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Maxim Kammerer
On Tue, Mar 6, 2012 at 23:04, Paul Syverson  wrote:
> The suggestion was that people _stop_ working on
> defeating the GPA, which is unrealistic as both too strong (global)
> and too weak (passive).

While this may be true in the theoretical sense, it doesn't mean that
one can't make correlation attacks less practical. I find it hard to
believe that right now NSA, for instance, has Tor traffic analysis
tightly integrated into its worldwide communications sniffing
framework, simply because it's too much of a logistic problem, and
anonymous networks are unlikely to be sufficiently high-profile
targets so as to warrant expending the resources to deal with the
logistics (yet). But I think that it is entirely believable that NSA
has a dedicated project (even if only for research purposes) where the
traffic from all known relays (a relatively stable pool of ~3000
nodes?) is sniffed and analyzed — that would be relatively simple to
set up and maintain, given the unlimited interception capabilities. And
you can combat the latter — by extending and popularizing the entry
bridges concept, implementing exit bridges, making all clients relays
by default (even if that won't contribute significant bandwidth), etc.

-- 
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread andrew
On Tue, Mar 06, 2012 at 04:04:10PM -0500, syver...@itd.nrl.navy.mil wrote 1.5K 
bytes in 33 lines about:
: Is that a typo? The suggestion was that people _stop_ working on

Yes, I meant stop. When skynet achieves consciousness, the analysis of
traffic on the Internet will be the least of our problems.

-- 
Andrew
http://tpo.is/contact
pgp 0x74ED336B


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Paul Syverson
On Tue, Mar 06, 2012 at 12:22:16PM -0500, Andrew Lewman wrote:
> 
> At PETS in 2009[0], Paul did a talk on 'why I'm not an entropist' and
> suggested that people need to start working on defeating a mythical
> global passive adversary. Maybe in the near future some government will
> have the capability of being the global passive adversary.
> 

Is that a typo? The suggestion was that people _stop_ working on
defeating the GPA, which is unrealistic as both too strong (global)
and too weak (passive). I've been making the same point for over 15
years, but this was an attempt to sum a lot of that up in one
place. Adversaries may be really large, but it's generally unrealistic
to consider any one of them truly global on the internet.  (In the
paper I call realistically large adversaries, The Man.) And passive
makes your mathematical proofs cleaner (and sometimes doable at all)
but assuming your adversary can't even make use of delaying packets
passing by him for a few milliseconds is ridiculous. So what you
you end up proving doesn't really tell you much about real systems
even in principle. Which is why I (and others) have been working on
better models.

I'm a mere four years behind in putting my work up on the web, and
this one wasn't co-authored so nobody else did either. I'll try to do
something about that in my copious free time this week and send a
link.

aloha,
Paul


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Ted Smith
On Tue, 2012-03-06 at 12:22 -0500, Andrew Lewman wrote:
> On Tue, 06 Mar 2012 11:22:33 -0500
> Ted Smith  wrote:
> > While I like the graphic overall, I think the "NSA as a global passive
> > adversary" element is an example of the graphic being overloaded with
> > information that will confuse/scare away most people.
> 
> So far, there is one story where Eva claims the NSA can break tor
> easily, see this Tor and HTTPS graphic as proof:
> 
> https://secure.security.nl/artikel/40574/1/%2522NSA_kan_Tor-gebruikers_identificeren%2522.html
> 

The graphic here seems to be the EFF graphic from the OP in this thread.
Did you mean something else? Or did you mean to say, "there's already
one story using this graphic as proof that the NSA can break Tor"?

> If your adversary is any rumored global passive adversary that can watch
> and record the entire Internet at once, then you've probably already
> lost the game.
> 
> At PETS in 2009[0], Paul did a talk on 'why I'm not an entropist' and
> suggested that people need to start working on defeating a mythical
> global passive adversary. Maybe in the near future some government will
> have the capability of being the global passive adversary.
> 
> [0] http://petsymposium.org/2009/program.php
> 

Your use of the words "rumored" and "mythical" are exactly why I don't
think a global passive adversary should be in an educational graphic for
people who don't know what Tor is. A global passive adversary seems very
unlikely now, and it seems even more unlikely that such an adversary
would be able to act on intelligence gained from being in that
position. 

It is true that Tor is weak against a global passive adversary, but
there's no reason, from my point of view, to include that in material
geared towards non-PET researchers. Maybe Seth could comment on why the
EFF decided it was necessary to include it?




Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Andrew Lewman
On Tue, 06 Mar 2012 11:22:33 -0500
Ted Smith  wrote:
> While I like the graphic overall, I think the "NSA as a global passive
> adversary" element is an example of the graphic being overloaded with
> information that will confuse/scare away most people.

So far, there is one story where Eva claims the NSA can break tor
easily, see this Tor and HTTPS graphic as proof:

https://secure.security.nl/artikel/40574/1/%2522NSA_kan_Tor-gebruikers_identificeren%2522.html

If your adversary is any rumored global passive adversary that can watch
and record the entire Internet at once, then you've probably already
lost the game.

At PETS in 2009[0], Paul did a talk on 'why I'm not an entropist' and
suggested that people need to start working on defeating a mythical
global passive adversary. Maybe in the near future some government will
have the capability of being the global passive adversary.

[0] http://petsymposium.org/2009/program.php

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread ix4svs
On 6 March 2012 04:55, Seth David Schoen  wrote:

> https://www.eff.org/pages/tor-and-https

Excellent stuff, thank you!

In particular well done for keeping it at just the right level of
complexity and not overloading it with information that will
confuse/scare away most people.

I like the idea of pointing people to this picture, asking them "do
you want THIS?" and then being able to point to the Tor Browser Bundle
as a one-stop solution that provides exactly THIS.

(Now all we need to do is somehow convince the other 99% of the
population that the "NSA", "police", "sysadmin" and "lawyer" icons are
not some privacy activist's pipe-dream but real threats)

Cheers

Alex


Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread Ted Smith
On Tue, 2012-03-06 at 15:38 +, ix4...@gmail.com wrote:
> 
> In particular well done for keeping it at just the right level of
> complexity and not overloading it with information that will
> confuse/scare away most people. 

While I like the graphic overall, I think the "NSA as a global passive
adversary" element is an example of the graphic being overloaded with
information that will confuse/scare away most people.




Re: [tor-talk] Tor and HTTPS graphic

2012-03-06 Thread proper
Nice, I like it very much.

It also demonstrates the need for DNSCrypt, then "site.com" would also 
disappear from a few places.

Can you release the source code for the demonstration? That would allow others
to build upon your work. Other things like DNSCrypt, distributed DNS,
alternative web of trust (HTTPS), evil https certificate authorities and so on 
could be added to the graphics.
