On Fri, 02 Mar 2012 00:12:44 +0100 "proper proper" <pro...@secure-mail.biz> wrote:
> You ask the user not to use Bittorrent over Tor, as the network can
> not handle the load.

bittorrent trackers are fine, it's the bulk download of GB of data 7x24 that loads up the network.

> What about operating system updates behind a Transparent Tor Proxy?
> The same goes for the installation of legitimate software. No warez.
> "apt-get install gnome"

I do this all the time over tor. I trust tor exits more than wireless networks in hotels, airports, schools, and other locations. The latest TBB release allows me to stream youtube html5 videos over tor. In fact, sometimes when I travel, I scp my virtual machines over tor rather than risk a laptop search and seizure at a border.

I expect that tor the protocol and network should punish me for asking to transfer so much data. I don't care if my apt-get takes an extra 10 minutes to complete. I don't care if my vm disk transfer takes all night rather than one hour. De-prioritizing my bulk traffic is fine if others get webpages, instant messages, and the like through faster.

The trick is, I like to think I know what I'm doing and that I'll notice if apt-get or my VM image fails to transfer untouched. Whether I'll actually notice a sophisticated exploit in deb packages or my vm image modified in a perfect way that gpg or sha256 hashes don't detect, remains to be seen.

If I pulled a random person out of a barcamp and asked them to do an OS X or Windows update over transparently proxied tor, would they notice if the package was modified in transit? What do these OSes do in this case? What about freebsd ports? Or other package systems? What about all of the other software that updates itself automagically without a system package manager?

The details from a central http://mitmproxy.org/ are fascinating to see how much stuff on my network uses cleartext data and protocols and never even check for a sha-1/md5 hash, never mind .asc code signed packages. It's also scary to see what never checks if the ssl cert is valid or not. ssl-cert-snakeoil works fine for a surprising amount of software.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475