Roger Dingledine writes:

> But in this particular case I'm stuck, because the arms race is so
> lopsidedly against us.
>
> We can scan for whether exit relays handle certain websites poorly,
> but if the list that we scan for is public, then exit relays can mess
> with other websites and know they'll get away with it.

I think the remedy is ultimately HTTPS everywhere. Then the problem is reduced to checking whether particular exits try to tamper with the reliability or capacity of flows to particular sites, or with the public keys that those sites present. (And figuring out whether HTTPS and its implementations are cryptographically sound.)

The arms race of "we don't really have any idea what constitutes correct behavior for this vast number of sites that we have no relationship with, but we want to detect when an adversary tampers with anybody's interactions with them" seems totally untenable, for exactly the reasons that you've described. But detecting whether intermediaries are allowing correctly-authenticated connections to endpoints is almost tenable, even without relationships with those endpoints.

(I do think that continuing to work on the untenable secret scanning methods is great, because attackers should know that they may get caught. It's a valuable area of "impossible" research.)

Yan has just added an "HTTP nowhere" option to HTTPS Everywhere, which prevents a browser from making any HTTP connections at all. Right now that would probably be quite annoying and confusing to Tor Browser users, but maybe with some progress on various fronts it could become less so.

--
Seth Schoen <sch...@eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
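
Added example, not part of the original message or of any Tor Project scanner: a sketch of the comparison the message calls "almost tenable", flagging an exit only when a TLS chain fails validation through it while most other exits authenticate the same host correctly. The observation format, the `classify` function, the `quorum` threshold and all exit names, hosts and key hashes are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample observations: (exit_id, host, chain_valid, spki_hash).
# Exit names, hosts and hashes are made-up placeholders, not real relays or keys.
OBSERVATIONS = [
    ("exitA", "site1.example", True,  "aa11"),
    ("exitB", "site1.example", True,  "aa11"),
    ("exitC", "site1.example", False, "ff99"),  # unverifiable chain, odd key
    ("exitA", "site2.example", True,  "bb22"),
    ("exitB", "site2.example", True,  "cc33"),  # valid chain, different key
    ("exitC", "site2.example", True,  "bb22"),
    ("exitA", "site3.example", False, "dd44"),  # site itself is misconfigured:
    ("exitB", "site3.example", False, "dd44"),  # every exit sees the same
    ("exitC", "site3.example", False, "dd44"),  # failure, so nobody is flagged
]

def classify(observations, quorum=0.5):
    """Return (suspect, informational) lists of (exit_id, host) pairs.

    suspect: the chain failed validation through this exit while more than
        `quorum` of the other exits validated the same host.
    informational: the chain validated but the key differs from the most
        common one, which is normal for multi-certificate deployments.
    """
    by_host = defaultdict(list)
    for exit_id, host, valid, spki in observations:
        by_host[host].append((exit_id, valid, spki))

    suspect, informational = [], []
    for host, rows in by_host.items():
        valid_keys = Counter(s for _, v, s in rows if v)
        common_key = valid_keys.most_common(1)[0][0] if valid_keys else None
        for exit_id, valid, spki in rows:
            others = [v for e, v, _ in rows if e != exit_id]
            ok_share = sum(others) / len(others) if others else 0.0
            if not valid and ok_share > quorum:
                suspect.append((exit_id, host))
            elif valid and common_key is not None and spki != common_key:
                informational.append((exit_id, host))
    return sorted(suspect), sorted(informational)
```

No per-site baseline is needed: the certificate chain itself says what correct authentication looks like, and a host that fails through every exit is treated as broken at the origin.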