[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] Is this still valid?



U.R.Being.Watched writes:

> http://www.deseret-tech.com/journal/psa-tor-exposes-all-traffic-by-design-do-not-use-it-for-normal-web-browsing/

There are some mistakes in the article -- for example the notion that
Tor "was built for a specific purpose, which was the circumvention of
restrictive firewalls" like the Great Firewall of China.

If you read the original Tor design paper from 2004, censorship
circumvention was actually not an intended application at that time:

https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf

("Tor does not try to conceal who is connected to the network.")

That has subsequently changed, the project adopted anticensorship uses
as an additional goal, and nowadays Tor does sometimes try to conceal
who is connected to the network, when they ask it to.  (Sometimes this
succeeds against a particular network operator, and sometimes not.)

But the original design goal was privacy in a particular sense, and
not censorship circumvention.

My colleagues and I made an interactive diagram a few years ago to try
to explain the same concern that this article presents.

https://www.eff.org/pages/tor-and-https

One part of it is that if you use Tor without additional crypto protection
to your destination (like HTTPS), a different set of people can eavesdrop
on you than if you didn't use Tor at all.  That's definitely still
true and is always a basic part of Tor's design.  You might think those
people are better or worse as eavesdroppers than the nearby potential
eavesdroppers.  The faraway eavesdroppers might be more organized and
malicious about it, but they also might start out not knowing who you are.
Whereas the nearby eavesdroppers might physically see you, or have issued
you an ID card, or have your credit card.

As we thought when we made that diagram, probably the best solution for
this is more and better HTTPS.  At some point (which may already be in the
past), it might even be a good idea for Tor Browser to refuse to connect
to non-HTTPS sites by default, although that might be a difficult policy
to explain to users who don't understand exactly what HTTPS is and how
it protects them, and just see that Tor Browser stops being able to use
some sites that Internet Explorer can work with.

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk