[liberationtech] Anonymity Smackdown: NSA vs. Tor

Kyle Maxwell kylem at xwell.org
Tue Aug 6 20:43:39 PDT 2013


So Robert Graham, professional security dude and sometimes friendly
troll, posted a blog article[0] about weaknesses in Tor, centered on
likely attacks by the NSA.

The key, obviously, is the primary assertion that the NSA runs "lots"
of Tor nodes. I've seen this assertion before, and while it's
certainly a reasonable assumption, I don't know if anybody outside the
NSA actually has hard evidence for that. Runa Sandvik's excellent
talk[1] at DEF CON 21 started to address this, but clearly more work
remains to be done here.

Assuming that assertion holds, the architectural criticisms start to
matter more: 3 hops, 1024-bit RSA keys, etc. Other criticisms are
really about operational security: sending non-encrypted traffic (e.g.
HTTP) over Tor that can be monitored at the exit node or running the
Tor proxy on the same system as the browser. Actually, the latter is
arguably an architectural problem as well, with experiments like
Whonix and Portal of Pi[2] trying to address this.

These are important considerations for users who use Tor as more than
just a free VPN and have a much more complicated threat model.

[0]: http://blog.erratasec.com/2013/08/anonymity-smackdown-nsa-vs-tor.html
[1]: https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Sandvik
[2]: https://github.com/grugq/PORTALofPi
-- 
@kylemaxwell


