tor 淘(上网一套)
Originally uploaded by Isaac Mao.
Isaac Mao posted this great mashup to his Flickr stream last summer, reflecting the enthusiasm of many Chinese Internet users for Tor.
Tor is a toolset developed by a non-profit team that helps you circumvent Internet censorship and increases your privacy and security as you surf the web. (Disclosure: I'm on Tor's Board of Directors.)
On Sunday some people began to worry that users may have been putting too much faith in Tor after somebody posted on Slashdot about a technical paper (PDF) that lays out an attack against Tor, in other words one that exposes a vulnerability that might enable an attacker to trace a user through the network.
The Tor team has posted a detailed blog post in response. An excerpt:
Using Tor is relatively safe. If there were a published way to attack the network that we thought made it less safe to use Tor, we’d tell you first — since, so far, the authors of every genuinely new vulnerability have told us before their work hit the web. We announce security patches and other issues on [email protected]
The UColorado/Boulder technical paper is an example of the evolving research in anonymity. Refining well-known attacks from several years ago, the researchers better documented what an attack on the network might look and behave like. They combined a bandwidth overstatement attack with a correlation attack.
They consulted with us on the project. We are aware of these kinds of potential attacks — but such a bandwidth overstatement attack, to be successful, would leave fingerprints all over the Tor directories. We have never seen such an attack “in the wild,” and we think it no more likely that this paper would make such an attack easier or more likely than it was a few years ago when another version of it was documented.
They point out that the UColorado Boulder researchers were themselves surprised at the furore their paper has created, and have now posted an FAQ. The first Q&A:
Q0. Most importantly, does this attack mean that we should stop using Tor?
A0. ABSOLUTELY NOT! Despite our findings, Tor is the most secure and usable privacy enhancing system available. We believe that the system is safe for end-users; however, the system is experimental and the developers make no guarantees about the degree of privacy that it can provide. Let us re-iterate: Concerned users should NOT stop using Tor.
For the short-term, the maintainers of the Tor directory servers can monitor the router list to ensure that there are no anomalous advertisements, and blacklist any suspicious routers. In our paper, we point out several counter-measures that significantly reduce the attack's effectiveness by increasing the resources required by an attacker to mount the attack.
The Tor team emphasizes that Tor is not 100% secure, and neither is any other tool. They have always been open with the public, on their website and in their public information e-mail lists, about what their vulnerabilities are, and they welcome researchers to help them find vulnerabilities so they can be fixed. They're a small team working for a newly-established non-profit organization and are seeking funding so that they can do more to close Tor's vulnerabilities ASAP. In conclusion they point out:
We appreciate that people care about Tor. If in the future you are worried about some issue in Tor, please feel free to contact us directly. If you read speculation about Tor, please encourage the bloggers to check with us — we’re very blogger friendly, and part of our purpose is to protect bloggers where blogging isn’t safe.
Imagine this scenario — a very small risk documented in a technical paper gets sensationalized in the blogosphere. Some number of dissidents and bloggers in places such as China abandon Tor. As a result, they might be arrested, jailed, or disappeared. Blogstorms can have real world consequences. Please ponder before you write, critically examine what you read, and ask us for updates.
If you're interested in learning more about all this stuff, one of the smartest writers about Internet "hacktivism" is my friend and former colleague Ethan Zuckerman. Check out his guide to anonymous blogging with WordPress and Tor; his thoughts on how cyber-activists should approach privacy and circumvention "threat models"; and his evaluation of Psiphon, another tool that takes a different approach to circumvention, and comparison with Tor.
Click here for slides of a workshop Ethan did with security expert/"hacktivist" Nart Villeneuve on how to use Tor and other circumvention and privacy tools.
Thanks to TOR I now have a cyberstalker who harasses me daily at my blog and I can't ban him. How do I get his TOR account terminated?
The cyberstalker refers to himself as "Meatbrain" and operates from www.thinkingmeat.net. His email is [email protected]
Since you're on the Board of TOR, consider this a formal complaint.
Posted by: Stogie | September 16, 2009 at 09:20 PM