p2pnet.net news:- Today, p2pnet ran an item saying according to a new research paper, Tor may not be as safe as people believe it is.

However, in a comment post, Shava Nerad, executive director of the Tor project, states, unequivocally, that’s not the way it is.

Not even nearly.

Here’s a statement in Nobody Knows You‘re a Dog.

>>>>>>>>>>>>>>>>>>>>>>>>>

The security community lives on papers that analyze attacks on security tools. Although these are called ‘attack papers’ they are usually done by people who are trying to help and refine the object of the research.

When an attack paper is published, documenting an attack on the Tor network, it’s often with our knowledge. The authors consult with us for inside info. But invariably, someone on slashdot or other blogs will skim the paper and say ‘OMG, Tor is broken!’

Using Tor is relatively safe. If there were a published way to attack the network that we thought made it less safe to use Tor, we’d tell you first †since, so far, the authors of every genuinely new vulnerability have told us before their work hit the web. We announce security patches and other issues on or-announce@freehaven.net.

The UColorado/Boulder technical paper is an example of the evolving research in anonymity. Refining well-known attacks from several years ago, the researchers better documented what an attack on the network might look and behave like. They combined a bandwidth overstatement attack with a correlation attack.

They consulted with us on the project. We are aware of these kinds of potential attacks – but such a bandwidth overstatement attack, to be successful, would leave fingerprints all over the Tor directories. We have never seen such an attack ‘in the wild,’ and we think it no more likely that this paper would make such an attack easier or more likely than it was a few years ago when another version of it was documented.

The authors of the new paper are preparing a FAQ to talk about how users should think about their research – they expressed their surprise and regrets at the uproar. I’ll post a link to that here as an update of this article later today.

An early draft includes this statement:

Q0. Most importantly, should we stop using Tor?

A0. ABSOLUTELY NOT! Despite our findings, Tor is the most secure and usable privacy enhancing system available. We believe that the system is safe for end-users, however, the system is experimental and the developers make no guarantees about the degree of privacy that it can provide. Let use re-iterate: Concerned users should NOT stop using Tor.

No internet security is 100%. Tor is not perfect – we’re constantly refining it, in a context of a hugely supportive community of researchers. But we believe we are still the best low-latency (i.e. allowing web surfing, not just transferring a file every few hours) anonymity/privacy one can have online without crossing a line of civility. Your only better option is to buy into a botnet, steal an identity, or participate in some other crime with a victim.

We are currently seeking funding that should help us close these vulnerabilities in Tor (and if you would like to donate or fund Tor development, please contact me!). We have plans to close the bandwidth overstatement vulnerability in the coming months. In the meantime, we watch for attacks on the network, and work to be transparent in our operations.

We appreciate that people care about Tor. If in the future you are worried about some issue in Tor, please feel free to contact us directly. If you read speculation about Tor, please encourage the bloggers to check with us †we’re very blogger friendly, and part of our purpose is to protect bloggers where blogging isn’t safe.

Imagine this scenario – a very small risk documented in a technical paper gets sensationalized in the blogosphere. Some number of dissidents and bloggers in places such as China abandon Tor. As a result, they might be arrested, jailed, or disappeared.

Blogstorms can have real world consequences. Please ponder before you write, critically examine what you read, and ask us for updates.

Stay tuned.

Slashdot it!

Also See:
research paper – Tor anonymity can be compromised, February 26, 2007
Nobody Knows you’re a Dog – The rumours of our demis …, February 26, 2007

If your Net access is blocked by government restrictions, try Psiphon from the Citizen Lab at thIs the end (of the Net) nigh?zze University of Toronto’s Munk Centre for International Studies. Go here for the official download, here for the p2pnet download, and here for details. And if you’re Chinese and you’re looking for a way to access independent Internet news sources, try Freegate, the DIT program written to help Chinese citizens circumvent web site blocking outside of China. Download it here.

---

rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php | | And use free p2pnet newsfeeds for your site

---

Tired of being treated like a criminal? They depend on you, not the other way around. Don’t buy their ‘product’. Do bug your local politicians. Use emails, snail-mail, phone calls, faxes, IM, stop them in the street, blog. And if you’re into organizing, organize petitions, organize demonstrations and then turn up on your local political rep’s doorstep, making sure you’ve contacted your local tv/radio station/newspaper in advance. Don’t just complain. Do something!

This entry was posted on Monday, February 26th, 2007 at 4:50 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

HOME

Viewed 2070 times