Hey Juan. I feel like I have something to add to this discussion, even though
generally, as others have said, this is not a new discussion.
Juan Garofalo <juan....@gmail.com> wrote:
>Tor cannot protect individuals from organizations that can monitor
>'big' parts of the internet. Organizations such as the US government,
>for instance. In that sense Tor is flawed.
This is the same as saying that any safe or vault can be opened by someone with
a powerful enough laser or explosive, yet we still use safes and vaults to
safeguard precious possessions and sensitive documents, don't we?
This is a basic security metaphor that must be understood. There are no
absolutes. It is about how hard you make your adversary work. This is the real
world of humans trying to get some digital advantage against very real, well
funded adversaries.
For combating mass dragnet activities, Tor is fantastic. For circumvention, Tor
is fantastic. For always defending 100% against the alpha dog surveillance
organization on the entire planet? Maybe Tor has some trouble there, but I
don't consider it a flaw, unless you can show me 100% total correlation of all
in and outbound traffic, such that it is *worse* to use Tor than not to.
With my work on Tor for Android, there are obviously a million horrible
eventualities that could come about by expecting privacy on a smartphone with a
SIM card. Yet, many people use Orbot, and are very happy with the protection
and freedom provides, even though they understand Google may know something
about them, or that the telcomms do know many things. Tor gives them a small
window of freedom, and if configured properly on a secure phone, a great deal
of freedom.
>I understand that the flaw is an inherent limitation of the way Tor
>works and it hasn't been put there 'on purpose'. But the fact remains,
>it is a bug, or feature, of Tor's design.
Tor is used by a wide variety of people, and it is designed with many user
stories in mind.
Yes one user story is "I want to remain anonymous from the US government" for
sure.
Another one though is "I want to access a website blocked in my country" and "I
want to make sure the admin of the network I am on cannot intercept or track my
email traffic, so they won't be alerted that I work for X human Rights group".
When you get out into the real world, the antiseptic stance you are taking
doesn't matter quite so much. Saying Tor is flawed because it doesn't withstand
the worse case scenario crypto-armageddon is just not an interesting a
discussion to have for the fourth or fifth time.
Finally, one of the most promising uses of Tor are around whistleblowing
services like Globaleaks, which require a Tor hidden service to access. In that
case, the global adversary problem does not exist, as the Tor exit and the web
service are on the same box.
Best,
Nathan
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
