Ethical Tor

Mirimir mirimir at riseup.net
Wed Nov 11 19:54:21 PST 2015


On 11/11/2015 07:59 PM, Ryan Carboni wrote:
>> On 11/11/2015 12:27 PM, Ryan Carboni wrote:
>>> https://blog.torproject.org/blog/ethical-tor-research-guidelines
>>>
>>> Interesting problem: to use Tor is to say you trust your ISP less than
>>> some pseudorandom person over the internet.
>>

[Mirimir wrote]

>> Sadly enough, that's often prudent. Some ISPs are honorable, for sure.
>> But many are duplicitous scum.
>>
>> In any case, it's more accurate to say that about your VPN provider.
>> With Tor, you're trusting the system, but system integrity is resilient
>> to malicious nodes. So you're not trusting any one of them fully, even
>> your entry guard, as much as you would have been trusting your ISP.
>>
>>
> Correct, it would be prudent to avoid using port 80 over Tor for anything
> personally identifiable.
> 
> http://motherboard.vice.com/read/court-docs-show-a-university-helped-fbi-bust-silk-road-2-child-porn-suspects

You neglected to identify my response!

Anyway, CMU's attack did manage to compromise some onion services, most
notably SR2.[0] And I'm not impressed with the Tor Project's
performance. They apparently ignored the CMU attack for five months.
Maybe they got blindsided by a zero day vulnerability. Or maybe they
just weren't paying enough attention.

But the SR2 connection came up in a comment, and there's no mea culpa
for the delay, just blame on CMU. It's stuff like this that fuels
conspiracy theories about Tor and the US military.

Also, your comment about port 80 makes no sense in this context. The CMU
attack deanonymized onion services, not users. And port 80 with onion
services is secure. It's non-encrypted traffic through exit nodes that's
insecure. There's no exit node when using onion services.

[0] https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users


