
HTTPS and Tor: Working Together to Protect Your Privacy and Security Online - Garbage
https://www.eff.org/deeplinks/2012/03/https-and-tor-working-together-protect-your-privacy-and-security-online
======
summerdown2
This assumes the NSA don't have a root CA they can use to man in the middle
SSL - an assumption that seems unlikely, given other well-publicised breaches
of CA's:

[http://www.pcworld.com/businesscenter/article/249510/trustwa...](http://www.pcworld.com/businesscenter/article/249510/trustwave_admits_issuing_maninthemiddle_digital_certificate_mozilla_debates_punishment.html)

[http://www.schneier.com/blog/archives/2010/04/man-in-the-
mid...](http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html)

[http://www.darkreading.com/authentication/167901072/security...](http://www.darkreading.com/authentication/167901072/security/attacks-
breaches/231600498/digital-certificate-authority-hacked-dozens-of-phony-
digital-certificates-issued.html)

[http://betanews.com/2010/03/25/has-ssl-become-pointless-
rese...](http://betanews.com/2010/03/25/has-ssl-become-pointless-researchers-
suspect-state-sponsored-ca-forgery/)

<http://lwn.net/Articles/372264/>

<http://blogs.cisco.com/security/black_hat_usa_2009_summary/>

... etc

------
runn1ng
Every other site now is either directly blocking Tor users or at least make
its use problematic.

I know it's mainly because of abusers, but once every bigger site doesn't
allow Tor users, it makes the Tor use too complicated.

~~~
CodeMage
I'm curious: how do they block Tor users? I don't know much about Tor, but I
thought that the whole point was that one Tor user should be indistinguishable
from another and that they all should be indistinguishable from "normal"
users.

~~~
ofashenaw8w3
edit: see below

Tor isn't indistinguishable from normal use, that's a big reason why they want
as many people using it for everyday browsing as possible.

They are trying as much as possible to minimize the distinctiveness, currently
making it very similar to https traffic, and with Obfsproxy recently
introduced.

So they can know that you are using Tor if they try hard enough, but not what
you are doing with it, which is the important part.

edit:

The previous comment was about what a state can determine about you. Websites
can just download the list of exit nodes and block access from those IPs.

~~~
CodeMage
Ah, so that's where I was wrong: I thought everyone would be an exit node,
too. Thanks for clearing it up!

~~~
98t9w3ha
Everyone could be if they wanted, but obviously it makes it look like someone
else's traffic came from your home, so only a good idea if you're prepared for
dealing with any complaints that could arise from that.

------
yuhong
SSL is essential for any site that requires logins to protect your
username/password and session to protect it from being hijacked. Tor only
needs to be used if anonymity is necessary.

