
Tor and HTTPS - claudius
https://www.eff.org/pages/tor-and-https
======
frisco
I think this is misleading. I now believe that the NSA has the private keys
for substantially all SSL certs in use, and I expect that a non-trivial
percentage of Tor nodes are run by the government.

SSL certs require cooperation of a trusted registrar even for the biggest
companies -- Google's is signed by Equifax, for example. Given what we've seen
in the last few days, requesting keys from the root CAs is a no-brainer.

For Tor, a bunch of attacks are possible by owning only a small percentage of
all nodes. Recently, Tor was issuing a "call for relays" due to a dwindling
number of participants that was endangering the network. Considering that Tor
came out of Navy research, if you don't think they have a statistically
interesting number of nodes, you're crazy. If they don't, it's only because
they don't think that Tor is an interesting source right now.

TL;DR: Security depends on your threat model, and while I think that Tor and
HTTPS provide strong protection from run-of-the-mill attackers, I don't think
that either provides meaningful security if you're worried about the NSA.

~~~
sneak
> SSL certs require cooperation of a trusted registrar even for the biggest
> companies -- Google's is signed by Equifax, for example. Given what we've
> seen in the last few days, requesting keys from the root CAs is a no-
> brainer.

Getting a root's key does not enable them to decrypt the traffic. Getting the
server's SSL private key USUALLY means you can retroactively decrypt, but it
is possible (though uncommon) for servers to be configured to use ephemeral
keys (EDH modes) which provide perfect forward secrecy (that is, the property
that the session key can't be recovered even with later compromise of the
server's long-term key).

Interesting sidenote: AFAIK there are no widely-supported (TLS 1.1 or below)
methods of mitigating the BEAST attack while enabling PFS - those modes are
TLS 1.2+ which isn't widely spoken yet.

 _This is all irrelevant though._ The issue is with the tech companies giving
them the plaintext data themselves. No amount of transport-layer encryption
helps with that.

You have to stop using US services.

~~~
frisco
I can't update my original post now, but I stand corrected. I "remembered"
uploading the private key with the CSR last time I went through the process,
but must have misremembered. Well, that's _some_ good news I guess. The NSA
could still easily request the private key from the company, of course.

~~~
sneak
You don't share your private key with the CA.

A certificate is an attestation (signature) by a CA's private key that a given
PUBLIC key is yours, that anyone with the CA's public key can verify.

The CSR does not contain your private key.

NONE OF THIS MATTERS. This is not about bulk-decrypting SSL, though I'm sure
NSA does that when and where they can, too. This is about coordinated,
automated, integrated methods of transmitting the plaintext.

Why should they bother getting a key and scraping gmail's payloads when they
could just have Google give them an API? Furthermore, this method would
continue working perfectly even ifwhen services switched to ephemeral key
modes that provide PFS.

------
wyck
The important part of the diagram for Tor is the first NSA character, as you
can see it still shows "Location" before you are routed through the Tor relay.

With the location information it is possible to correlate the exit information
via pattern matching, though it would take considerable analysis, this can be
done by logging volume and timing information on the two sides. I am sure
there are even better techniques to analyze exit/entry correlations,
especially if you're not using a secure browser.

So having a private VPS doesn't really matter, in fact it can make matters
worse because you are adding layers that can be "watched" before you hit an
entry node, the more data that can be logged the easier it is to track.

You're best option is to choose random nodes, connect at random times and also
look into using Tor bridges. If possible using several different IPS's or even
better random wi-fi hotspots, though this is hardly convenient for most users.

Tor bridges:
[https://www.torproject.org/docs/bridges.html.en](https://www.torproject.org/docs/bridges.html.en)

Whitepaper on Tor passive logging attacks (pdf):
[http://people.cs.umass.edu/~mwright/papers/wright-
passive.pd...](http://people.cs.umass.edu/~mwright/papers/wright-passive.pdf)

~~~
runeks
> With the location information it is possible to correlate the exit
> information via pattern matching, though it would take considerable
> analysis, this can be done by logging volume and timing information on the
> two sides. I am sure there are even better techniques to analyze exit/entry
> correlations, especially if you're not using a secure browser.

I've thought the same. But I've also thought that if this is indeed possible,
why does Silk Road still exist? Or does this analysis only apply Tor clients
connecting to websites, and not Tor hidden services?

~~~
haakon
Hidden service routing works quite differently that regular exiting traffic.
Twice the number of relays are involved, and the traffic is end-to-end
encrypted instead of being visible to any relay (such as an exit node).
Correlation attacks are always possible to a global passive adversary (which
NSA may or may not be), but as far as I can tell, they seem much harder to
pull off against hidden services.

------
belorn
An excellent illustration for those already familiar with the concepts.

However, I not sure its that easy to understand for those who don't know what
"location" means, and the text is slightly small and hard to read. It would be
a great improvement if they showed a small help text if one hovered over a
label inside one of the yellow boxes.

Still, a very excellent job of EFF.

~~~
eugene-d
I guess "location" means "IP Address". It's not your location in the URL bar,
as HTTPS encrypts the connection, not just HTTP request body.

~~~
icebraining
HTTPS doesn't encrypt the domain. That said, Tor does.

~~~
buzzkills
https encrypts the host header (indeed all the http headers), so yes it does
encrypt the domain in that respect. What it can't encrypt is the destination
IP address, which would be reverse looked up to the domain if everything was
configured right in the DNS.

~~~
knome
This is no longer true.

Seeing as HTTPS sites could not previously share an IP address, making it
obvious which site communications with any given IP address was directed
towards, an extension was developed that now sends the desired host
unencrypted before the encrypted package.

This doesn't yield any more information that could previously be derived, but
does allow you to serve as many HTTPS sites from a single host as you wish.

[http://en.wikipedia.org/wiki/Server_Name_Indication](http://en.wikipedia.org/wiki/Server_Name_Indication)

~~~
buzzkills
I stand corrected and I've learnt something :)

------
bcl
You can help contribute -
[https://cloud.torproject.org/](https://cloud.torproject.org/)

Note that you can reduce your costs by using spot instances.

~~~
yegg
Do you have any sense how many nodes (or I guess how much bandwidth or even
something else I'm not thinking of) it would take to make a material
difference on the speed of the network?

~~~
bcl
I don't know, but you can monitor the status of the network here -
[http://torstatus.blutmagie.de/](http://torstatus.blutmagie.de/)

------
B0Z
Maybe I'm misinformed, but I thought the big problem has less to do with data
in transit than it does with the destinations (Google, Facebook, Microsoft,
etc) working hand-in-hand with the NSA? What am I missing?

~~~
Splendor
Yep. It doesn't matter how you securely you get your data to Company X if
Company X is handing the data over to the NSA.

~~~
dllthomas
Tor hidden services could help, though.

~~~
path411
As long as you aren't using a service with your actual data. If I use Tor to
connect to facebook and input my personal information, Tor is only protecting
my data in transit. The NSA can still request the data from my account from
facebook.

~~~
dllthomas
With a Tor hidden service, the NSA cannot necessarily _find_ the service
provider. Of course, neither can I, so there is a whole different set of
threats (and it could be the NSA providing the service in the first place) but
it does help a little with this specific problem.

------
alextebbs
Interesting how everyone in the diagram except the user, the sysadmin, and the
relay nodes have "evil eyes".

~~~
giardini
Yes. Undoubtedly sysadmins are responsible for some, if not most of the most
egregious handoffs of data to outsiders (legal or illegal).

------
VexXtreme
What happens if NSA starts operating a number of Tor exit nodes and
eavesdropping on the outgoing traffic? What prevents them from doing so?

~~~
doomrobo
Nothing, but they would still not know where the traffic is coming from. The
"Onion" defined in the Tor protocol is unwrapped layer by layer by each node.
So the NSA has a choice where no option would help them too much: 1\. Be the
first node you access and be able to see your IP but not your traffic 2\. Be
the last node and be able to see your traffic but not your IP 3\. Be a middle
node and see neither

~~~
sdfjkl
Can't they do both 1 and 2 and correlate the information?

~~~
dllthomas
Yes. Which is why we need to keep a lot of nodes running, and part of why Tor
hidden services are a good thing.

------
showsover
How legal is operating a Tor node? I'm thinking of putting up a machine (and a
VPS) to just run a node. I just don't want to get into legal trouble for
running a(n exit) node.

~~~
ancarda
Running a regular node is fine as you're routing encrypted information for the
Tor network - your unlikely to get any hassle although check your countries
laws on crypto first.

Running an exit node may be a different story. You could get false DMCA
takedown notices or get charged with someone else's crime. Think of it this
way; you're running an open proxy. Uses of Tor can send any traffic through
your connection. That being said, some ISPs are ok with it, others won't
tolerate it.

I suggest you checkout [https://blog.torproject.org/running-exit-
node](https://blog.torproject.org/running-exit-node) if your really serious
about running an exit node.

~~~
csomar
Then, maybe, use Bitcoins for payment and Tor+HTTPS while signing up for the
hosting provider?

~~~
noerps
Bitcoin transactions are chained, that may compromise you.

But you could use an anon currency-exchange or currency-bridge like
paysafecard.com to obtain some value and obtain bitcoin with that value and
never use that bitcoin key again to avoid that.

~~~
throwmeaway33
Is there no system to swap ownership of coins?

If not there should be. You send X amount of bitcoins to a middle man who then
gives you X amount back. Technically they will be different coins and they'll
go to a different account #, so you can't trace anything.

~~~
stordoff
Take a look at mixing services[1], which seek to do exactly that.

[1]
[https://en.bitcoin.it/wiki/Mixing_service](https://en.bitcoin.it/wiki/Mixing_service)

------
chj
The problem of HTTPS is that you will need certification from some CAs which
may be working with government agents.

~~~
icebraining
Yeah, and even if you get a certificate from a CA which isn't, it doesn't
matter, since _any other CA_ can still issue a cert for your domain.

~~~
tonfa
Cert pinning and
[http://tools.ietf.org/html/rfc6962](http://tools.ietf.org/html/rfc6962) would
help for those cases.

~~~
noerps
Yay for a trust automaton, another level of complexity that won't solve
anything.

------
btipling
Why does the graphic portray police as mean angry people. Police are good
people who provide a valuable service. They do a good thing. They are not the
enemy.

~~~
duairc
No, they don't, they do a bad thing. In actual fact, all cops are bastards.
Their primary function in society is to defend the property rights of the
capitalist class against the working class, thus preserving inequality.

~~~
unimpressive
Ignoring for a moment the validity of this statement, can I ask why you visit
a site that is primarily about business news/Silicon Valley Hacker errata if
you're not a fan of the 'bourgeois'?

~~~
duairc
Because it's Hacker News, not Bourgeois News. And I know this site is tied to
an ideology that reimagines the "DIY" (for want of a better term) aspect of
the hacker tradition as a kind of pro-capitalist (or at least "DIY
capitalist") thing, but I don't think most hackers are capitalists, even on
this site. For me, anti-authoritarianism has always been a central tenet of
the hacker tradition, which for me goes hand-in-hand with anti-capitalism. I
acknowledge that most hackers are not explicitly/consciously anti-capitalist.

------
mtgx
Assuming the NSA is tapping ISP cables, and siphoning all unencrypted data of
the web, and that they need to ask the big companies in the slides for the
encrypted data, would EFF's "HTTPS Everywhere" help with all the websites that
are not encrypted, like say Reddit?

~~~
tlrobinson
As another commenter mentiioned, that tool just automatically switches to
HTTPS sites if available (on the same domain name)

FYI: there's [https://pay.reddit.com/](https://pay.reddit.com/) but it doesn't
work with HTTP Everywhere because its on a different domain.

~~~
jafaku
And sometimes users post links to reddit itself, and it won't be https.

------
D9u
With most ISP already using DPI it's anyone's guess how much the spies can
see.

[http://www.bivio.net/products/dpi/](http://www.bivio.net/products/dpi/)

[http://arstechnica.com/tech-policy/2010/06/deep-packet-
inspe...](http://arstechnica.com/tech-policy/2010/06/deep-packet-inspection-
soon-to-be-15-billion-business/)

[http://www.george-orwell.org/1984](http://www.george-orwell.org/1984)

------
jacob019
Love the evil faces in the infographic with the twisted eyes. Notice how the
sysadmin is not evil.

~~~
MarciaPetros
That's hilarious. I guess the EFF knows that most of it's supporters are
sysadmins, ironically the one class of people with the most direct and
unfettered ability to violate privacy--and a track record of having done so.

------
runn1ng
I have problems even logging in on ycombinator with tor. Not to mention any
site with anti-spam protection.

~~~
noerps
Since nearly every Tor-exit has working reverse-lookup or by using
[https://check.torproject.org/](https://check.torproject.org/) it is easy to
deny access to Tor-users while authenticating.

It makes imho no sense to authenticate using Tor.

------
josscrowcroft
Where does running traffic via a VPN [0] come into this?

Does that count as HTTPS, or are they referring to 'SITE.COM' having an HTTPS
certificate?

Is it possible to use Tor and a VPN together?

[0] e.g. I use [https://ipredator.se](https://ipredator.se)

~~~
noerps
If you use a VPN to connect to Tor, you can hide the fact (from your local
isp) that you use tor.

If you use Tor to connect to your VPN-provider, you can hide your location
from your VPN-provider.

Since your VPN-provider may have payment information from your creditcard it
makes no sense to use a VPN and Tor together, its just a cascade.

------
Ihmahr
How secure is ssl? Can't NSA fake a certificate?

~~~
mbel
Do they really need to fake it? It surely might be a part of the famous
indirectly accessed data.

~~~
Phlarp
This has been my question in this whole mess, if we assume NSA can and does
subpoena the keys and certs as opposed to the direct data (and the NSA were
copying data en masse, which now seems likely) would that not make HTTPS
essentially useless?

~~~
claudius
The NSA is not the average guy listening in on your wifi and then using your
CC to buy stuff online. HTTPS protects against those, and it does so
relatively efficiently.

~~~
Phlarp
Sorry, I should have clarified that it negates HTTPS in the context of the NSA
(and presumably other government actors around the world), still great
protection from getting your facebook session hijacked over wifi.

What about protection from the average NSA sysadmin or analyst with slightly
less moral fiber than Edward Snowden? (or gambling debt, or a mental disease,
or an obsession with your significant other etc.)

------
esalman
When using Tor+HTTPS, the first NSA eavesdropper can see location. How serious
is that?

~~~
icebraining
By location they mean your IP (from which they can get your address, by asking
the ISP). As long as they can't links the two captured packets, they just know
that you're using Tor.

~~~
vidyesh
Well your IP determines your location. That other evasdropper is from your
ISP, since you first connect to your ISP and then Tor. Your ISP potentially
knows your location which is what the NSA evasdropper gets.

And since its shared with amongst both the evasdropper, potentially NSA knows
your location even if you use Tor. They should have indicated that too I
guess.

~~~
icebraining
Sharing the data is not enough, they have to link it to be useful. They
probably can, though.

------
theboywho
How about using Tor > VPN (Note: Not VPN > Tor) ?

~~~
noerps
It could circumvent VPN censorship/supression or DPI since VPN is not a secure
end to end communication.

That way you would obfuscate your endpoint against your vpn endpoint/provider.

It would add no further benefit to location obfuscation with Tor, since your
VPN-provider will always snitch on you when opposed with lethal force.

~~~
theboywho
They can know your location, but at least no one will know what you're doing.

~~~
noerps
Your VPN will become your new endpoint, it is a tor-vpn cascade.

------
dgallagher
What would be the highest level of anonymity one could achieve on the modern
internet? How could you accomplish it?

~~~
noerps
There is no level on anonymity, either you are, or you are not.

Addendum for achievement: Connect to Tor from a public accessible network/wifi
that is free from surveillance using a pristine installation and never use
that network-device again.

Addendum 2: If you use the network device twice, you may achieve only
pseudonymity.

~~~
nbouscal
Valid point that anonymity is a binary property, but, if you wanted to talk
about levels you could perhaps measure the level of difficulty of finding your
identity, or the likelihood of accurately doing so.

~~~
noerps
The tradeoff is the same as keysize in crypto. It is time.

If you choose to communicate a second time from the same endpoint with the
same equipment you may achieve only pseudonymity.

Since Tor doesn't limit the encapsulated protocols, it depends on the
implementation and awareness of the user and you can't put a number or
percentage on that.

Imho the Tor-role has changed, it provides access against censorship, DPI,
region-partioning and hidden services. Simply try to access youtube or any
other global service via different tor exits, that may be intresting, not from
an anonymity point of view.

~~~
rane
Out of curiosity, why does the equipment matter?

~~~
noerps
There may be information leaking (as in fingerprinting) from your device (that
you are not aware of) that would allow very easy correlation, like in a mac
address or existing session cookie, similar address in a public open network
or whatever you can imagine to compromise your anonymity, that gives an
adversary any advance to successfully correlate your current session with one
of your previous sessions.

At this event your anonymity becomes a pseudonym.

The next step would be to try to reproduce or predict behavior and setup a
trigger for that information.

If the loss (compromise) of anonymity or pseudonymity may lead to
imprisonment, torture, assassination or death this maybe an issue to consider.

If you try to obfuscate your access to porn, it is a completly different
story.

