Hacker News new | ask | show | jobs
by vog 3573 days ago
> however the more nodes that don't engage in such activities, the better for the network overall.

I'd argue that it is quite the opposite.

The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption. In particular, they will insist that more websites switch to HTTPS. Which is actually better for the network overall, and would render most of these attacks useless.

I wonder whether the Tor browser bundle should disable plain HTTP completely, only to be enabled through some obscure config setting for the seldom use cases where this is actually needed.

[1] Tor is by definition a system of man-in-the-middle through man-in-the-middle. Why would anybody want to use that without end-to-end encryption?
1 comments
nbraud 3573 days ago
> The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption.

Yes, but how does your collecting logs impact overall awareness?

Even if it did (say, you make the logs available through some snazzy web interface, it gets mass media attention), how does that balance out with the users who traffic you exposed?

link
vog 3573 days ago
I didn't mean that more exit nodes should collect and share their logs. That would indeed weaken the Tor network, by facilitating traffic correlation.

I meant inspecting/manipulating the traffic if it is unencrypted. As a political statement, this should of course never actually attack the client, but instead try to raise attention by e.g. injecting a message along the lines:

    Hi, I'm a stranger and it was trivial for me to
    inject this message. Please use HTTPS to prevent
    me from doing this.
Thinking more about that, however, this may be a bad idea. People could perceive this to be a security hole in the Tor network itself, rather than HTTP itself, which could damage the reputation of Tor.
link