[Cryptography] escalating threats to privacy

Florian Weimer fw at deneb.enyo.de
Thu Mar 30 17:38:46 EDT 2017


* John Denker via cryptography:

> I'm wondering what the remedies might be:
>  -- Negotiate with the ISP to pretty please not do that?

You need to negotiate with everyone along the path.  The Internet was
designed with the goal that you don't have to do that, and that's a
major source of its efficiency.

It's also not just traditional ISPs (the companies that push packets
through their networks).  Exchange point operators also share traffic
(samples) for research purposes.  So do other critical Internet
infrastructure operators.

>  -- Everybody use Tor for everything -- despite the inefficiencies?

I expect that many Tor exit nodes have pervasive logging.  This might
even be justifiable because the exit node operator could claim the
traffic they see has been anonymized by the Tor network.  Except that
I don't think Tor anonymization is all that strong, and the Tor
infrastructure (both the network and the endpoint software) can only
do limited things to avoid clear-text information leaks.

And it's obviously game over once the exit node operator has access to
an interception certificate.

>  -- Is there anything we can do to make Tor more efficient?

Anonymous real-time/interactive traffic is probably never going to
happen because there are trade-offs (real-time responses are difficult
to anonymize properly).

The other problem is that on the current web, sites actively collude
to break anonymity for various commercial purposes, and more and more
web sites require some form of authentication.  That happens on the
server side, and technology like Tor isn't going to change that.  The
New York Times will still know which articles you read.

I think the ISPs just want a pie of that already existing market for
user data.  The next step will be that they start rolling out
interception certificates, to improve web site response times due to
better caching, and general browsing experience through well-targeted
advertising.

