On Fri, 28 Oct 2011 07:36:32 MDT, Leon Kaiser said:
> Bravo! A completely impartial source.

Did you actually *read* the posting? There's certainly something fishy about the French results - they found 6,000 relays and 181 bridges, when the actual number is closer to 2,500 relays and 600 bridges. (Given that the current list of relays is public info, the blog posting *is* right - any claim the French had a complete *and accurate* idea of the topology is suspect, and being that wrong about the numbers is just sad). I'll note that Phobos was apparently as surprised by the "1/3 of relays are vulnerable" claim as I was....

Also, note that the Tor people have a history of being *very* up front about security problems - if you read the *very next* posting on that blog:

https://blog.torproject.org/blog/tor-02234-released-security-patches

Somebody else *did* find a hole (believed to be different than whatever the French guys are claiming) - and they came out and admitted there was a hole and released a patch. Oh, and they even point at several other known issues that somebody ambitious could do some research on. ;)

And if I'm reading the French paper right, it basically boils down to "If you pwn a significant fraction of the relays, you can compromise the network", which was a long-known result - the security of Tor is based on the assumption that you can't pwn 40% or 50% of 2,500 nodes in multiple organizations without *anybody* noticing the attacks and raising the alarm.

OK. Maybe they *are* less than completely impartial. But who you gonna believe, the guys who wrote it and tell you what the already-known weaknesses are, or some researchers who can't even get the count of relays anywhere *close* when there's a totally public list of relays available? ;)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/