Comments
Please note that the comment area below has been archived.
How exactly can you support this?
HTTPS does not solve the simple fact that the three letter agency you are trying to protect from has the keys to the fortress as they (and other nation state actors) have their own CA, hence can easily create any SSL certificate, MITM it and voila, read that "protected" data.
HTTPS is *NOT* complete security and it has nothing to do with 'resetting the net'.
HTTPS is only one layer that typically can help. But the moment one is protecting against a nation state actor you are losing out:
- they have their own CAs which *you trust* per default of the OS/browser installation
- you do not know if there are backdoors in code anywhere (openssl has lots of nice vulnerabilities, another one coming soon to you!)
- you do not know if the adversary knows about crypto flaws that make it all useless anyway
- and assuming device security, nobody is ever able to do all of:
* understand how the crypto works and make sure it is 100% correct
AND
* verify the source-code and that it does not have backdoors/flaws
AND
* make sure that that version of the code actually runs on the device you are using
AND
* verify that nothing else on your device can actually just snoop the data there and send it out before the plaintext is crypted...
Yep. You'll notice we didn't stop working on all the other things we do at Tor. :) Https is nice and all, but you're right that there's a lot more to it than that.
But that said, these broad advocacy campaigns have a tough time picking 'real' issues that are also things ordinary people can get behind. And hey, more encryption is good.
RELEASE THE FUCKING FILES ALREADY! 1% OF THE SUPPOSED NSA DOCS ARE RELEASED! WHERE ARE THE REST?
THE LEAK KEEPERS ARE PROFITING OFF THIS UNBELIEVABLY. THEIR SECRECY IS JUST LIKE THE NSA THEY SUPPOSEDLY HATE.
Thanks for using youtube-nocookie.
"[...]HTTPS does not solve the simple[...]"
For the beginning OpenSSL should be hard debugged.
It has really heavy bugs.
While people align under "Reset The Net" and value privacy I just got this "search result" from Startpage.com at the right time:
Quotation:
"As you know, Tor recently included Startpage as the default search engine in the new Tor Browser Bundles. Thank you! We're honored to be associated with all of you like-minded, hard-core privacy fanatics.
Just One Small Catch...
However, the avalanche of new Tor users has created an issue with the algorithm we use to detect and reject automated screen-scraping programs. When multiple Tor users are searching through the same end node, Startpage may wrongly conclude that the searches are coming from a scraper.
The unfortunate result is that Startpage may occasionally not return results with Tor. But don't panic, we're committed to fixing it."
Startpage.com claims two million searches per day. That's roughly 25 searches a second. I don't know how many percent of these are Tor users, but a handful of servers can do this number without a problem. In terms of hardware and bandwidth this is chickenshit for a company.
So why does Startpage.com care so much to interrupt searches with their notifications? Later on in these notifications they recommend to change the Tor identity to be able to use their search engine again.
If screen-scraping is truly the reason I don't see how changing the Tor identity would prevent screen-scraping. The scraper would use any exit node IP address currently assigned and could go on day and night with a new IP address every few minutes. Makes no sense to me.
But this reminds me of the problems Scroogle had with Google.
Scroogle was a search proxy for Google, just like Startpage.com, but without depending on pay outs from Google (https://en.wikipedia.org/wiki/Scroogle#Scroogle).
Google doesn't want too many searches coming from the same IP address because their advertisers may think they are ripped off with automated searches, searches where no humans see their paid ads.
I wonder how searches from Tor users at Startpage.com are different from other users in a way Google would care enough to complain to Startpage.com?
The only reason I can think of, as a "hard-core privacy fanatic" as Startpage.com denotes me as a Tor user, is that Startpage.com passes the IP address on to Google with each search. Maybe the IP addresses are hashed to comply with their claims.
Startpage pitches that they are certified. If you read the certification documents there is no mention of Startpage.
The certifying company has looked at the meta search engine Ixquick which is by the same company as Startpage.
Ixquick uses different search engines than Startpage. I think the Ixquick engines are generally less demanding than the ubiquitous Google used by Startpage.
What happened to the portable tor?
I assume you're a Windows user? The TBB is still portable -- it has an installer now because many people were confused when it didn't have an installer, but the resulting directory once you've installed it is all still self-contained and portable.
NSA must give back the private data they have stolen.
Afterwards they shall destroy the hard drives used to store these sensitive data.
Hi. Does anybody know when the TextSecure and RedPhone apps will be available on iPhone?
I'll take this privilege to thank all - TOR People, Edward Snowden, Glenn Greenwald, Jacob Appelbaum, Privacy Advocates and Supporters ... ALL, who are risking their lives and worked/are working behind to regain our privacy rights in this digital age. While we know "what" we will do, you guys are the "how". Thanks.
Let's remember that the world's most powerful people view it their privilege and categorical imperative to exploit all communications of the entire world. Our toys are in their playground, and every single one is another target.
How can I install Tor on my iPad mini?
I'm afraid there aren't any good iOS answers currently.
https://www.torproject.org/docs/faq#Mobile