Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF Promotes Freenet-like System Tor

Posted by timothy on from the god-of-tunder dept.

An anonymous reader writes "The Electronic Frontier Foundation (EFF) just announced that it has become a financial sponsor of Tor, an open-source project to help people 'engage in anonymous communication online.' It sounds like a simpler version of Freenet, e.g. 'a network-within-a-network that protects communication from ... traffic analysis.' Like Freenet, the source-code is freely available and binaries exist for Windows, Linux, etc." Read on for more details.

The submitter continues "It also allows you to install Tor-aware apps, such as an HTTP proxy (for private browsing), or maybe private P2P? Unlike Freenet, it doesn't use massive encryption (as far as I can tell) and relies more on something called onion routing to randomly bounce requests between other Tor proxies, thus obfuscating the IP of the original client. So it allows you to browse regular Internet sites! Maybe it should be considered more of an 'open-source' Anonymizer? But I don't know if it's actually Open Source - you can download the source (and compile it yourself) but I don't know if the developers are letting anyone else touch their code. They are, however, looking for contributors and other forms of help. And, finally, they're hoping people will start running Tor servers!" It's open source, however contributions are handled.

15 of 379 comments (clear)

  1. EFF makes me happy. by The+I+Shing · · Score: 5, Interesting

    The EFF is a light in a dark wilderness. How amazing that a group of people so talented, experienced, and dedicated to digital liberty can come together and accomplish so much. Episode #74 of This American Life features EFF co-founder John Perry Barlow's touching account of a romance that blossomed between him and a wonderful woman he met at a convention. (Computer geeks take heed... play this story for a girl you fancy and see if it softens her heart.)

    --
    You are in error. No-one is screaming. Thank you for your cooperation.
  2. This actually works.... by Ajmuller · · Score: 5, Interesting

    Unlike freenet, which I have tried to use for years and never got it to work properly, this actually works. Five minutes after I installed TOR i'm actually surfing the internet, anonymously, at decent speeds. Unlike freenet, i'm not stuck in a chatroom while someone tells me... Just wait 4-5 days for your node to associate with the network....
    TOR is great, go EFF, making me proud to be a member!!!!

  3. Spammers by bm17 · · Score: 5, Interesting

    Two questions come immediately to mind:

    1) Can spam be sent through Tor?

    2) Can spammers collect data by running a Tor server of their own?

    I checked the site's FAQ but couldn't find answers there.

    1. Re:Spammers by miope · · Score: 5, Informative

      Look the documentation

      2. Decide what exit policy you want. By default your server allows access to many popular services, but we restrict some (such as port 25) due to abuse potential. You might want an exit policy that is either less restrictive or more restrictive; edit your torrc appropriately. If you choose a particularly open exit policy, you might want to make sure your upstream or ISP is ok with that choice.
      the faq responds your second question
      6.1. Can exit nodes eavesdrop on communications? Isn't that bad? Yes, the guy running the exit node can read the bytes that come out there. Our first answer is "then use end-to-end encryption such as SSL", which is great but not always practical. (The corollary to this answer is that if you are worried about somebody intercepting your traffic and you're *not* using end-to-end encryption at the application layer, then something has already gone wrong and you shouldn't be thinking that Tor is the problem.) Our second answer is that in a future release, we plan to have Tor clients recognize when the destination is co-located with a Tor server, and exit from that Tor server. So for example, people using Tor to get to the EFF website would automatically exit from the EFF Tor server (assuming it's nearby in network geography), thus getting *better* encryption and authentication properties than just browsing there the normal way. But this has a variety of technical problems we need to overcome first (the main one being "how does the Tor client learn which servers are associated with which websites in a decentralized yet non-gamable way?"). Stay tuned.
  4. Anonymity is a good thing? by Anonymous Coward · · Score: 5, Funny
    Are you sure all this anonymity is a good thing with all the terrorism and unpatriotic sentiment floating around?

    Besides, getting rid of anonymity would help with the spam crap.

    In fact, I don't see anything positive in anonymity.

  5. Re:If they really want by Anonymous Coward · · Score: 5, Informative

    It's more than that; the entry nodes don't have to
    be trusted. Your communications with them are
    encrypted and they know only the next hop in the
    circuit -- they do not know the exit node and they
    do not know the content of your communication.

  6. Whups, so much for that idea. by Tackhead · · Score: 5, Informative
    From the design documents:

    Based in part on our restrictive default exit policy (we reject SMTP requests) and our low profile, we have had no abuse issues since the network was deployed in October 2003. Our slow growth rate gives us time to add features, resolve bugs, and get a feel for what users actually want from an anonymity system. Even though having more users would bolster our anonymity sets, we are not eager to attract the Kazaa or warez communities-we feel that we must build a reputation for privacy, human rights, research, and other socially laudable activities.

    Well, so much for that. *badaboom*

  7. Re:Solutions are simple. by pclminion · · Score: 5, Informative
    IANAL either. This doesn't work.

    The DMCA prohibits circumventing a protection on a copyrighted work. Encryption only qualifies as a "protection device" if the person doing the encryption is the holder of the copyright. You can't "protect" what you do not own.

    I don't know if the DMCA contains precisely this language, but it's certainly the way it would be interpretted in court.

    I'm more interested in the case of using encryption to protect a computer virus. Since the author of the virus actually is the owner of the copyright on the viral code, then the encryption should qualify as a copyright protection device under the DMCA. Law enforcement officials who decrypt the virus to reverse engineer it would be in violation of the DMCA.

  8. Onion Routing != FreeNet by pridkett · · Score: 5, Interesting

    Just a quick FYI, TOR is an onion routing system, meaning that the data is passed between TOR proxies until it reaches it's destination. This means that eventually you still need to fetch the data from a server, which means that the server can still be put under attack or taken down.

    FreeNet is much more robust as you inject content and then it is stored in many nodes. Thus, it can't be taken down. Furthemore, in FreeNet different parts of the data are obtained from different sources, preventing more work that could be done with traffic analysis.

    To say that TOR is like FreeNet is to seriously discount the features of FreeNet. TOR is a system for running Onion proxies. FreeNet is a completely anonymized hosting and content distribution system.

    --
    My Slashdot account is old enough to drink...
  9. Re:If they really want by weaselp · · Score: 5, Informative

    The first node knows your IP and the second node, but not the plain text. The last node knows the second-to-last node,the service you are connecting to, and the plain text unless you do some encryption on the application layer (like https).

    It's not entirely unlike Mixmaster, only low latency.

    --
    Weasel
  10. Right... by Kjella · · Score: 5, Insightful

    Let me get this straight. As a TOR node, my computer will request information from regular web sites unencrypted. This means that when someone requests e.g. child porn on the network, and my node is chosen to retrieve it, my IP will be the one logged?

    You are in for a world of hurt if you run a TOR node. Since you are perfectly aware of all plain HTTP requests your node makes, you are likely to stand trial for contributory copyright infringement, import/export/distribution of child porn, conspiracy to [whatever] and so on. Since I assume by default it doesn't log anything to give you someone to blame it on, they pin it on you.

    I would honestly never run a TOR node. If I did, I would firewall it to only allow connections to other TOR nodes, i.e. be a pure leech on the network. Anything else is to expose yourself for a wide range of legal disasters. Freenet had this right. You must not know what you are transmitting. This idea is fundamentally flawed and I'm amazed that the EFF would support it.

    And beyond that, from the brief techincal discussion, you have a single point of failure in the directory server. Gather a small botnet, compromise the server and present the botnet as the routing nodes. You control all the keys, you decrypt everything. Or just a simple DDoS attack, so you don't find any nodes to route through. Overall, I'm not impressed.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  11. Misconceptions about Tor (from Chris @ EFF) by innerFire · · Score: 5, Informative

    Hi there! I'm Chris Palmer from EFF. I am working with the Tor developers, so I know a bit about it. I'll try to clear up some questions and misconceptions people seem to have.

    1. Spam? Well, spammers already have much better tools than Tor. Namely, botnets. The Tor network currently doesn't support the kind of bandwidth usage spammers can chew up. By their willingness to break the law, spammers and criminals already have good tools to hide their network origin. Tor doesn't really help them. Plus, the default Tor exit policy is to block port 25.

    2. Free/open source? Yes, three-clause BSD. EFF would not financially support a non-free/open source project!

    3. Do you have to trust the nodes? You have to trust the entry node and the exit node. The entry node can be on your own computer, which I highly advise people to do. It's easy to install on all platforms, so that shouldn't be a hurdle. As far as trusting the exit node: Yes, the exit node can see the plaintext of your communications. That is why you should always use end-to-end encryption, anyway! Remember, all normal Internet routers in your route can read your traffic; Tor is actually BETTER because traffic is strongly encrypted (AES, multiple times) while inside the Tor network.

    So, you actually have to trust Tor a bit less than regular Internet routes.

    Use encryption. :)

    4. Is it like Freenet/Crowds/Anonymizer? Yes, and no. It is like somewhat like those systems in goals, but the design is different. For example, unlike Freenet, Tor helps you talk to the real Internet. Unlike Anonymizer, Tor uses a whole network of proxies, not a single proxy; and the proxies are generic SOCKS proxies, not specifically HTTP.

    5. Version number is too low. Is this alpha software? Roger and Nick are very modest. :) Tor works. It is stable, many bugs have been fixed, and the protocol is moderately stable. Tor does not crash randomly or eat all your memory. What's in flux is bigger picture items, such as "How can we reduce our dependency on the central directory server" and "Wouldn't a GUI configuration tool be nifty?"

    6. Is there a backdoor? Well, you tell me. The source code is open. Is there a backdoor in other free software you like?

    7. Minimum bandwidth requirement? For exit and middleman nodes, yes, you should have a reasonable pipe and a stable machine. "Reasonable" pipe can mean a good DSL connection. Crappy nodes can degrade the network for those poor saps whose circuit goes through one. That is why the directory server operators won't list your server unless it meets basic stability and bandwidth requirements.

  12. Spies need anonymity too... by Jim+McCoy · · Score: 5, Interesting

    As someone who has watched, helped with, and discussed various anonymous networks from Pipenet through Onion routing and Tor I can give you the quick summary for why NRL was interested in anonymous browsing (because when they first came out with the Onion network stuff it really was a surprise.)

    Sometimes, government agencies would prefer it if web queries did not show up in the server's logs as coming from a .mil or .gov site.

    Just knowing what someone is reading or researching is a good source of intel, some government agencies see more benefit to this than the downside of potential terrorist uses.*

    Jim

    * anyway, if you work for a big governement agency you have the resources to treat these sorts of networks like a big black box and link up the endpoints. This is a fatal flaw to _all_ real-time anonymous networks. A big attacker can treat all of the fancy games you play in the middle of network as noise and just link up "message X went into dark network at time T and a message close to the size of message X came out of the network at time T +1, followed by a similarly linkable message going back the other way..."

  13. Re:the problem with Freenet by RyanFenton · · Score: 5, Insightful

    It's a method for the transportation of data - it in no way encourages any specific type of traffic. I could mention several straw-men arguments about telephones and vehicles that also could be used for horrible child crimes...

    Relative anonymity isn't inherently destructive - nor is the anonymity offered here absolute. Conventional methods of online social investigation will still catch the people you imagine, as there is still a source and destination. With child crimes in particular, the investigation should move offline as soon as possible anyway as soon as suspicions arise.

    People who attack and cruelly manipulate children deserve punishment - the rest of the world does not need to close entire realms of technology down for the sake of that punishment. The nerds of the world shouldn't be forced to think about punishing criminals when they make their tools any more than car manufacturers.

    Ryan Fenton

  14. Re:the problem with Freenet by soupdevil · · Score: 5, Insightful

    By this argument, you could never own an apartment, rental house or hotel, because child abuse could be committed on your property.