Group Thinks Anonymity Should Be Baked Into the Internet Itself Using Tor
Hugh Pickens DOT Com writes "David Talbot writes at MIT Technology Review that engineers on the Internet Engineering Task Force (IETF), an informal organization of engineers that changes Internet code and operates by rough consensus, have asked the architects of Tor to consider turning the technology into an Internet standard. If widely adopted, such a standard would make it easy to include the technology in consumer and business products ranging from routers to apps and would allow far more people to browse the Web without being identified by anyone who might be spying on Internet traffic. The IETF is already working to make encryption standard in all web traffic. Stephen Farrell believes that forging Tor into a standard that interoperates with other parts of the Internet could be better than leaving Tor as a separate tool that requires people to take special action to implement. 'I think there are benefits that might flow in both directions,' says Farrell. 'I think other IETF participants could learn useful things about protocol design from the Tor people, who've faced interesting challenges that aren't often seen in practice. And the Tor people might well get interest and involvement from IETF folks who've got a lot of experience with large-scale systems.' Andrew Lewman, executive director of Tor, says the group is considering it. 'We're basically at the stage of 'Do we even want to go on a date together?' It's not clear we are going to do it, but it's worth exploring to see what is involved. It adds legitimacy, it adds validation of all the research we've done.'"
Tor's weakness is when one organisation, such as the NSA, controls a large percentage of the exit nodes.
The larger the percentage of the exit nodes a single organisation controls, the better chance they have of seeing all the packets from any given user.
Becoming an Internet standard would dramatically increase the number of exit nodes, making it harder for a single entity to control a decent proportion of them, although the basic attack would still work with enough resources.
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
You really should read up on technologies before making statements like that.
The Pedo busts were not attacking exit nodes; it was an attack on the hidden services within the network. There is no MITM attack on hidden services, as no one knows who is talking to who. What the FBI did was compromise the servers hosting the material, serving malware that sends a single request out, outside the Tor network.
Regarding 2; this only works if your software is perfect, which it won't be. The Pedo bust was abusing a known bug in Firefox 17, which had been fixed for quite a long time. It only takes a single bug in the stack to inject some data that can be collected at some point later. Even if you only allow data through Tor and using SSL, there is nothing preventing the FBI from sending enough data about your local network to help identify you. (For instance, a quick Wi-Fi scan gives you enough information to place my system somewhere in Denmark; using Wi-Fi databases, like the stuff Google collected with Street View, you can probably pinpoint it even further.)
While forcing SSL is a nice idea, generally, it won't work; as you said, people are doing mixed content. On top of that, it only takes a single compromised request to a CDN like jQuery to have your system thoroughly compromised, see http://www.youtube.com/watch?v=ZCNZJ_7f0Hk (While they are compromising anonymous proxies, the attack will work just as well on Tor.)
"Or let me ask differently: How would you fix it? A web of trusted exit nodes run by the government of choice? :P"
No. Everybody here is missing the point.
If/when exit nodes are everywhere, hosted by everybody, two things happen:
(A) It becomes impractical to the point of impossibility to monitor all the exit nodes, and at the same time
(B) the VALUE of monitoring any given exit node is diluted far past the point of making it worth anybody's time.