Date: Mon, 11 Dec 2017 18:20:31 +0000
From: Matthew Finkel <matthew.finkel@gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Yuri <yuri@rawbw.com>, freebsd security <freebsd-security@freebsd.org>, RW <rwmaillists@googlemail.com>, Igor Mozolevsky <mozolevsky@gmail.com>
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171211182031.jhgansyyw7xrk4il@localhost>
In-Reply-To: <24467.1512935834@critter.freebsd.dk>
References: <5c810101-9092-7665-d623-275c15d4612b@rawbw.com>
 <CADWvR2j_LLEPKnSynRRmP4LG3mypdkNitwg%2B7vSh=iuJ=JU09Q@mail.gmail.com>
 <fd888f6b-bf16-f029-06d3-9a9b754dc676@rawbw.com>
 <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com>
 <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com>
 <CADWvR2gkFGY8CH5L7N67z8mfOux=Vjv8eobpK=pOpCKW3ysAkA@mail.gmail.com>
 <913910fb-723b-e450-8f02-4c26b3c15287@rawbw.com>
 <CADWvR2hR2-DPayNVOUvTxMQ=tj7YpotVzKFHGQFPoC5ZGDvnNA@mail.gmail.com>
 <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>
 <24467.1512935834@critter.freebsd.dk>

On Sun, Dec 10, 2017 at 07:57:14PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>, Yuri writes:
>
> >3. The user updated the sources through Tor and got hacked.
> >
> >Where did this user go wrong, or where has he been irresponsible?
>
> He trusted Tor?
>
> In 2006 Steven Murdoch's "Hot or Not" work in TCP timers revealed
> that a LOT of the Tor network is on a longitude compatible with a
> "Bandit of The Beltway" location.

Are you really referencing a paper from 11 years ago specifically about
a hidden service confirmation attack? This is not within Tor's threat
model. Yes, it is a real attack, and yes, this could and should be
prevented, but this says absolutely nothing about the security or
"trustworthiness" of the Tor network or the protection it provides 99%
of all users.

>
> If you still, eleven years later, seriously believe that Tor is
> trustworthy, you shouldn't be allowed near any kind of security
> decision.

*head scratch* Most of the relays are in Europe now, just FYI. Tor is
not perfect, but it offers by far a better method of connecting two
machines than using the Internet alone.

>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"