Yuri
2017-Dec-10 19:23 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/10/17 10:15, Igor Mozolevsky wrote:
> They are not "hypothetical characters," they are invented characters that
> are used in a threat model. But that's reframing the problem- a
> hypothetical threat model is very different to a real threat model.

This is a very real threat model. There are a lot of malicious Tor exit node operators, and a lot of FreeBSD users update their system over subversion. The only thing that the Tor node operator needs to do is to detect relevant requests and serve malware.

How is this not real?

Yuri
Igor Mozolevsky
2017-Dec-10 19:24 UTC
http subversion URLs should be discontinued in favor of https URLs
On 10 December 2017 at 19:23, Yuri <yuri at rawbw.com> wrote:
> On 12/10/17 10:15, Igor Mozolevsky wrote:
>
>> They are not "hypothetical characters," they are invented characters that
>> are used in a threat model. But that's reframing the problem- a
>> hypothetical threat model is very different to a real threat model.
>
> This is a very real threat model. There are a lot of malicious Tor exit
> node operators, and a lot of FreeBSD users update their system over
> subversion. The only thing that the Tor node operator needs to do is to
> detect relevant requests and serve malware.
>
> How is this not real?

It seems the problem is *not* FreeBSD but Tor in your case!

--
Igor M.
Eugene Grosbein
2017-Dec-10 19:37 UTC
http subversion URLs should be discontinued in favor of https URLs
11.12.2017 2:23, Yuri wrote:
> On 12/10/17 10:15, Igor Mozolevsky wrote:
>> They are not "hypothetical characters," they are invented characters that
>> are used in a threat model. But that's reframing the problem- a
>> hypothetical threat model is very different to a real threat model.
>
> This is a very real threat model. There are a lot of malicious Tor exit node operators,
> and a lot of FreeBSD users update their system over subversion. The
> only thing that the Tor node operator needs to do is to detect relevant requests and serve malware.

Hmm, you should not pass your traffic through the network operated by lots of malicious operators in the first place. No matter encrypted or not. There are plenty of alternative ways.
Michelle Sullivan
2017-Dec-10 22:41 UTC
http subversion URLs should be discontinued in favor of https URLs
Yuri wrote:
> On 12/10/17 10:15, Igor Mozolevsky wrote:
>> They are not "hypothetical characters," they are invented characters that
>> are used in a threat model. But that's reframing the problem- a
>> hypothetical threat model is very different to a real threat model.
>
> This is a very real threat model. There are a lot of malicious Tor
> exit node operators, and a lot of FreeBSD users update their system
> over subversion. The only thing that the Tor node operator needs to do
> is to detect relevant requests and serve malware.
>
> How is this not real?

Sounds to me the proper solution is stop using Tor. If you can't trust the network (wire) no matter what you do you can't guarantee safety. Seriously if there are "a lot of malicious Tor exit node operators" the simple answer is stop using Tor.

Michelle