Poul-Henning Kamp
2017-Dec-10 19:57 UTC
http subversion URLs should be discontinued in favor of https URLs
--------
In message <898df78d-c0b1-9e9f-0630-2665c3939960 at rawbw.com>, Yuri writes:

>3. The user updated the sources through Tor and got hacked.
>
>Where did this user go wrong, or where has he been irresponsible?

He trusted Tor?

In 2006 Steven Murdoch's "Hot or Not" work in TCP timers revealed that a LOT of the Tor network is on a longitude compatible with a "Bandit of The Beltway" location.

If you still, eleven years later, seriously believe that Tor is trustworthy, you shouldn't be allowed near any kind of security decision.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG      | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Matthew Finkel
2017-Dec-11 18:20 UTC
http subversion URLs should be discontinued in favor of https URLs
On Sun, Dec 10, 2017 at 07:57:14PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <898df78d-c0b1-9e9f-0630-2665c3939960 at rawbw.com>, Yuri writes:
>
> >3. The user updated the sources through Tor and got hacked.
> >
> >Where did this user go wrong, or where has he been irresponsible?
>
> He trusted Tor?
>
> In 2006 Steven Murdoch's "Hot or Not" work in TCP timers revealed
> that a LOT of the Tor network is on a longitude compatible with a
> "Bandit of The Beltway" location.

Are you really referencing a paper from 11 years ago specifically about a hidden service confirmation attack? This is not within Tor's threat model. Yes, it is a real attack, and yes, this could and should be prevented, but this says absolutely nothing about the security or "trustworthiness" of the Tor network or the protection it provides 99% of all users.

> If you still, eleven years later, seriously believe that Tor is
> trustworthy, you shouldn't be allowed near any kind of security
> decision.

*head scratch*

Most of the relays are in Europe now, just FYI. Tor is not perfect, but it offers by far a better method of connecting two machines than using the Internet alone.