Partnering with Mozilla (torproject.org)
388 points by tete on Nov 11, 2014 | 102 comments



One major challenge:

Using Tor, end users can easily and unintentionally compromise their confidentiality by disclosing information explicitly (e.g., their email logon) or implicitly (habits, browser fingerprints, and other identifiers); it takes discipline to remain anonymous on Tor and even technically skilled hidden service operators, with reason to be paranoid about illegal businesses, fail to do it. Also, leaked documents say that use of security services, including VPNs and I think Tor also, causes the data to be retained by the NSA for future decryption.

How can Mozilla and their partners provide confidentiality in a way that increases end-user security, rather than attracting further scrutiny or, far worse, providing dangerously false assurances? The answer cannot depend on end users understanding the technology or subtle tradeoffs; the vast majority will never understand.

One thought: Route all Firefox users through Tor relays by default, creating some security-through-obscurity. There are problems with that, of course, including the blacklisting of Tor relays from many sites.


Routing all Firefox users through Tor relays by default would be madness.

* It would make Firefox slow.

* It would place a tremendous load on the Tor network.

* It would defeat content filtering (which includes blocking malware) on enterprise networks.

* It would expose users to traffic interception and manipulation who wouldn't otherwise be so exposed.


Here's what could help - turning all users into (exit) relays. That strategy has worked for torrents very well - all downloaders are also seeders (I think it's a similar situation).

This solves multiple things:

1) makes it much harder to do traffic analysis

2) makes it almost impossible to "go after relays". Sure, they'll still try to arrest some here and there, just like they try to arrest people who torrent movies, and even with the mass copyright laws they couldn't stop piracy. There were just many more who did it, making those hunted down but a tiny percentage.

3) should make the legal defense case even stronger than it is now for relays. You can say today that "you don't know what's happening through your relay", however you still have to choose to become a relay. I think that says something. It may not be a huge case in the prosecutor's favor, but it may convince the judge to be against you in some cases. But if everyone is a relay and you can use the defense that "this is just how Tor/Firefox works", I think that would work a little better.

4) should improve speed since relays can't be choked anymore

5) I'm not sure about this one, but I think it should make it much harder to DDoS Tor users/hidden services as well?

I think the way Tor works currently is a design flaw in Tor. Tor should be "fully distributed" in a way.

As for the argument "but then no one will use Tor if they are forced to be relays!" - I just don't buy it. I think there may be some that will get scared in the short term, but then see Tor actually gets more secure this way in the long term, and will return. I also believe Tor will get more new users in the long term this way.

EDIT: What I'm referring to is turning everyone into exit relays/nodes. My arguments remain the same. If it's not illegal for people to have an exit node in the US (as Tor claims [1]), then it shouldn't be illegal for millions to do it either. In fact it could be a sort of stronger civil disobedience thing.

Plus, even if it is illegal, so is piracy. That hasn't stopped millions from doing it. Just like "being gay", what's legal and what's illegal is a matter of how we shape our laws. To change those laws, first you need someone to break them and change the society in a different direction. If you didn't have anyone to break a law in a certain direction, then laws would never need to be changed.

[1] - https://www.torproject.org/eff/tor-legal-faq.html.en


The problem is that you do not make the distinction between a regular relay and an exit node. There are enough regular relays in the tor network, but people hesitate running exit nodes because of the legal liabilities: many ISPs do not want you to run a tor exit node, because of the nature of some traffic coming through the tor network (illegal marketplaces, child porn, etc -- as you can read in the article, even Mozilla doesn't want to host exit relays).

If you make this the default, you're opening a can of worms legal-wise. If you make only non-exit relays the default, your whole plan defeats its purpose, because then exit nodes remain the weakest link (as they are now).


I agree that it's too crazy for Mozilla to seriously consider it.

But, assuming Tor did receive widespread adoption of exit nodes at this scale, the internet would have to adapt to accommodate this many people rerouting other people's traffic. ISPs would encounter the same backlash for throttling or blocking users who run exit nodes as they currently face when doing it to users running Netflix.

Unfortunately, it takes mass adoption to force this kind of adaptation, and it's generally an easier fight to maintain venues of freedom than to open new ones. So we have a chicken and egg problem essentially; Mass adoption is necessary to force regulatory and infrastructural accommodation, and that accommodation is necessary to foster mass adoption.


"The law just has to change to adapt to our new technical ways" is a common fallacy with techies. And has been working /splendidly/ for decades now.

More importantly, letting every one of your users out in the rain with their legal problems until you have finally been successful in changing the law is not a recommended way to treat your users.


FWIW, I _intentionally_ de-anonymize myself over TOR as often as I remember to. I make a point of browsing things like local council and government websites using TOR, including logging in or providing details in contact forms, while doing mundane and ordinary stuff like booking extra garbage collections.


Interesting - care to elaborate on the reasons?


I'm not bigiain, but an obvious motivation would be that the more people use Tor for obviously mundane reasons, the more plausible deniability exists for all Tor users. After all, the fact that you're using Tor cannot be hidden, and you don't want people to fall under suspicion merely for being Tor users. In other words, there is probably no direct benefit to bigiain for doing this, but she/he is doing everybody a service.


Exactly this. Since Facebook has a .onion, I sometimes use it instead of the .com, and even if I don't use my real name on Facebook, I'm not at all anonymous there.

I also have my personal web page accessible as a Tor Hidden Service [1] and as an EepSite [2], even if a personal web page is the least anonymous thing you can think of.

[1] http://pablo6zbxiijn5hd.onion/

[2] http://p4bl0.i2p/


Hmmm. Wouldn't trying to remain anonymous be better? I mean, if most of the people on Tor are not anonymous (because they "disclose" themselves voluntarily), the rest of them might be in the spotlight...


The important part is that the anonymity set - the amount of traffic among which those with a need for anonymity can hide - becomes larger no matter what the people without a need for anonymity do.

Consider the extreme case where Tor is only used by dissidents in a single country X. As soon as country X's secret police observes your home internet connection connect to Tor relays, they know that you are a dissident.

Now consider the case where only 1% of the traffic on Tor is by dissidents in country X. When your home internet connection is observed to carry Tor traffic, it is impossible to tell whether you're among the 1% of dissidents or the 99% of non-dissidents. So they have some reason to suspect you, but it's already a clear win, because rounding up and terrorizing 100x as many people takes more effort and is more likely to result in pushback.

The only place in the Tor network where the "trying to remain anonymous" makes a difference is when the secret police collects exit relay traffic. However, if all they see is that 1% of exit traffic is TLS sessions to dissidents.xx and the other 99% is unencrypted sessions to facebook.com (hypothetically), that still doesn't help them figure out which Tor clients are sending those 1% of traffic that they want to chase down.

Of course, all of the above is subject to the inherent limitations of Tor (e.g., somebody who is able to observe all relays can do statistical timing-based attacks to correlate relay input-streams with relay output-streams; they can then trace back the Tor circuits and figure out which user is responsible for which exit traffic; somebody who is able to observe a fraction of relays will be able to do such correlation attacks with a certain probability of success; the secret police might observe dissidents.xx as well as the home connections of everybody using Tor, and might be able to sieve out the 1% of dissidents using timing correlation, etc. [0]). The point is that the nature of the 99% of non-targeted traffic doesn't matter; the important thing is that it's there, and the more, the better.

[0] This seems to suggest that if you want to hide some of your traffic via Tor, it actually makes sense to tunnel everything via Tor. However, this also has problems: for example, if you use the same browser to access both facebook.com and dissidents.xx, browser fingerprinting might kill you. I don't actually know what the best practices recommendation is. Given an adversary with sufficiently tight control over the communications infrastructure, you're basically screwed.


The Tor Browser Bundle already comes with a bunch of hacks to make users more difficult to track. I suppose they could improve on that until you're no longer identifiable on something like EFF's Panopticlick [1] or Samy Kamkar's Evercookie [2].

For example, isolate each tab, nuke all tracking cookies by default, clear all local storage at a regular interval, access different sites using different circuits, and only allow JS to access a minimum of information about the system. Even better, expose fake, generic, but slightly varying lists of system fonts, plugins, and other information. (Fake information is better than disallowing access altogether, because the latter looks too suspicious.)

Of course, none of this will keep you anonymous if you log into Facebook using Tor... but at least the browser could make it extremely difficult for anyone to find out that the person who is visiting unrelated-website.com is the same person who just logged into Facebook. Automatically switching circuits when you visit a new site would probably do wonders in this regard, though I'm not sure how well Tor can handle that.

[1] https://panopticlick.eff.org/

[2] http://samy.pl/evercookie/
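The anonymity-set arithmetic behind the "1% of dissidents" reasoning and the fingerprint-homogenizing idea above, as an added example that is not from any commenter: a constructed population of browser fingerprints, the bits of identifying information each attribute leaks (the Panopticlick style measure), and how much a user's anonymity set grows when the browser reports generic values instead of real ones. The population, attribute names and generic values are all made up for illustration.

```python
"""Anonymity-set arithmetic for browser fingerprints.

Constructed example: a small population of users, each described by a few
fingerprint attributes of the kind Panopticlick measures. The anonymity set
of a user is the number of people whose visible fingerprint is identical to
theirs; the larger it is, the less an observer learns from the fingerprint.
"""
from collections import Counter
from math import log2

# Constructed fingerprints (hypothetical users, not real survey data).
POPULATION = [
    {"ua": "Firefox/33", "screen": "1920x1080", "fonts": "A,B,C", "tz": "UTC+1"},
    {"ua": "Firefox/33", "screen": "1366x768",  "fonts": "A,B",   "tz": "UTC+1"},
    {"ua": "Firefox/33", "screen": "1920x1080", "fonts": "A,B,D", "tz": "UTC-5"},
    {"ua": "Chrome/38",  "screen": "1920x1080", "fonts": "A,B,C", "tz": "UTC+1"},
    {"ua": "Chrome/38",  "screen": "1366x768",  "fonts": "A,C",   "tz": "UTC+8"},
    {"ua": "Firefox/33", "screen": "1280x800",  "fonts": "A,B,C", "tz": "UTC+1"},
]

# Attributes an observing site gets to see.
ATTRS = ("ua", "screen", "fonts", "tz")

# Generic values a hardened browser could report instead of the real ones
# (the "fake, generic" approach discussed above; values are illustrative).
GENERIC = {"ua": "Firefox/33", "screen": "1000x1000", "fonts": "A,B", "tz": "UTC"}


def fingerprint_key(fp, attrs=ATTRS):
    """Tuple of the attribute values an observer actually sees."""
    return tuple(fp[a] for a in attrs)


def anonymity_sets(population, attrs=ATTRS):
    """Map each distinct visible fingerprint to the number of users sharing it."""
    return Counter(fingerprint_key(fp, attrs) for fp in population)


def anonymity_set_of(population, fp, attrs=ATTRS):
    """Size of the anonymity set of one user within the population."""
    return anonymity_sets(population, attrs)[fingerprint_key(fp, attrs)]


def surprisal_bits(population, fp, attrs=ATTRS):
    """Bits of identifying information in a fingerprint, -log2(P(fingerprint)).

    Equal to log2(N / anonymity set size): a unique fingerprint among N users
    carries log2(N) bits, one shared by everybody carries 0 bits.
    """
    return log2(len(population) / anonymity_set_of(population, fp, attrs))


def attribute_entropy_bits(population, attr):
    """Shannon entropy of a single attribute over the population (bits)."""
    n = len(population)
    counts = Counter(fp[attr] for fp in population)
    return -sum(c / n * log2(c / n) for c in counts.values())


def homogenize(population, spoofed):
    """The population as seen if every browser reported the generic value
    for each spoofed attribute (what a hardened browser does for fonts etc.)."""
    return [{**fp, **{a: GENERIC[a] for a in spoofed}} for fp in population]


def compare(population, fp, attrs=ATTRS, spoofed=("screen", "fonts")):
    """Anonymity set size of `fp` before and after spoofing `spoofed`.

    Spoofing only helps if everyone spoofs the same way: the user's own
    fingerprint and the whole population are homogenized together.
    """
    before = anonymity_set_of(population, fp, attrs)
    hardened = homogenize(population, spoofed)
    fp_hardened = {**fp, **{a: GENERIC[a] for a in spoofed}}
    after = anonymity_set_of(hardened, fp_hardened, attrs)
    return before, after


if __name__ == "__main__":
    user = POPULATION[0]
    for attr in ATTRS:
        print(f"{attr:7s} leaks {attribute_entropy_bits(POPULATION, attr):.2f} bits")
    print("user 0 surprisal:", round(surprisal_bits(POPULATION, user), 2), "bits")
    print("anonymity set before/after spoofing screen+fonts:", compare(POPULATION, user))
    print("anonymity set before/after spoofing everything:", compare(POPULATION, user, spoofed=ATTRS))
```

Spoofing only screen and fonts already takes user 0 from a unique fingerprint to sharing one with two others; spoofing all four attributes makes the whole population indistinguishable, which is the "the more, the better" point about non-targeted traffic stated in the comment above.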


The Tor Browser developers have all of this as an explicit goal:

https://www.torproject.org/projects/torbrowser/design/

They still have more work to do to get there, of course -- it's a challenging target!


How about just allowing all firefox users to access .onion sites securely by default?


I'd also like to see Firefox support .bit domains or similar in the future. I don't blame them for not doing it right now, though. Namecoin and such are still very experimental technologies, but maybe in a few years.


It is a tricky issue, but I can see a good argument for increasing the amount of traffic going through TOR, even if much of it was from users without proper OPSEC.

As with all security, it is an education issue; just as "Private Mode" warns users that they might be tracked by ISPs or other agents, "Super-private mode" would have to warn users that supplying identifying information would jeopardize their privacy.


> it is an education issue; just as "Private Mode" warns users that they might be tracked by ISPs or other agents

I wonder what percentage of users understand that. How many read the fine print, grasp its meaning, and act on it?

It would be interesting if Mozilla has studied this security training in particular or if someone has studied security training in general. That is, test how many users read the information, retain it, understand it, and act on it? What works and what doesn't?


If we compare with the current private window that users are already using in Firefox, the steps to more security are likely to start with technical transparent solutions rather than large changes to user behavior.

The question I ask: Is tor browser better than the current private window? I think it is easier for a user to disclose private information by using private window, than using a tor browser. I would also claim that traffic generated by a private window is stored and analyzed in a much greater extent than traffic sent through tor or VPNs.

We already got the problem of false assurances thanks to private window. I have a hard time seeing how it can get worse by incorporating privacy tools.


>One thought: Route all Firefox users through Tor relays by default, creating some security-through-obscurity. There are problems with that, of course, including the blacklisting of Tor relays from many sites.

Sure this would accomplish that goal, but it's extremely impractical. The Tor network is slow enough as it is, add millions more people and it'll grind to a halt. Plus all the issues of sites that rely on IP addresses for fraud detection and moderation (banning spammers, for example).


I don't think Firefox will route through Tor by default, doesn't make sense.

I don't want to be routed through Tor by default, as not everything I do is privacy sensitive. But I do use Private Mode and it would be awesome to have a Private Mode that connects through Tor or maybe fast switching to a Tor-enabled profile.

This announcement is actually exciting.


I think this solves itself: How is the NSA going to keep track of ever increasing piles of data-to-be-decrypted? They will be swamped, eventually red-flagging so many people that the red flag becomes meaningless.


This sort of thing is pretty exciting. Now that users are aware of NSA hijinks, and are familiar with the Privacy modes of their current browsers, I'd like to see Mozilla move towards a "Super Privacy" mode where they route over a built-in Tor client.

Of course, the dream would be to have all Firefox clients run Tor relay nodes out of the box, backed by Mozilla-supported exit nodes.


As hackuser says elsewhere, Tor is not really a fire-and-forget security solution. My understanding is that in order to use it without compromising yourself you need to have a fairly sophisticated understanding of its limitations.


But isn't that the point of Incognito mode in the first place? To only use it in certain situations when you need extra privacy? I doubt too many try to login through Facebook using the Incognito mode, or at least they wouldn't use their real accounts.

Mozilla just needs to enhance Incognito mode (or create a new mode) with Tor.


My understanding was always that Incognito mode was only intended for instances when you didn't want browsing history saved, not instances where you wanted to protect your privacy. That said, I think an 'enhanced Incognito mode' which does protect your privacy that's built-in could definitely be a good addition.


The point of Private Mode is also to start with a blank session, without any cookies.

Service providers, such as Google or Facebook, are tracking users even when they aren't logged in, by setting unique identifiers in cookies with a very long age. Then as soon as you login, they can even correlate those identifiers and their history to your name should they want to.

Facebook for example is known to build profiles on people that do not have a Facebook account. And given that many websites are integrating with services provided by such companies (e.g. Google Analytics, Facebook buttons are everywhere), it's not like you have to go to Google.com or Facebook.com to be tracked.

So that's the point of Private Mode, because in Private Mode all they have is your IP. And in case we're talking about IPv4, we could be talking about a home connection, or a public Wifi, or a work connection, so to track users one needs to take a look at usage patterns coming from the same IPv4 and make a decision - home connections are what you want, as otherwise too many people are connecting from the same public wifi or work connection.

And given the shortage of IPv4 addresses, ISPs have switched to dynamically allocated IPs at least for home subscriptions. Mobile phone operators are doing the same thing - an IPv4 coming from a mobile phone doesn't even tell you the user's city.

It will be interesting to see how we'll be able to protect ourselves along with the switch to IPv6, but in the meantime, yes Private Mode has everything to do with privacy.


That could easily change with the help of a well funded team like Mozilla.


A lot of internet usage is logging in to Email, FB. If you do that an attacker knows that this particular user is you. Not sure how that can be "fixed" easily.

To recap the current situation: You need to run a normal browser (for convenience) for facebooking (of course running NoScript, Ghostery, RequestPolicy etc.) and the Tor browser for researching things you don't want to be associated with your identity (yet nothing that law enforcement or intelligence agencies care about).


"A lot of internet usage is logging in to Email, FB. If you do that an attacker knows that this particular user is you. Not sure how that can be "fixed" easily."

When data is input to an HTML form an alert could pop up: "Disclosing your login details may compromise your privacy". At least that would educate users, similarly to the warning text on Chrome's New Tab incognito page.


It couldn't. It'd take a fundamental re-architecture of Tor to implement a solution, but you also actually have to solve the problem, which is pretty hard too.


> Of course, the dream would be to have all Firefox clients run Tor relay nodes out of the box

Even the Tor Project themselves recommend against running an exit node on a home computer. Too many risks of investigation and seizure of assets.


More relays? That's great, but why not exit nodes?

Mozilla certainly has the manpower and infrastructure to operate a bunch of exit nodes, and if they have any legal qualms about it, hey, they just partnered with an EFF project, right?


What I don't understand is why Tor doesn't bundle their relays with their clients and have a network that scales better naturally, like I2P, and instead relies on people hosting their own, hopefully high bandwidth, relays.


I'm guessing that hosting relays could get people in trouble in some jurisdictions, even if they're just middle relays and not exit nodes.

Since the goal of Tor is to let people use the internet safely in such jurisdictions -- in fact, especially in such jurisdictions -- some might consider the loss of relay bandwidth an acceptable compromise.


There are two reasons I see. Trouble in some jurisdictions. But then there are also people who want to secretly use Tor (using Bridges). If for example Chinese (or Iranian or whoever) users want to secretly use Tor, which is possible with bridges, then it wouldn't be good if they were in a public list.

One more reason maybe is that you also want to have Tor running as a weak client, like on your smartphone. On such devices and in such networks running a relay would probably cause issues, both for you, but also for clients.

You can't really compare it with Bittorrent, because what mostly matters in file sharing is throughput, whereas Tor also requires low latency for example.


Tor has the goal of being high bandwidth and low latency, and relays on home connections can be problematic. Many home connections have rather low upstream bandwidth, for example, so that circuits through such relays would be limited to a few KB/s.

The idea of having everybody be a relay is definitely tempting, but there are genuine engineering problems with it.


Hm. I'm thinking Mozilla may be a modern day NRA.

The point of the right to bear arms is to protect the people from a government engaging in tyranny. The point of TOR is ideally the same. Maybe it's time to classify encryption as a weapon again.


That's sort of true, except guns are used to assault while anonymity is used to defend.


Anonymity can be used to assault, too.


...and guns to defend.


I think it's disingenuous to classify guns as defensive weapons even if they can be "used in defense".

Defensive weapons are armour, masks, shields or even boots with steel-capped toes. Shields and boots can actually be used as offensive weapons (like anonymity according to the GP) but are primarily defensive. They are primarily intended to deflect or mitigate harm.

Guns, knives, batons and even less-than-lethal weapons like pepperspray, water cannons, tear gas and tasers are offensive weapons. They are primarily intended to inflict (permanent or temporary) harm.

The defensive capabilities of offensive weapons consist of displaying them for intimidation (i.e. a threat to inflict harm, which is obviously an offensive act) and their use to inflict harm against an aggressor in self-defense (which is again about inflicting harm and therefore offensive). Their purely defensive capabilities are trivial (e.g. using a rifle stock to parry an attack in hand-to-hand combat) and at best secondary to their offensive ones.

Also note that every offensive weapon can be used to intimidate or in self-defense. A knife may not be very useful for intimidation in a gun fight and a megaton nuclear device may not be very useful for personal self-defense (unless you consider pre-emptive strikes an act of self-defense and even then you want some distance between you and the "aggressor"), so they could all be classified as defensive if we were to use the muddier definition you seem to suggest (i.e. defensive weapon = a weapon that can be used defensively).

Whether defensive weapons are (or should be) considered weapons at all is a matter of jurisdiction (I only know about the situation in Germany) but generally the idea is that defensive weapons are classified as weapons because they're only useful in a fight and you wouldn't use them if you weren't intending to get involved in a fight (this is why they may be illegal to carry/wear in a demonstration, for example).

This distinction may be a cultural thing, though. By this definition a "personal defense weapon" or even a self-defense weapon like a taser or pepper spray is actually an offensive weapon rather than a defensive one. This certainly works with the anonymity analogy (concealing your identity is not in itself a means to inflict harm, although it can aid in the success of doing so or in avoiding punishment), so I think this is what the GP had in mind.


All this infighting is certainly not helping civil rights. I'm not American, but an EFF-ACLU-NRA-SPLC-AI would be a great thing. Right now the civil rights and their proponents are played off against each other, and the rest of the world is suffering from this, too.


Such an important step for us to take.

Let's add SSDP as well.

I've never understood how enthusiasts about some rights can be so dismissive of others. Poignant critique is one thing, but there's a lot of, as I say, simple dismissism (?) going on.

Once again, I have to suggest Porcupine Festival. It's the only place I've seen that has such incredible unity on these fronts.


Guns are NOT defensive weapons... You could be standing in the Starbucks line with any weapon of your choosing and I can just walk up to you and pull out a pistol and splatter your brains across the counter. No problem...

EDIT - Why is my off-topic comment with an argument being down-voted, while the off-topic statement with no argument it replies to is not? There must be a lot of gun lovers on Hacker News...


Because your argument makes no sense at all to the majority (me included). A tool is a tool. It's how you use it that makes it good or bad.

I tend to believe that people who see a tool as one that can only be used in one direction, to be the ones most likely to use it in that direction.


A tool that is designed to kill people is different from a garden trowel. Give me a break.


Did your comment have something to do with what I posted? I was pointing out guns (yes, they are tools) are not good defensive weapons (the wrong tool).


That's your opinion. They're used as defensive weapons everywhere. Your opinion is that it's not effective.


Really? Just you saying they are defensive weapons makes it so?

You remember that news story from a couple of years ago in Seattle (I think)... Four professionally trained and armed policemen sitting at a coffee shop and one person walks up and shoots them all dead? Their guns were useless...

If we were living in movie world I would say guns are great defensive weapons because the good guys always know the bad guys are coming and have their guns drawn (or have super human reaction and aim). In real life? Not so much...


Yes. If you own a gun it doesn't mean that you're planning to shoot anyone with it or that it's bound to happen. If you say you use it as a defense weapon and you actually do that (which is what a lot of gun owners in the USA say) then it's a defensive weapon.

It's not about shooting back with lightning fast reflexes. It's dissuasion, or sometimes against wild life too. It also doesn't mean it's going to save you every time either. Nothing works every single time, we'd know by now.

Of course it's also used to kill. For homicides, what not. Heck, flower pots are used for homicides too.

The point is that the decision is in the hands of the human behind the trigger; if guns didn't exist, they'd use swords. If swords didn't exist, they'd use blunts. And so on.


Once again your comment has nothing to do with what I am talking about...

I am not making a moral judgment about guns. I am merely stating they are not defensive weapons as they not designed for that...

Swords? Well, if you had a sword and I had a sword it is possible for me to block your strikes with my sword. Guns? No gun blocks bullets...

Walking around with a gun offers one no protection (unless you have it drawn and ready to fire at all times, then maybe) but a false sense of security, as my real life examples illustrated. Now, if you want to shoot someone dead, guns (I would not suggest flower pots) do work really well for that...


You are being downvoted because people disagree. I'm not sure how I feel about the downvote button being used this way, but I also disagree with you. I wish that instead of downvoting, people will just explain their positions.

For my part:

Personally owned firearms are used for defense far more often than for aggression. The easiest scenario to picture is the one in which a sidearm is merely revealed (rather than brandished or fired) in order to deter an attacker.

The vast majority of successful uses of guns for personal protection do not involve discharge. I think it's reasonable to call these purely "defensive" uses.

I agree that, on its face, discharging a firearm with the intent to kill or injure another person is offensive. However, this is an over-simplification of the (largely positive, in my experience) role that firearms play in our society.

A sufficient distribution of concealed carry permits creates (or at least can create) a sort of herd immunity against certain types of violent crime.

Volunteer open carry provides an example of how protective force might be delegated in a community without the need for a police force.

A culture of firearms safety and training, along with widespread ownership of effective tactical arms, can cause an entity, even a state actor, to opt against brute-force repression of a community.

If you want a crash course in firearm culture amidst unending dedication to peace and compassion, check out Porcupine Festival. (And for what it's worth, there are also very intense tech talks and hacking sessions that will blow your mind).


Well, I would have to disagree with just about everything you wrote...

>The easiest scenario to picture is the one in which a sidearm is merely revealed (rather than brandished or fired) in order to deter an attacker.

Huh? Where do you live where this scenario ever happens? I am 45 and lived in a major city half my life and not really in the best part of town. I have never had the need to reveal a weapon to a would-be attacker. If someone is going to mug me their weapon will be already pointed at me and revealing any weapon I have is just going to get me shot. I think maybe you watch too much TV...

>A sufficient distribution of concealed carry permits creates (or at least can create) a sort of herd immunity against certain types of violent crime.

Source? I just looked at murder rates for NY (where I live), with a low concealed carry permit ratio, versus Texas, which has a high concealed carry permit ratio. Gee, Texas has a higher murder rate...

>Volunteer open carry provides an example of how protective force might be delegated in a community without the need for a police force.

Ok, I am not a huge fan of police forces but I am also not a huge fan of more random people walking around with guns. The majority of people are too violent, mentally unstable, or just plain too dumb to be carrying weapons around.

We already tried the wild west thing and it didn't work out...


> I have never had the need to reveal a weapon to a would be attacker. If someone is going to mug me their weapon will be already pointed at me and revealing any weapon I have is just going to get me shot.

I don't speak from personal experience; I've never owned a firearm. However, a number of my friends have had this experience. One possibility is that this is more important for women? A woman, being threatened by an unarmed man, can change the complexion of the power balance by revealing a weapon.

I don't have a good source for this; it's very possible that I'm wrong.

Even if it rarely happens, it's still an easy way to picture the 'purely' defensive capacity of a sidearm.


I have no idea what you are talking about "revealing" a weapon or why you would do that... If someone was flashing a gun in a public setting I would be calling the police. Oh wait, let me guess your friends get nervous when a "black" person walks near them so they have to "reveal" they are armed.

Funny, this was just in the news the other day... A man purchased a new gun and was flashing it. You guessed it, he was mugged at gun point by someone who wanted to upgrade his piece.


> Oh wait, let me guess your friends get nervous when a "black" person walks near them so they have to "reveal" they are armed.

What the hell is wrong with you?

This is shockingly presumptuous and divisive.


What the hell is wrong with me? You are the one who thinks one would have the need to "reveal" they have gun in everyday life.


Interesting points, do you have any sources though?


I don't, at least at the moment. Of the empirical claims I've made, I'm most interested in whether self-defense encounters that merely involve a "reveal" are typically effective and what their distribution is.

I didn't mean, though, to be empirical for the most part; I was just trying to jog the imagination about what "purely defensive" uses of firearms might look like.


I believe in restrictive gun laws; sometimes people have psychotic breaks for instance, and it's preferable there not be a gun handy when they do. That said, guns absolutely can be used to defend. The most obvious example is that police officers carry guns to defend the general public from criminals (who may also have guns). Yes, you could say the act of firing a gun is offensive, but the threat of the weapon can still be used defensively, and even shooting someone could be considered defensive if it is done to save the lives of others.


Sort of, but only indirectly. It can be used to assault without repercussions.


Considering TOR was paid for by the US government I think your concerns might be misplaced. That or TOR is a massive honeypot and ....

NO CARRIER


Several of the rifles that individuals in the US can own were also developed by the US government!


The difference, of course, being that guns are much less complicated than anonymity software, and that only the gun designs are from the military, not necessarily the manufacturer, distributor, retailer, or anyone else that ever actually touched your physical weapon. The Tor project is still governed by a lab that takes government funding, and that can bias its decisions because it creates misaligned incentives.

I'm not a tinfoil guy re: Tor, but you have to admit that the purchase of a government-designed gun is a lot easier to validate for reasonable safety than Tor.


"Mozilla will help address this by hosting high-capacity Tor middle relays" Mozilla has my trust (at least for now), but concentrating a large part of Tor infrastructure in a single point inside USA jurisdiction does not seem like a good and future-proof idea.


Won't these high capacity middle relays eventually become fast guards (and because of the new flag assignment process, possibly both guards and exit relays simultaneously) or can the directory authorities restrict flag assignments even if the relay is eligible? By "can" I mean "should they" I suppose?


We need adblock and noscript in Firefox, not tor.



But then Google would stop giving Mozilla money.


This is great. Even if not all changes in the Tor Browser fork are appropriate to be merged back into Firefox (and certainly not all will be), for every one that they can merge, it both makes Firefox more secure and frees up Tor developers from maintaining those differences. Sounds like a win all around.


"Mozilla is an industry leader in developing features to support the user’s desire for increased privacy online"

Is that why they enable 3rd party cookies by default and hide the option to block them?

(Unlike Apple's Safari)


Looks very hidden https://support.mozilla.org/en-US/kb/disable-third-party-coo...

Also, that's not hidden; that's under Options. No digging around in about:config.


Yes, it's hidden indeed. You don't get to see the checkbox to disable it until you change a select box

"Firefox will: [Remember history]"

It's totally unintuitive to look for the 3rd party cookies options there.

I know because it took me a while to find it. And I don't think it should be required to look at the documentation to do something as trivial as blocking 3rd party cookies.


I'm guessing Mozilla's Tor middle relays will soon be a part of PRISM


mozilla, like few other companies, has my full faith and confidence that they would pull a Lavabit and close up shop before letting something like this completely erode their users' trust.


I don't believe they would simply close in that case; I strongly believe that they would instead choose to remain open under the logic that compromised but still working for user security / web "openness" is superior to folding and losing a force which aims to work for the "greater good". I believe this given their past choices in things like H264 and EME.

Given that, though, I also believe that enough smart people are in Mozilla that they would try to prevent themselves from being in a position where they would be a target such that they would face the dilemma. Which might be why they're only hosting middle relays, and not exits or guards :)


regarding H264 and EME, there are legitimate reasons for them having conceded on those fronts. Content providers do have a legitimate interest in protecting copyrighted work. Likewise, H264 is widely deployed and is already a sunk cost for most consumers and migrating away from it will take at least a decade, it was never going to work to forcefully go cold turkey; not everyone can pull an Apple and yank Flash support.

while those choices certainly limit user freedom (as in choice), they do not compromise user security (assuming EME is properly sandboxed, etc)

i don't think they would just up and close, they'd likely just sunset/curtail the services which would be subject to interception. in Lavabit's case, that was the entire business.


>Content providers do have a legitimate interest in protecting copyrighted work

Except DRM in the browser doesn't really accomplish that, does it? Hit The Pirate Bay or Google up a torrent and done. Things like Netflix DRM are only one step above HDCP.


regardless of how misguided their attempts are, doing nothing is a non-option for studios, right? what alternatives are there? there are none - those who make the content make the rules, it's something i'm confident will not change.

https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...

anyways, this is off-topic.


If you really have to trust Mozilla here someone is doing something wrong.

Presumably these hosts will be part of a relay family and so tor will not select multiple of them in constructing a circuit.

When it comes down to it, no matter how trustworthy Mozilla has been in the past, any service they offer could be compromised going forward in a multitude of ways. This is why it's important that systems and software be designed to be secure even without trust. (Then, add in some trust for good measure too.)
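The relay-family point in the comment above, worked through as an added example (this is illustration code, not Tor project or Mozilla code). On a relay the family is declared with `MyFamily` lines in torrc listing the other relays' identity fingerprints; per the Tor manual the declaration only takes effect when both relays list each other, and by default (`EnforceDistinctSubnets 1`) a client also refuses two hops from one IPv4 /16. The relays, fingerprints and addresses below are constructed; `MOZ1`..`MOZ3` are hypothetical stand-ins for a set of high-capacity middle relays run by one operator.

```python
"""Client-side path constraints that keep co-hosted Tor relays out of
the same circuit.  Added illustration, not Tor project code.  All relays,
fingerprints and addresses below are constructed; the family rule follows
the MyFamily documentation (both relays must list each other) and the
subnet rule follows EnforceDistinctSubnets (no two hops in one IPv4 /16)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Relay:
    nickname: str
    fingerprint: str                      # 40 hex chars, constructed here
    address: str                          # IPv4 OR address
    family: FrozenSet[str] = frozenset()  # fingerprints from its MyFamily


def in_same_family(a: Relay, b: Relay) -> bool:
    """A family only counts when the declaration is mutual; a relay that
    unilaterally claims kinship with others cannot push them out of circuits."""
    return a.fingerprint in b.family and b.fingerprint in a.family


def in_same_subnet(a: Relay, b: Relay) -> bool:
    """Tor treats two relays in one IPv4 /16 as one operator by default."""
    def net16(r: Relay) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{r.address}/16", strict=False)
    return net16(a) == net16(b)


def circuit_conflicts(path: List[Relay]) -> List[Tuple[str, str, str]]:
    """Every pair of hops a client would refuse, with the rule that fires."""
    conflicts = []
    for i, a in enumerate(path):
        for b in path[i + 1:]:
            if a.fingerprint == b.fingerprint:
                conflicts.append(("same-relay", a.nickname, b.nickname))
            elif in_same_family(a, b):
                conflicts.append(("family", a.nickname, b.nickname))
            elif in_same_subnet(a, b):
                conflicts.append(("subnet16", a.nickname, b.nickname))
    return conflicts


def circuit_ok(path: List[Relay]) -> bool:
    return not circuit_conflicts(path)


# Constructed data.  MOZ1..MOZ3 stand in for one operator's high-capacity
# middle relays, declared as a family; ROGUE lists MOZ1 but is not listed back.
FP = {name: digit * 40 for name, digit in
      [("MOZ1", "1"), ("MOZ2", "2"), ("MOZ3", "3"),
       ("GUARD", "4"), ("EXIT", "5"), ("ROGUE", "6")]}
MOZ_FAMILY = frozenset({FP["MOZ1"], FP["MOZ2"], FP["MOZ3"]})
MOZ1 = Relay("MOZ1", FP["MOZ1"], "203.0.113.10", MOZ_FAMILY)
MOZ2 = Relay("MOZ2", FP["MOZ2"], "203.0.113.11", MOZ_FAMILY)
MOZ3 = Relay("MOZ3", FP["MOZ3"], "198.51.100.12", MOZ_FAMILY)
GUARD = Relay("GUARD", FP["GUARD"], "192.0.2.7")
EXIT = Relay("EXIT", FP["EXIT"], "198.18.5.33")
ROGUE = Relay("ROGUE", FP["ROGUE"], "203.0.99.5", frozenset({FP["MOZ1"]}))

if __name__ == "__main__":
    for path in ([GUARD, MOZ1, EXIT], [MOZ1, MOZ2, EXIT],
                 [GUARD, ROGUE, MOZ1], [GUARD, MOZ3, EXIT]):
        print([r.nickname for r in path], circuit_conflicts(path))
```

The point of the family rule is exactly the one the comment makes: a single operator's relays can be used by a client, but never twice in one circuit, so compromising that operator yields at most one hop of any path. The one-directional `ROGUE` declaration is ignored, which is why the only objection to `GUARD, ROGUE, MOZ1` is the shared /16, not a family match.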


in an ideal world, yes, we should require 0 trust; i don't think we will ever live in that world, it is prohibitively expensive and impractical.


trust is always a fun topic, as people are still unaware of how much stuff they trust today.

Let's say you trust TOR. Great.

Now you have to trust Mozilla's software if that's what you run. Let's say you trust Mozilla too, great.

Now you have to trust your whole OS. Let's say you do that. Great.

Now you have to trust the various devices connected to your computer. Let's say you trust that too. Great.

Now you have to trust the various companies that made all the various chips on your main bus and CPU. And the RAM and many other components. And don't forget the dynamically loadable firmwares running on them.

Good luck with that!

[note: this might have needed to be a reply to the parent post]


At least Mozilla doesn't have a 'business model' which is strongly dependent on you handing your data over to them, or other opaque/closed activities or software.


Lavabit could do it because they were a small shop (under 10 employees). Do you really think Mozilla is going to pull the pin with over 1000 employees?

More likely would be that they relocate. But relocating over 1000 people would be a massive feat.


how they handle their moral and legal obligations to 1,000+ people is up to them and i am sure those 1,000 people will be able to get as much assistance as they need to hold them over. 1,000 people keeping their jobs is statistically insignificant to the tens (hundreds?) of millions of compromised, faithful users. i don't think it would even be a question for them if the circumstances allowed for no other options. i believe their users would fully expect them to do this.

"I really wish Ladar Levison handed NSA the SSL keys so I could keep my email"

-- no Lavabit user, ever.


> mozilla, like few other companies, has my full faith that they would pull a Lavabit and close up shop before letting something like this completely erode their users' trust.

That trust is an exceptional asset, a unique competitive advantage for Mozilla. None of their for-profit[1] competitors can hope to compete in that area and I think it's especially valuable now that users are becoming aware of privacy and when the behavior of the competition often is so egregious. Mozilla has a chance to solidify their brand for the long term as the IT provider users can trust. If they can do that, IMHO they have a leg up in every market.

[1] I know Mozilla Corp. is for-profit, but profit is not their primary objective.


>pull a Lavabit

So, silently comply with warrants and other requests until a high-profile case comes along, then refuse to cooperate until a judge gets you to hand over everyone's data and your master keys, then turn that into a big PR show? OK.


> then turn that into a big PR show

if protecting whistle-blowers requires a PR show, i'll buy a front-row seat and pass me that popcorn. i believe what happened with the snowden request was not the same as other requests, obvious why in retrospect. http://www.wired.com/2013/09/lavabit-snowden-pen-register/

> So, silently comply with warrants and other requests

so are you suggesting, for the purpose of avoiding accusations of hypocrisy, all businesses should either comply unconditionally or close immediately and relocate to another country? what he did was unorthodox and perhaps somewhat PR motivated, but he did ultimately close his primary (only?) source of income on moral grounds. i'm not sure how much shit-slinging he deserves here.

anyhow, i think you took the analogy too literally.


Hopefully they simply don't back an architecture where the only option is to pull the plug.


the only type of architecture that is resistant to this would have to be distributed. for anything centralized and under control of a US company, the US laws can compel them to install intercept devices. sadly, not everything can be distributed, there will be centralization somewhere.


So people should start using it and hope that when the US compels them to do something, it is done in a way where Mozilla can resist it politically?


it's hard to answer this with a blanket statement because it's one company that does many things and builds many products. i'm not sure what the law says about requiring a company to continue to operate a service just for the sake of intercepting traffic, when the morals/mission of the company would otherwise terminate the service. i'd be interested to see if something like this has been tested in court.

the general rule of thumb is, don't base critical parts of your business or personal life on third-party cloud products that may go away for whatever reason, without your control and without notice. this includes Google's random termination of APIs, encrypted email services, etc. have a plan B if for some reason the Tor relays need to be suddenly taken offline, forever.


Company morals, mission statements, constitutions etc are marketing material and not law. If the law requires a company to comply but their mission statement goes against this, the law will win every time.


This is why the right place to put this sort of thing if you're really serious about it is in the corporate charter. Then it does become law as far as the company is concerned, since it's only chartered to operate under the terms of the charter.

Unfortunately, some jurisdictions don't allow sufficient customization of corporate charters to do this yet. It's been getting a bit better recently.


i don't think i claimed their morals would allow them to not comply with the law. but a company's past conduct is pretty important to evaluate in the context of how such situations will be handled. i'm unaware of a law that requires companies to continue providing compromised services to their users, for example.


I still don't see why someone worried about the US government would even start using a service where the best outcome of a warrant is that the service gets shut down.


PRISM operates on a completely different layer than Tor. Tor does NOTHING to protect you from PRISM, and using Tor can be much less safe than just using your direct connection.

http://www.deseret-tech.com/journal/psa-tor-exposes-all-traf...


Based on what info?


I'm really not sure why I'm being downvoted (or even killflagged). The Mozilla Foundation is a US-based organisation and has no choice in the matter if the feds come knocking for PRISM signup.


Another disturbing aspect is that TOR itself is funded by the US govt. It is not so much of a contradiction. It is very likely that three-letter agencies actively use and benefit from TOR-backed services. But should the cost-benefit balance tilt the other way, the money stream will probably disappear and/or its security be compromised.


You should assume any packets going over Tor are monitored anyway - use TLS.
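The two points above (the "Tor exposes all traffic" comment, and "assume packets over Tor are monitored, use TLS") describe the same exposure: the exit relay, and anyone after it, sees whatever the client sends in the clear, and a client that resolves the destination name locally leaks the destination to its own resolver. Below is an added example (not Tor, Mozilla or the linked article's code) of the client side done carefully: a SOCKS5 CONNECT that hands the hostname to Tor for resolution, then TLS with certificate and hostname verification on top. It assumes a local Tor daemon on 127.0.0.1:9050 for the live path; the framing helpers run offline, and `example.com` is a placeholder destination.

```python
"""Reach a site through Tor's SOCKS5 port with (a) the hostname resolved
inside Tor, so no DNS query leaves the local machine, and (b) TLS with
certificate and hostname checks on top, so the exit relay and anything
beyond it see only ciphertext.  Added example, not Tor or Mozilla code.
Assumes Tor listens on 127.0.0.1:9050 (its default SocksPort)."""
import socket
import ssl
import struct
from typing import Tuple

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03          # "let the proxy resolve it"; never ATYP 0x01 here
REPLY_TEXT = {0: "succeeded", 1: "general failure",
              2: "not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported",
              8: "address type not supported"}


def socks5_greeting() -> bytes:
    """Version 5, one method offered: no authentication."""
    return bytes([SOCKS_VER, 1, 0x00])


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT with the destination as a domain name (RFC 1928 section 4).
    Resolving the name locally and sending an IPv4 address instead would
    leak the destination to the local resolver before Tor is involved."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_socks5_reply(data: bytes) -> Tuple[bool, str]:
    """Decode the fixed head of a SOCKS5 reply: VER, REP, RSV, ATYP, ..."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        return False, "malformed reply"
    code = data[1]
    return code == 0, REPLY_TEXT.get(code, f"unknown code {code}")


def open_tls_over_tor(host: str, port: int = 443,
                      proxy: Tuple[str, int] = ("127.0.0.1", 9050),
                      timeout: float = 30.0) -> ssl.SSLSocket:
    """Return a verified TLS socket to host:port tunnelled through Tor."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(socks5_greeting())
    if sock.recv(2) != bytes([SOCKS_VER, 0x00]):
        sock.close()
        raise OSError("proxy refused the no-auth method")
    sock.sendall(socks5_connect_request(host, port))
    ok, why = parse_socks5_reply(sock.recv(4 + 256 + 2))
    if not ok:
        sock.close()
        raise OSError(f"SOCKS5 CONNECT failed: {why}")
    # create_default_context() sets CERT_REQUIRED and check_hostname=True,
    # so an exit relay that swaps in its own certificate fails the handshake.
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    tls = open_tls_over_tor("example.com")
    tls.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
    print(tls.version(), tls.recv(200).split(b"\r\n")[0])
    tls.close()
```

The same two properties are what Tor Browser enforces for you (SOCKS with remote DNS, and HTTPS wherever the site offers it); the point of spelling it out is that a hand-rolled client, a curl invocation without `socks5h://`, or a plain-HTTP fetch through port 9050 silently drops one or both, and the exit relay then gets exactly what the linked PSA describes.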



