On Sat, 02 Apr 2011 20:08:16 -0700 Jacob Appelbaum jacob@appelbaum.net wrote:
On 03/29/2011 02:10 AM, Scott Bennett wrote:
On Thu, 10 Mar 2011 10:27:50 -0800 Chris Palmer <chris@eff.org> wrote:On 03/10/2011 09:10 AM, mick wrote:
Using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable."
Which says to me that you are using Tor to do this research.
No, it says to you that using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable.
So which is it?
The Observatory work was not done through Tor.
Good.I think we need a scan of the SSLiverse through Tor.
However, using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable, so I vociferously defend the idea of doing so.
Ah. "The ends justify the means." How enlightened. :-(I don't think Chris is making "The ends justify the means" as his ethical model. Tor relays with exit policies that allow exiting to *:443
Whether he is or is not using that as his "ethical model", that is indeed the form (see above) of his reasoning for defending the activity in spite of the harmful effects it has upon the tor network.
intend to allow exiting to *:443. You have to go to quite a bit of effort to become a relay, so I'll trust that this counts as consent for exiting the Tor network on port 443. I hope we don't disagree about this?
Use != abuse. If I run sendmail with it configured to accept mail from outside, that does not mean I agree to receive massmail, malware, or other bad stuff via TCP port 25. Because various idiots with access to the Internet insist upon attempting to abuse my ability to receive mail does not militate against my defending my system from such malicious activity in any way I see fit. Do you suppose, for example, that the operators of the root name servers would hesitate for a minute to filter out packets from any address that were obviously attempting a DoS attack upon their root servers? And would they be wrong to do so? Consider that, in doing so, they would not only be defending their own services, but also the proper functioning of the entire Internet. The same reasoning applies to operators of exit nodes wishing to defend the continued existence of their nodes and thereby defend also the proper functioning of the tor network.
Now, if your ethical issue surrounds the fact that they then connect to a computer without asking permission, I'd make the argument that this is reasonable. Even if I was mistaken in your desire to have me connect to your system, I believe your placement of a computer system on the public internet requires handling a little bit of expectation setting.
What do I mean? I mean to say - if you configure PF to block me, I'm still burning some amount of CPU time on your machine. Is that an unethical action on my part? To ask your computer a question and for your computer to reply (with say, a RST) is a normal part of the networking protocols. The internet is inherently chatty and some amount of that chatter is the cost of connecting to the public internet. Obviously 1,000,000 connections at once isn't polite but is polite really zero connections? Is one connection really so impolite or unethical?
Your analogy is not valid. The activity in question can and does result in termination of services to exit nodes by their ISPs.
Now - if we assume that it's reasonable to send a single SYN and then complete the handshake when the policy allows, what is the next boundary? I'd argue that common HTTPS ports probably run HTTPS software
- to better understand that software, you'll need to negotiate some or
all of that protocol. Is sending a TLS ClientHello a reasonable and ethical next step? I'd say so. It also seems to make sense that when the server replies, you might log the ServerHello. You might even log all of the data that the server intended you to have. Is that impolite or unethical? Is there something wrong with what has been done by this point in the protocol? I don't think so.
As noted above, the activity under consideration results in the general depletion of exit nodes from the tor network. Therefore it must be thought of as an attack upon the tor network itself. Further, an activity that can be used by one party to cause termination of another, innocent party's Internet connection is an intolerable assault upon the latter party's paid access to the Internet for all purposes, not just to offer additional capacity to the tor network, and upon a private agreement between the latter party and his/her ISP. Defense against such offenses is completely appropriate and in order. The activity in question also is not easily distinguishable from that of a lot of actual malware that scans for open ports to find a way in. Using an efficient packet filter (e.g., pf) is a way to provide a defense at minimal cost. Consider it similar to keeping one's household appropriately armed against intruders. Yes, security costs a bit, but TANSTAAFL, and like insurance, it's cheaper than not being prepared when an attack comes. In the case of using a packet filter to prevent responses to miscreants on a permanent basis, it has the additional benefit of proactively defending all other present or future services offered, while denying said miscreants any information. This is even more the case when the filter is combined with something like FreeBSD's black hole option for incoming packets for closed ports because the sender doesn't get a response even in the first attempt. That means that the delay in adding the sender's IP address to the filter does not allow the sender to receive any information at all in response, even once, except in the case that the sender happens to connect to a port that actually *is* open before the sender's address gets added to the table.
Now the client will reasonably tear down the connection as described in the relevant protocols. Is that wrong? I don't think so - the protocols specifically indicate how systems should signal their intentions. You're free to tell me to stop connecting and I'm free to connect - that's how these things generally work.
Let's apply that argument to telephones. There is a procedure for making a telephone call that has several steps: dialing, waiting for the switching system to establish a circuit, ringing the phone at the other end (a connection attempt), possibly several times, then either getting an answer or giving up on the connection attempt with no answer or because the response was a busy signal or notification that the number is no longer assigned. If the call is answered, then information may be transmitted in both directions, and eventually the connection is closed (hung up). So there is a protocol for making a phone call. The existence of the protocol can hardly be a justification for abuse. Is it okay to dial phone numbers, either at random or according to some desired pattern, just to find out whether a human answers, a modem answers, or there is no answer, only to disconnect immediately upon an answer or after an error indication or else upon a configured timeout?
Now - as it happens, the EFF SSL observatory client does not actually implement the entire set of SSL/TLS protocols - just as some software does not implement TLS 1.1 or 1.2 - is it somehow wrong to run a client that isn't completely implemented for all specs that it might encounter? That seems doubtful.
Again, pf's "synproxy" is an appropriate, preconfigured response of the target. It's kind of a simple version of a honeypot.
Google seems to have this data from crawling the web and simply caching it as a matter of crawling everything - they get the data from lots of sources such as other urls, toolbars, etc. Google recently published the Google Certificate Catalog: http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-s...
So is Google's method the only ethical way to collect this certificate data? Or is there no method for collecting this data without users manually submitting each certificate they encounter by hand?
Even if we pretend that the EFF or the Google methods weren't to be used
- do you think that the EFF model is actually burning more CPU time on
each system?
AFAIK, Google does not use the tor network for its web (or other) crawling activities. For Google's purposes, the tor network would be unusably slow. AFAIK, Google does not use any method that uses someone else's computer(s) to make its connections to a destination. An EFF employee, OTOH, has confessed to doing so on this list. The latter, then, is burning CPU time, as well as network connection throughput capacity, on not just one system, but on routelen + 1 systems for each scanned system times the number of ports scanned on that system.
Do you accept that there is some amount of CPU time you're going to have to burn when you connect to the internet as a server? If so, what's the limit or the edge of reasonable CPU time that a single client may cause for a public server?
Are you asking about reasonable time for service requests from legitimate clients? Or, instead, about reasonable time for ignoring "excommunicated" miscreants?
In any case, the idea of using Tor for perspective routing is not particularly new - Geoffrey Goodell's work on the topic is well over half a decade old at this point. It makes a lot of sense to use Tor as a perspective-routing system of sorts and there's nothing wrong with that at all.
The problem has now been identified and publicized. If EFF can find some non-damaging alternative method to gather the information it desires, then more power to it. In the meantime, it should cease any and all activities that can damage the tor network or that can adversely affect innocent parties elsewhere. Ethics do matter. Another point, though irrelevant due to the ethical considerations that we've been discussing so far, is that there is no particular reason to use tor rather than some other proxy to look at the Internet from different locations. Anonymity is not necessary to achieve that end. BTW, I was offended to read a day or two ago that you had been subjected to still more harassment by the federal crime syndicate when returning to the U.S. from points south recently. You certainly have my sympathy over such injustices. The best hope at present is, I think, that the empire will soon bring on its own collapse under the weight of its theft of wealth by inflation when the largest buyers of T-bonds stop buying them. Keep your chin up and your eyes on that day. :-)
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at cs.niu.edu * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************