As mentioned in the article, freenode cares about user privacy and security when using our network, and we specifically provide a tor hidden service for users who wish to use it.
At the same time, the amount of abuse we saw over earlier HS implementations was significant, which is why we know require users to connect with SASL (which requires an account registered over the clearnet). We’re aware of this hole, and we’ve been investigating. While we’re currently very busy in the runup to #live, we’re also open to suggestions on how we can securely close this hole in a way that allows users to never connect via clearnet.
[Comment removed by author]
Exactly that. I don’t trust the broken SSL/TLS PKI. I don’t trust that my financial institution properly set up SSL/TLS for HSTS and perfect forward secrecy.
Doesn’t that mean you should either be switching the bank or not use online banking at all? After all it was described as sensitive. In the end you have to still trust your route to the bank. TLS was not created for Tor, but for whoever is in between your and the target system.
Of course one might argue that it is easier to set up an exit node than an IXP, however you still rely on the same means to protect yourself. An attacker might still be sitting in the middle. I also suspect that a sophisticated enough attack to trick one who considers banking to be sensitive and is connection based isn’t that much more likely on Tor. Of course that’s just a guess, but from all that has been observed the majority of attacks have been done on unencrypted HTTP and didn’t even work when someone was using an up to date Tor Browser.
What might also make sense is adding your bank (and others) to OONI, which will mean that people/exit nodes targeting these sites might be discovered. At least to my understanding this data is also used for this.
The PKI is one of the most tested tech, it’s well polished.
The standards cover everything, from the encryption that is pluggable, to the revocation lists, to the decentralization that is possible by having different CI, to the delegation of roles and trusts.
Your concerns aren’t with the PKI, they’re with the choice of encryption algorithms (if they add a nounce or any MAC for PFS) and the browser policy (HSTS). Fraudulent nodes are not as frequent and If your browser checks the OCSP or CRL then you shouldn’t have any issues.
You don’t have to trust the exit nodes if you’re using Tor to browse Falun Gong literature in China. You do have to trust them if you’re using them to transmit sensitive personal information over cleartext.
I thought everyone agreed Tor was for anonymity l, not security/privacy
Everyone? Most people have, at best, a loose grasp on the difference between the three.
I don’t think it matters, I haven’t tried, but I’d be surprised if my bank even allows logins from overseas without authorising it first, which is what this is going to look like to them. “Oh, you’re on holiday in America, you didn’t tell us that, oh, you’re now in Russia, that was quick”.
Plus banks may be able to detect For browsing anyway which would be a red flag?
With regards to Android, I agree it is hard to tell what apps might not be pinning certs or using plain text traffic. Orbot on Android has a VPN mode that works on non-rooted devices allowing you to select specific apps that run over tor. Some apps have builtin support for Orbot - Facebook is one. Others allow using Orbot via HTTP proxy support - twitter does this. The VPN mode is experimental and it gives a warning it may fail and isn’t recommended if anonymity is important.
Compared to the author I wouldn’t choose the all-or-nothing approach. Use the right tool for the right job. I mostly use Tor whenever I want to enjoy a certain level of web privacy. And compared to Tor a decade ago it’s now quite usable :) For other tasks, I use different browsers (even on different UIDs) and two different uplinks. This gives me plenty of choice and I can avoid the situation of having a locked online banking account since I tried to login via Tor.