Why aren't Certificate Authorities used for links between TOR nodes but they in OpenVPN?
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Not sure about this, but TOR does not seem to use Certificate Authorities. However, OpenVPN does by default. Why don't they both avoid them to prevent MITM attacks between intermediate nodes?
This would add or demand for a sort of “continuity” which is neither sought, nor desirable in the tor network. It also asks for some identification process that would be counter-productive. Although I understand the question, the concepts of Certificate Authorities and Anonymity do, in some measure, contradict each other. A “structure” of just any kind is not the only way to organize things. Most anonymous networks, at least those which existed in the past, just appeared to work alright for a while. And that was all that was needed to render them useful.
It is (or should be) more like morality, culture..., stuff that exists before the structure becomes apparent. Edit: Read this as “It should be understood as” (and also read the remainder of this thread)
Last edited by Michael Uplawski; 05-17-2016 at 12:34 AM.
Reason: clarification
Rather than pondering how things should or should not be, is it true that TOR does not use certificate authorities? If so, how do nodes authenticate to each other?
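The contrast the two questions above raise (a certificate check that chains to a Certificate Authority, as OpenVPN does by default, against a check that needs no CA at all) in Go, as an added example that is not code from Tor, OpenVPN or anyone in this thread. It assumes nothing about how Tor actually authenticates relays; the no-CA side shows one general alternative, pinning the peer's public key before connecting. All names (Demo VPN CA, vpn.example.invalid, relay-A) and keys are constructed for the demo. Each check is run against a genuine peer and an impostor that presents the same name:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Outcome records whether each check accepted the genuine peer and the impostor.
type Outcome struct {
	LegitViaCA, ImpostorViaCA, LegitViaPin, ImpostorViaPin bool
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate with CommonName cn (constructed for this demo).
// With parent == nil it is self-signed; otherwise parent signs it with parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// verifyViaCA is the CA model: the peer is trusted only if its certificate
// chains to a root in roots. Who the peer is was decided by the issuer.
func verifyViaCA(peer *x509.Certificate, roots *x509.CertPool) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// spkiFingerprint hashes the SubjectPublicKeyInfo, so a pin survives
// re-issuing a certificate for the same key.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyViaPin is the no-CA model: the peer is trusted only if the key it
// presents was already known (pinned) before the connection. The issuer is
// irrelevant; only the key identity counts.
func verifyViaPin(peer *x509.Certificate, pinned map[string]bool) error {
	if err := peer.CheckSignature(peer.SignatureAlgorithm, peer.RawTBSCertificate, peer.Signature); err != nil {
		return fmt.Errorf("self-signature invalid: %w", err)
	}
	if fp := spkiFingerprint(peer); !pinned[fp] {
		return fmt.Errorf("peer key %s... is not pinned", fp[:16])
	}
	return nil
}

// Demo builds a genuine peer and an impostor for each model and runs both checks.
func Demo() Outcome {
	// CA model: a trusted CA, the server it issued, and a second "server" with the
	// same name issued by a CA that was never trusted (a man-in-the-middle's setup).
	ca, caKey := newCert("Demo VPN CA", true, nil, nil)
	server, _ := newCert("vpn.example.invalid", false, ca, caKey)
	rogueCA, rogueKey := newCert("Rogue CA", true, nil, nil)
	impostor, _ := newCert("vpn.example.invalid", false, rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	// Pin model: two self-signed peers claiming the same name; only one key was pinned.
	relay, _ := newCert("relay-A", false, nil, nil)
	fakeRelay, _ := newCert("relay-A", false, nil, nil)
	pinned := map[string]bool{spkiFingerprint(relay): true}

	return Outcome{
		LegitViaCA:     verifyViaCA(server, roots) == nil,
		ImpostorViaCA:  verifyViaCA(impostor, roots) == nil,
		LegitViaPin:    verifyViaPin(relay, pinned) == nil,
		ImpostorViaPin: verifyViaPin(fakeRelay, pinned) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Both checks reject their impostor, but for different reasons: the CA check fails because the chain ends at an unknown issuer, the pin check because the presented key is not one the verifier already knew. That is the trade-off the thread circles around: one shared root lets any peer prove itself to any other, at the price of an issuing and identification process; pinning needs no issuer, but every verifier must already hold the keys it will accept.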
Always remember that communications protocols are always spoken-of as being "in layers." ... And also, remember why.
If "two nodes need to 'authenticate with each other,'" then it logically stands to reason that they must assure that they can do so, whether the messages are ultimately passed by TOR, by TCP/IP, by Morse code, or by carrier pigeon. This fundamental concern must therefore "be dealt with first," i.e. "by a lower level of protocol."
The two parties, having thus dealt with their authentication requirements, must also be mindful of this impact upon "higher-level" concerns, such as anonymity. Authentication matters necessitate a reduced level of entropy in the message-stream, which cannot be fully concealed by TOR.
Does the answer have something to do with tor being for anonymity whereas openvpn is for privacy?
Yes, indeed. But TOR is also very much for redundancy. As with TCP/IP itself, "it's important that the message gets through, somehow." But in the case of TOR (at least as originally envisioned by the Department of Defense et al), the message has to transit a network that might be hostile to both message and messenger.
TOR assumes that, if the owners of the intermediate networks could discover even that "a message is being passed," they would move to block it or to tamper with it. They might well succeed in blocking some of the message paths.
The "onion" algorithm is very similar, in that regard, to the routing that is used by the Internet itself. Remember that all of this Internet stuff grew from MILNET, which was specifically designed to withstand an atomic holocaust. ("The command to shoot our nuclear doomsday back at them must get through, so that future space-aliens visiting our now-radioactive, lifeless Planet can conclude that we were, indeed, "MAD = Mutually-Assured Destruction.")
- - - - -
It should also be clearly understood, by anyone who might be so foolish as to try to use TOR to commit a crime, that TOR doesn't work too well when you presume that the network in question can be subjected to "total traffic surveillance," especially at its various pinch-points. Which agencies such as CIA, MI5, KGB and so-on can do. (This capability is a fundamental part of their mission, and they can do it, as well as ##CLASSIFIED##. But if you're committing crime, you've established yourself as a despicable cretin, anyway. )
Last edited by sundialsvcs; 05-17-2016 at 09:33 AM.