Re: [T(A)ILS-dev] doc: warnings

このメッセージを削除

このメッセージに返信
著者: intrigeri
日付:  
To: The Tails public development discussion list
題目: Re: [T(A)ILS-dev] doc: warnings
Hi,

sajolida wrote (14 Apr 2011 15:28:37 GMT) :
> In the process of rewriting Tails' documentation I worked yesterday
> on the warning page.


Great!

> So I'm asking for your review.


Here it is.

(I fixed a few typos and other minor stuff. Will push soon.)

Why are you using only second-level titles on doc/overview and
doc/warning? Is this so that their content can more nicely be
[[!inline ]]'d on other pages?

Some of the "Quoted from..." references were unclear to me. At first
glance, I was not sure if it referred to the part before or the part
after (especially when a picture comes right after it).

> This still leaves open the possibility of a man-in-the-middle attack
> even when your browser is trusting an HTTPS connection but this
> won't affect Tor or Tails users more than anybody else on the
> Internet. Actually, by providing anonymity, Tor makes it more
> difficult to perform a man-in-the-middle attack targeted on a
> specific user with the blessing of a rogue SSL certificate.


I disagree with "this won't affect [...] more than anybody else on the
Internet"; while an attack targeted at *one specific person* is more
difficult to setup, and I am glad to see it mentioned, some other
kinds of attacks, such as large scale MitM attempts, or attacks
targeted at *a specific server*, and especially those among its users
who happen to use Tor, is actually made easier; such attacks can be
setup by anyone without special cow powers, e.g. by those who cannot
get a legal wiretapping order but still want to gather passwords, or
those who could get a legal wiretapping order but prefer not to, for
various reasons.


Sometimes I read "See, $ref", while sometimes I read "See $ref".
Just mentioning it in case this is an error. Else, I don't mind.


Confirmation attacks: mention the "both your home ISP and the server's
one cooperate with an adversary of yours"?


"virtual identities" => "contextual identities"?


> Vidalia's "New Identity" button forces Tor to use new circuits, thus
> addressing the first threat


Wrong. It asks Tor to use new circuits **for new connections** only.
We've been discussing it on this mailing-list a few months ago, in the
thread about HTTP keep-alive. Also see recent activity about such
matters on Tor's bug tracker. In the current state of things, I think
we should either not mention this feature of Vidalia's, or tell it can
**not** be accounted on to address the first threat.


Keep up with the good work, I like it!

Bye,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| Every now and then I get a little bit restless
| and I dream of something wild.