[Foundation-l] Release of squid log data

Ben McIlwain cydeweys at gmail.com
Fri Sep 21 00:15:12 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anthony wrote:
> On 9/19/07, SlimVirgin <slimvirgin at gmail.com> wrote:
>> Yes, I agree that protecting IP address is hard.
> 
> Not for admins.  Just use Tor.

It's very easy to say "just use Tor".  But have you actually done so?  I
bet I have more Tor experience than 99% of the people on this list -- I
semi-regularly use it for web browsing and I've even written up some
GNU/Linux applications designed to interface through Tor on the command
line.  And my simple conclusion is this: Tor is slow.  Really really
slow.  It turns a 100ms page load into a page load that takes many
seconds, *if* it doesn't time out.  Using Tor makes the web browsing
experience significantly worse, and only makes sense to use when
security is really in question.  Wikipedia should not be a site whose
security is so risky that we have to recommend our admins go through the
agony of trying to do all of their Wikipedia work through Tor.

And by the way, remember that all unencrypted web traffic ends up
unencrypted at the Tor exit node, and can be (and sometimes is) sniffed
by unscrupulous folks.  If you are using Tor you *must* make sure to use
only the secure Wikimedia https proxy.  Even that is difficult though,
because you'll end up clicking a link that takes you to unsecure http
pages (such as diff links), and before you can blink, your admin
cookie has gone across the web unencrypted.  As far as I can see there
is no fool-proof way of using Tor with Wikipedia, except for maybe
blocking unencrypted http Wikipedia at a firewall level.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFG8w0QvCEYTv+mBWcRAitnAJ9hn1M3g9ORk9/4KsTSoUQbmQczKwCfVBg3
TQHY8+UevyN4MS7gdclfWBI=
=6xS/
-----END PGP SIGNATURE-----
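
Added example, not part of the original message: a small Python audit that lists the links on an HTTPS page which would carry a session cookie in the clear if clicked, the downgrade the message describes for diff links. The hostnames, the sample HTML and the cookie scope are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def cookie_in_scope(host, cookie_domain):
    """Domain match: the host itself or any subdomain of cookie_domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def leaking_links(page_url, html, cookie_domain, cookie_secure=False):
    """Return link targets where the browser would send the cookie over plain http."""
    if cookie_secure:
        return []  # a cookie marked Secure is never attached to http:// requests
    collector = _LinkCollector()
    collector.feed(html)
    leaks = []
    for href in collector.hrefs:
        target = urljoin(page_url, href)  # resolves relative and //host links
        parts = urlsplit(target)
        if (parts.scheme == "http" and parts.hostname
                and cookie_in_scope(parts.hostname, cookie_domain)):
            leaks.append(target)
    return leaks


# Constructed sample: a page fetched over https that mixes link styles.
PAGE_URL = "https://wiki.example.org/wiki/Main_Page"
SAMPLE_HTML = """
<a href="/wiki/Some_article">relative, stays https</a>
<a href="//wiki.example.org/wiki/Talk">protocol-relative, stays https</a>
<a href="http://wiki.example.org/w/index.php?diff=123">absolute http diff link</a>
<a href="http://m.wiki.example.org/wiki/Mobile">http link to a subdomain</a>
<a href="http://other.example.net/">http, but outside the cookie scope</a>
"""

if __name__ == "__main__":
    for url in leaking_links(PAGE_URL, SAMPLE_HTML, "wiki.example.org"):
        print("cookie would cross the exit node unencrypted:", url)
```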


