[Foundation-l] Release of squid log data

Anthony wikimail at inbox.org
Fri Sep 21 01:01:41 UTC 2007 

On 9/20/07, Ben McIlwain <cydeweys at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Anthony wrote:
> > On 9/19/07, SlimVirgin <slimvirgin at gmail.com> wrote:
> >> Yes, I agree that protecting IP address is hard.
> >
> > Not for admins.  Just use Tor.
>
> It's very easy to say "just use Tor".  But have you actually done so?

Umm, yeah.

> I bet I have more Tor experience than 99% of the people on this list -- I
> semi-regularly use it for web browsing and I've even written up some
> GNU/Linux applications designed to interface through Tor on the command
> line.

I edit Wikipedia through Tor all the time.  I even set up a script
which compares the list of tor exit nodes against the list of blocked
Wikipedia IPs and tells Tor to use only exit nodes which allow
editing, thus avoiding blocking.

> And my simple conclusion is this: Tor is slow.  Really really
> slow.  It turns a 100ms page load into a page load that takes many
> seconds, *if* it doesn't time out.

Do you have the latest version?  I'm getting fairly consistent page
loads of less than a second right now.  Maybe it's because of the exit
node thing.  But it seems to me like you must not have the latest
version.

> Using Tor makes the web browsing
> experience significantly worse, and only makes sense to use when
> security is really in question.

Well, obviously "security" is a big issue for Sarah.

> Wikipedia should not be a site whose
> security is so risky that we have to recommend our admins go through the
> agony of trying to do all of their Wikipedia work through Tor.
>
I wouldn't recommend it to everyone, only to paranoid people like me and Sarah.

> And by the way, remember that all unencrypted web traffic ends up
> unencrypted at the Tor exit node, and can be (and sometimes is) sniffed
> by unscrupulous folks.  If you are using Tor you *must* make sure to use
> only the secure Wikimedia https proxy.

Of course.  This is a good idea for admins to always do anyway.

> Even that is difficult though,
> because you'll end up clicking a link that takes you to unsecure http
> pages (such as a diff links), and before you can blink, your admin
> cookie has gone across the web unencrypted.  As far as I can see there
> is no fool-proof way of using Tor with Wikipedia, except for maybe
> blocking unencrypted http Wikipedia at a firewall level.

Umm, now I'm going to have to ask you: have you ever actually used
Tor?  Cookies don't get sent to the unsecure pages, and the diff links
aren't unsecure.

More information about the foundation-l mailing list