Reset the Net!

by phobos | June 5, 2014

We’re making the Internet more secure by taking part in #ResetTheNet.


Please note that the comment area below has been archived.

June 04, 2014


How exactly can you support this?

HTTPS does not solve the simple fact that the three letter agency you are trying to protect from has the keys to the fortress as they (and other nation state actors) have their own CA, hence can easily create any SSL certificate, MITM it and voila, read that "protected" data.

HTTPS is *NOT* complete security and it has nothing to do with 'resetting the net'.

HTTPS is only one layer that typically can help. But the moment one is protecting against a nation state actor you are losing out:
- they have their own CAs which *you trust* per default of the OS/browser installation
- you do not know if there are backdoors in code anywhere (openssl has lots of nice vulnerabilities, another one coming soon to you!)
- you do not know if the adversary knows about crypto flaws that make it all useless anyway
- and assuming device security, nobody is ever able to do all of:
  * understand how the crypto works and make sure it is 100% correct
  * verify the source-code and that it does not have backdoors/flaws
  * make sure that that version of the code actually runs on the device you are using
  * verify that nothing else on your device can actually just snoop the data there and send it out before the plaintext is encrypted...

Yep. You'll notice we didn't stop working on all the other things we do at Tor. :) HTTPS is nice and all, but you're right that there's a lot more to it than that.

But that said, these broad advocacy campaigns have a tough time picking 'real' issues that are also things ordinary people can get behind. And hey, more encryption is good.

June 05, 2014


"[...]HTTPS does not solve the simple[...]"

To begin with, OpenSSL should be debugged hard.
It has really heavy bugs.

June 05, 2014


While people align under "Reset The Net" and value privacy I just got this "search result" from at the right time:

"As you know, Tor recently included Startpage as the default search engine in the new Tor Browser Bundles. Thank you! We're honored to be associated with all of you like-minded, hard-core privacy fanatics.

Just One Small Catch...

However, the avalanche of new Tor users has created an issue with the algorithm we use to detect and reject automated screen-scraping programs. When multiple Tor users are searching through the same end node, Startpage may wrongly conclude that the searches are coming from a scraper.

The unfortunate result is that Startpage may occasionally not return results with Tor. But don't panic, we're committed to fixing it."

 claims two million searches per day. That's roughly 25 searches a second. I don't know how many percent of these are Tor users, but a handful of servers can do this number without a problem. In terms of hardware and bandwidth this is chickenshit for a company.

So why does cares so much to interrupt searches with their notifications? Later on in these notifications they recommend to change the Tor identity to be able to use their search engine again.

If screen-scraping is truly the reason I don't see how changing the Tor identity would prevent screen-scraping. The scraper would use any exit node IP address currently assigned and could go on day and night with a new IP address every few minutes. Makes no sense to me.

But this reminds me of the problems Scroogle had with Google.
Scroogle was a search proxy for Google, just like, but without depending on pay outs from Google (
Google doesn't want too many searches coming from the same IP address because their advertisers may think they are ripped off with automated searches, searches where no humans see their paid ads.

I wonder how searches from Tor users at are different from other users in a way Google would care enough to complain to
The only reason I can think of, as a "hard-core privacy fanatic" as denotes me as a Tor user, is that passes the IP address on to Google with each search. Maybe the IP addresses are hashed to comply with their claims.

Startpage pitches that they are a certified. If you read the certification documents there is no mention of Startpage.
The certifying company has looked at the meta search engine Ixquick which is by the same company as Startpage.
Ixquick uses different search engines than Startpage. I think the Ixquick engines are generally less demanding than the ubiquitous Google used by Startpage.

I assume you're a Windows user? The TBB is still portable -- it has an installer now because many people were confused when it didn't have an installer, but the resulting directory once you've installed it is all still self-contained and portable.

June 07, 2014


NSA must give back the private data they have stolen.
Afterwards they shall destroy the hard drives used to store these sensitive data.

June 07, 2014


Hi. Does anybody know when the TextSecure and RedPhone apps will be available on iPhone?

I'll take this privilege to thank all - TOR People, Edward Snowden, Glenn Greenwald, Jacob Appelbaum, Privacy Advocates and Supporters ... ALL, who are risking their lives and worked / are working behind to regain our privacy rights in this digital age. While we know "what" we will do, you guys are the "how". Thanks.

June 09, 2014


Let's remember that the world's most powerful people view it their privilege and categorical imperative to exploit all communications of the entire world. Our toys are in their playground, and every single one is another target.