GoogleSharing, Now With No Trust Required

An anonymous reader writes "GoogleSharing, the popular Google anonymizing service created by well known privacy advocate and security researcher Moxie Marlinspike, has released a major new version today. The biggest change is leveraging Google's SSL search option to provide an anonymizing service which doesn't require you to trust either Google or GoogleSharing. This means that anyone who wishes to opt out of Google's data collection practices can now do so without having to trust the operator of the anonymizing service."

Re:Suddenly, it doesn't feel like '1984' anymore!

[shoehornjob]

A great day for liberty!

That is of course until someone in washington decides it's a security risk because terrorists could use it to plan their attacks. You know that will happen.

Re:Suddenly, it doesn't feel like '1984' anymore!

[spazdor]

The worst part is, they're right. As it turns out, the exact same kinds of privacy we want for the right reasons, the bad guys want for the wrong reasons.

Re:Suddenly, it doesn't feel like '1984' anymore!

[dynamo]

We already decided as a nation, over 200 years ago. I'm not having a hard time walking the line between freedom and oppression, nor is anyone else who is not in a position to lose power if freedom wins. Ben Franklin was right.

Re:Suddenly, it doesn't feel like '1984' anymore!

[MyFirstNameIsPaul]

Oh, please. Just go wardriving with a vanilla install of ubuntu using a laptop you picked up on craigslist and a wifi card you found in a trash can and you're safe. As usual, these kinds of government activities only infringe on the innocent and do nothing to inhibit the criminals.

Re:There is still man-in-the-middle attack

[Sir_Lewk]

You don't know how SSL works do you?

Actually, I'm not really sure why I phrased that as a question. You don't. To get started, look up public key cryptography.

Re:No, not Really?

[Sir_Lewk]

for that matter: Welcome to Slashdot, where people think scepticism is a good replacement for education and intelligence.

It seems like half the commenter here may have at least RTFS, but simply don't know what SSL is.

Re:No, not Really?

[maxwell demon]

Well, you also have to trust the Firefox extension (or read and understand the code, and trust your ability to find issues if there are any).

Re:Why not just not have a Google account?

[spazdor]

You do know what Google's business model is, right?

Re:Why not just not have a Google account?

[spazdor]

I'm certain there are statistical techniques that can be used to tie separate unique, "unrelated" sessions back together when they come from the same user. Some websites expose their account usernames to Google, which can provide near-sure matches.

Certain users habitually use Google to get to their favourite sites because it's literally quicker than typing a URL, and many of those probably use the same abbreviations for those sites each time. My ex-girlfriend used to get to Facebook by typing "face" into Google and clicking "I'm feeling lucky." I bet combining 4 or 5 separate browsing idiosyncrasies like that is enough to uniquely identify many users.

Re:There is still man-in-the-middle attack

[IpalindromeI]

Here's the quick rundown:

You contact Google's server through the proxy, and the server sends you Google's public key. This key isn't secret, so it doesn't matter if the proxy gets it, too.

Now you use their public key to encrypt a message telling them the symmetric encryption key you want to use for the rest of the communication. Only Google can decrypt that message, so only you and Google will know the key to use to decrypt the rest of your communications.

A man in the middle attack is only possible if GoogleSharing can either break or guess Google's private key, or the symmetric key you agreed to use after the handshake. Both are very hard to do. So don't worry about it.