Tor Security Discussion Thread

Discussion in 'Computer Security' started by lgr_joly@yahoo.com, May 12, 2006.

  1. Guest

    Tor is enjoying some success among the TCP/IP anonymity seekers. Could
    we discuss the security of this system in this thread? Why not
    investigating this topic at cryptology, computer/network, and user
    levels (the only reason for x-posting this message)?

    Kind regards
    Ludovic Joly
     
    , May 12, 2006
    #1

  2. wrote:
    > Tor is enjoying some success among the TCP/IP anonymity seekers. Could
    > we discuss the security of this system in this thread? Why not
    > investigating this topic at cryptology, computer/network, and user
    > levels (the only reason for x-posting this message)?


    Is there any need to discuss it? As far as the implementation is
    correct, TOR fulfills its goal to provide a maximum protection against
    routing analysis.

    It does not, and was never intended to protect against traffic and
    timing analysis, and the biggest problem still is session tracking and
    fingerprinting through client applications (f.e. webbrowsers).

    When you don't care for leaking information through DNS resolving, a
    TORified connection can be arbitrarily fast and low-delay to replace an
    unprotected connection for a lot of common tasks (f.e. surfing the WWW).
     
    Sebastian Gottschalk, May 12, 2006
    #2

  3. nemo_outis Guest

    wrote in news:1147471726.300609.250680@j33g2000cwa.googlegroups.com:

    > Tor is enjoying some success among the TCP/IP anonymity seekers. Could
    > we discuss the security of this system in this thread? Why not
    > investigating this topic at cryptology, computer/network, and user
    > levels (the only reason for x-posting this message)?
    >
    > Kind regards
    > Ludovic Joly



    Wonderful. The homework assignment and minimal prerequisite for even
    opening one's mouth should be an attentive and thoughtful reading of the
    material posted on:

    Anonymity Bibliography
    http://www.freehaven.net/anonbib/

    Regards,
     
    nemo_outis, May 12, 2006
    #3
  4. Anonymous Guest

    On 12 May 2006, wrote:
    >Tor is enjoying some success among the TCP/IP anonymity seekers. Could
    >we discuss the security of this system in this thread? Why not
    >investigating this topic at cryptology, computer/network, and user
    >levels (the only reason for x-posting this message)?



    one of the biggest security risks is with users not setting their apps up
    to work with tor correctly. dns leak is a big issue.

    or, take java as an example. user browses to a web site using tor and is
    anonymous. but that web site contains a java applet. java isn't running
    through tor and makes a direct connection to the web site and there goes
    that anonymity.

    -=-
    This message was sent via two or more anonymous remailing services.
     
    Anonymous, May 13, 2006
    #4
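
The DNS leak raised in this post comes down to what the application hands Tor's SOCKS port: an IP address it already resolved outside Tor, or the hostname itself. As an added illustration (not part of the thread), this Python example classifies SOCKS4, SOCKS4a and SOCKS5 CONNECT requests accordingly; the function names and the sample request bytes are constructed for the example.

```python
import ipaddress
import struct

def classify_socks_request(req: bytes):
    """Parse one SOCKS CONNECT request.
    Returns (protocol, destination, port, name_via_proxy)."""
    if len(req) >= 9 and req[0] == 4:
        port = struct.unpack("!H", req[2:4])[0]
        ip = req[4:8]
        uid_end = req.index(b"\x00", 8)        # user id is NUL-terminated
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            # SOCKS4a: dummy address 0.0.0.x, hostname follows the user id
            host_end = req.index(b"\x00", uid_end + 1)
            host = req[uid_end + 1:host_end].decode("ascii")
            return ("SOCKS4a", host, port, True)
        # Plain SOCKS4 can only carry an IPv4 address
        return ("SOCKS4", str(ipaddress.IPv4Address(ip)), port, False)
    if len(req) >= 7 and req[0] == 5:
        atyp = req[3]
        if atyp == 3:                          # length-prefixed domain name
            end = 5 + req[4]
            if len(req) < end + 2:
                raise ValueError("truncated SOCKS5 request")
            port = struct.unpack("!H", req[end:end + 2])[0]
            return ("SOCKS5", req[5:end].decode("ascii"), port, True)
        size = {1: 4, 4: 16}.get(atyp)         # IPv4 or IPv6 literal
        if size is None or len(req) < 6 + size:
            raise ValueError("bad SOCKS5 address type or length")
        addr = ipaddress.ip_address(req[4:4 + size])
        port = struct.unpack("!H", req[4 + size:6 + size])[0]
        return ("SOCKS5", str(addr), port, False)
    raise ValueError("not a SOCKS4/4a/5 request")

def ip_only_requests(requests):
    """Requests that gave the proxy only an IP: any name lookup behind
    them happened before the proxy saw the connection."""
    parsed = [classify_socks_request(r) for r in requests]
    return [(p, d, port) for p, d, port, via_proxy in parsed if not via_proxy]

# Constructed sample requests (documentation address 192.0.2.10, port 80)
HOST = b"example.com"
SAMPLES = [
    b"\x04\x01\x00\x50\xc0\x00\x02\x0a" + b"\x00",                  # SOCKS4
    b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"\x00" + HOST + b"\x00",  # SOCKS4a
    b"\x05\x01\x00\x03" + bytes([len(HOST)]) + HOST + b"\x00\x50",   # SOCKS5 name
    b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x50",                     # SOCKS5 IPv4
]

if __name__ == "__main__":
    for item in ip_only_requests(SAMPLES):
        print("IP-only request (possible local DNS lookup):", item)
```

An IP-only request is not proof of a leak, since the user may have typed a literal address, but it is the case worth checking against the resolver traffic leaving the machine.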
  5. On 12 May 2006, wrote:
    >Tor is enjoying some success among the TCP/IP anonymity seekers. Could
    >we discuss the security of this system in this thread? Why not
    >investigating this topic at cryptology, computer/network, and user
    >levels (the only reason for x-posting this message)?



    one of the biggest security risks is with users not setting their apps up
    to work with tor correctly. dns leak is a big issue.

    or, take java as an example. user browses to a web site using tor and is
    anonymous. but that web site contains a java applet. java isn't running
    through tor and makes a direct connection to the web site and there goes
    that anonymity.
     
    Anonymous via the Cypherpunks Tonga Remailer, May 13, 2006
    #5
  6. Guest

    Anonymous wrote:
    > On 12 May 2006, wrote:
    > >Tor is enjoying some success among the TCP/IP anonymity seekers. Could
    > >we discuss the security of this system in this thread? Why not
    > >investigating this topic at cryptology, computer/network, and user
    > >levels (the only reason for x-posting this message)?

    >
    >
    > one of the biggest security risks is with users not setting their apps up
    > to work with tor correctly. dns leak is a big issue.
    >
    > or, take java as an example. user browses to a web site using tor and is
    > anonymous. but that web site contains a java applet. java isn't running
    > through tor and makes a direct connection to the web site and there goes
    > that anonymity.


    [Why was this posted twice? Maybe your super uber 1337 nym program is
    busted?]

    Anyways ... anyone concerned with that level of privacy would
    virtualize their OS then pump all IP traffic through the filter.

    .... of course you'd do that if you didn't get all your tech savvy from
    watching Swordfish or playing hacker.

    Tom
     
    , May 13, 2006
    #6
  7. Mike Amling Guest

    Anonymous wrote:
    > On 12 May 2006, wrote:
    >> Tor is enjoying some success among the TCP/IP anonymity seekers. Could
    >> we discuss the security of this system in this thread? Why not
    >> investigating this topic at cryptology, computer/network, and user
    >> levels (the only reason for x-posting this message)?

    >
    >
    > one of the biggest security risks is with users not setting their apps up
    > to work with tor correctly. dns leak is a big issue.
    >
    > or, take java as an example. user browses to a web site using tor and is
    > anonymous. but that web site contains a java applet. java isn't running
    > through tor and makes a direct connection to the web site and there goes
    > that anonymity.


    Java applets, unless they're signed and the user approves the applet
    or has previously approved the signer, use the networking of the browser
    that's running them, which uses the same proxy as for web page requests.

    --Mike Amling
     
    Mike Amling, May 13, 2006
    #7
  8. Mike Amling wrote:

    > Java applets, unless they're signed and the user approves the applet
    > or has previously approved the signer, use the networking of the browser
    > that's running them, which uses the same proxy as for web page requests.


    Which would mean absolutely nothing at all if that applet simply transmits
    your real IP number across that nicely encrypted connection, even if it
    were true.
     
    Borked Pseudo Mailed, May 14, 2006
    #8
  9. Mike Amling Guest

    Borked Pseudo Mailed wrote:
    > Mike Amling wrote:
    >
    >> Java applets, unless they're signed and the user approves the applet
    >> or has previously approved the signer, use the networking of the browser
    >> that's running them, which uses the same proxy as for web page requests.

    >
    > Which would mean absolutely nothing at all if that applet simply transmits
    > your real IP number across that nicely encrypted connection, even if it
    > were true.


    You probably also want to make sure you're running on a machine that
    connects to the Internet through a router that supplies NAT, regardless
    of Java.

    --Mike Amling
     
    Mike Amling, May 14, 2006
    #9
  10. Ludovic Joly Guest

    Mike Amling:
    > You probably also want to make sure you're running on a machine that
    > connects to the Internet through a router that supplies NAT, regardless
    > of Java.


    In this case javascript code or normal java applets can only capture
    the internal address, so the IP address of the gateway remains hidden -
    is that what you mean regarding this issue?
     
    Ludovic Joly, May 15, 2006
    #10
  11. Ludovic Joly wrote:
    > Mike Amling:
    >> You probably also want to make sure you're running on a machine that
    >> connects to the Internet through a router that supplies NAT, regardless
    >> of Java.

    >
    > In this case javascript code or normal java applets can only capture
    > the internal address, so the IP address of the gateway remains hidden -
    > is that what you mean regarding this issue?


    A Java applet can make a direct connection back to the server, the NAT
    will happily translate into your public IP.

    And JavaScript doesn't know anything about your IP address.
     
    Sebastian Gottschalk, May 15, 2006
    #11
  12. Sebastian Gottschalk wrote:

    > Ludovic Joly wrote:
    >> Mike Amling:
    >>> You probably also want to make sure you're running on a machine that
    >>> connects to the Internet through a router that supplies NAT, regardless
    >>> of Java.

    >>
    >> In this case javascript code or normal java applets can only capture the
    >> internal address, so the IP address of the gateway remains hidden - is
    >> that what you mean regarding this issue?

    >
    > A Java applet can make a direct connection back to the server, the NAT
    > will happily translate into your public IP.
    >
    > And JavaScript doesn't know anything about your IP address.


    False. Javascript can call certain Java classes REGARDLESS of whether Java
    is enabled in your browser. It can even make calls to specific Java
    versions if there are multiple versions installed on your machine.
     
    Borked Pseudo Mailed, May 15, 2006
    #12
  13. On Mon, 15 May 2006 15:10:18 +0200, Sebastian Gottschalk wrote:

    > A Java applet can make a direct connection back to the server, the NAT
    > will happily translate into your public IP.
    >
    > And JavaScript doesn't know anything about your IP address.


    Whoa there PonyBoy, ain't so, Java's fully capable of being used to extract
    this and lots of other info/data.
    --
    Drop the alphabet for email
     
    Ari Silverstein, May 15, 2006
    #13
  14. Mike Amling Guest

    Ludovic Joly wrote:
    > Mike Amling:
    >> You probably also want to make sure you're running on a machine that
    >> connects to the Internet through a router that supplies NAT, regardless
    >> of Java.

    >
    > In this case javascript code or normal java applets can only capture
    > the internal address, so the IP address of the gateway remains hidden -
    > is that what you mean regarding this issue?


    Yes. Java, javascript, ActiveX, whatever.

    --Mike Amling
     
    Mike Amling, May 15, 2006
    #14
  15. Mike Amling Guest

    Sebastian Gottschalk wrote:
    > Ludovic Joly wrote:
    >> Mike Amling:
    >>> You probably also want to make sure you're running on a machine that
    >>> connects to the Internet through a router that supplies NAT, regardless
    >>> of Java.

    >> In this case javascript code or normal java applets can only capture
    >> the internal address, so the IP address of the gateway remains hidden -
    >> is that what you mean regarding this issue?

    >
    > A Java applet can make a direct connection back to the server, the NAT
    > will happily translate into your public IP.


    The router does NAT on the IP header, not the TCP data payload. The
    OP is connecting to the server through Tor.

    --Mike Amling
     
    Mike Amling, May 15, 2006
    #15
  16. nemo_outis Guest

    Ari Silverstein <> wrote in
    news:h41iiud09mcy$.1sflm84zf0qzh$:

    > On Mon, 15 May 2006 15:10:18 +0200, Sebastian Gottschalk wrote:
    >
    >> A Java applet can make a direct connection back to the server, the
    >> NAT will happily translate into your public IP.
    >>
    >> And JavaScript doesn't know anything about your IP address.

    >
    > Whoa there PonyBoy, ain't so, Java's fully capable of being used to
    > extract this and lots of other info/data.




    I'll take the liberty of interjecting some additional information into this
    thread and further roil the waters.

    Those who like Tor should also look into I2P. At the grossest level the
    two networks are similar (Tor is currently more mature), but as you'd
    expect there are lots of differences, not all of them subtle, when you look
    more closely.

    However, I must say I'm very encouraged by my experiments with I2P. Using
    both networks (in series or in parallel) opens up even more possibilities.

    Regards,
     
    nemo_outis, May 15, 2006
    #16

  17. >>> And JavaScript doesn't know anything about your IP address.

    >>
    >> Whoa there PonyBoy, ain't so, Java's fully capable of being used to
    >> extract this and lots of other info/data.

    >
    > I'll take the liberty of interjecting some additional information into this
    > thread and further roil the waters.
    >
    > Those who like Tor should also look into I2P. At the grossest level the
    > two networks are similar (Tor is currently more mature), but as you'd
    > expect there are lots of differences, not all of them subtle, when you look
    > more closely.
    >
    > However, I must say I'm very encouraged by my experiments with I2P. Using
    > both networks (in series or in parallel) opens up even more possibilities.
    >
    > Regards, nemo


    Effective, crawls like a 14.4K dialup but effective.


    --
    Drop the alphabet for email
     
    Ari Silverstein, May 15, 2006
    #17
  18. Ari Silverstein wrote:

    >> A Java applet can make a direct connection back to the server, the NAT
    >> will happily translate into your public IP.
    >>
    >> And JavaScript doesn't know anything about your IP address.

    >
    > Whoa there PonyBoy, ain't so, Java's fully capable of being used to extract
    > this


    Java cannot extract your gateway address without breaking out of the
    sandbox which is supposed to be impossible. It can only read your local
    IP address by generating a socket.

    > and lots of other info/data.


    Is "lots" new-speech for "few"?

    You cannot even get the screen resolution, something which JavaScript
    can (if you didn't disable this functionality).


    However, there isn't any important and only few pretty unique
    information to extract, so you'll even have a hard job just
    fingerprinting the system, especially one can easily limit the
    capabilities of JavaScript without breaking relevant functionality.
     
    Sebastian Gottschalk, May 15, 2006
    #18
  19. Mike Amling wrote:

    >>>> You probably also want to make sure you're running on a machine that
    >>>> connects to the Internet through a router that supplies NAT, regardless
    >>>> of Java.
    >>> In this case javascript code or normal java applets can only capture
    >>> the internal address, so the IP address of the gateway remains hidden -
    >>> is that what you mean regarding this issue?

    >>
    >> A Java applet can make a direct connection back to the server, the NAT
    >> will happily translate into your public IP.

    >
    > The router does NAT on the IP header, not the TCP data payload. The OP
    > is connecting to the server through Tor.


    Sadly, a Java applet is free to ignore your proxy settings. So does
    Macromedia Flash's ActionScript.
     
    Sebastian Gottschalk, May 15, 2006
    #19
  20. sign me up Guest

    On 12 May 2006 20:05:37 -0700, wrote:


    >
    >Anyways ... anyone concerned with that level of privacy would
    >virtualize their OS then pump all IP traffic through the filter.


    oooh... virtualize. how trendy and vista ready.
     
    sign me up, May 29, 2006
    #20