[Noisebridge-discuss] Transparent Tor-ification

Jacob Appelbaum jacob at appelbaum.net
Thu Mar 18 01:45:43 UTC 2010


( I work on Tor professionally - consider this a disclaimer :-) )

Sai Emrys wrote:
> On Wed, Mar 17, 2010 at 3:39 AM, Rubin Abdi <rubin at starset.net> wrote:
>> Re: Leaking data via DNS, javascript, headers, etc, that's not possible
>> if all traffic is being routed through Tor, which it is if I'm to
>> understand it correctly.
> 
> I'm not sure whether a torified AP would prevent DNS leaks; 


Why wouldn't you be sure of that?

> I suppose
> it depends on whether the client takes its suggestion for a DNS
> provider. (This is why torbutton reroutes dns requests over tor to
> opendns.) Let's be generous and say it will.
> 

Uh. What ever do you mean? Torbutton does not reroute DNS requests over
Tor to OpenDNS.

Torbutton configures Firefox to properly work with privoxy, polipo,
and/or Tor's SOCKS interface. Additionally, it protects against application
layer attacks. Please consider reading the Torbutton design document:
https://www.torproject.org/torbutton/design/

If you want to understand how Tor protects DNS requests, I suggest you
read these (grep for DNS):

http://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=doc/spec/tor-spec.txt
http://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=doc/spec/socks-extensions.txt

Note that when you use the SOCKS4A or SOCKS5 interface, you can pass in
a host name. You may also resolve the hostname via these interfaces. Tor
does not transport UDP but it does have limited support for DNS
resolution in the protocol itself. This traditionally happens at the
edge of the network. This means that an exit node will do the actual
resolution for you. You simply ask Tor for the name resolution (forward
or reverse) as a client...

If you've ever seen OpenDNS resolution, it means that some exit node you
used was configured to resolve DNS requests via the OpenDNS resolver.
They could also have been configured to use 4.2.2.2 or 208.201.224.11 or
something else. It's not a Tor Project choice, it's the choice of the
sysadmin for the given exit node.

> But that is definitely NOT adequate to prevent data leakage that's
> more than enough to practically compromise your anonymity.
> 

Torbutton is important to protect against application level identification.

> People like me (http://cssfingerprint.com) and other researchers
> (http://panopticlick.eff.org,
> http://www.iseclab.org/people/gilbert/experiment/, etc) can derive a
> lot of information about you without knowing your IP, which is
> (mostly) all that Tor itself hides. That information can very easily
> be used to both pseudonymously fingerprint you (like I currently do)
> or to fully deanonymize you (like iSecLab's experiment does).
> 

Torbutton protects against this. However, please read the following urls:
https://www.torproject.org/download.html.en#Warning
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers

> Tor is no panacea; it just makes you look like you're coming from some
> random IP, and IPs are only one way to identify people. *
> 

That's true. You have to define your threat model very clearly. However,
Tor doesn't "just make you look like you're coming from some random IP"
and to deride it as such is perhaps counterproductive...

It's used as a privacy tool, it's used to resist traffic analysis from
active monitoring, it's used to circumvent filtering, etc. The list of
uses is pretty long. I suggest you read these documents:
https://www.torproject.org/overview.html.en
https://www.torproject.org/torusers.html.en

>>> Firefox + TorButton (+ Proxifier to cover other traffic sources)
>>> covers at least the first one. :-P
>> This setup works if you only care about http/web traffic, and have
>> Firefox setup correctly, and aren't running any extensions that don't
>> care about your proxy settings, and stay away from java and anything
>> else embedded, and live on the Google Opt Out Island.
> 
> Actually, Proxifier covers all the other traffic AFAICT (including DNS
> proxying), whether or not something wants to obey the proxy settings.
> But again, all the above applies; proxies (like Tor) are only one
> slice of privacy defense.
> 

How does it cover all of it? That's a doozy of a statement. Unless
you've got a kernel level filter, it's going to be _really_ hard to make
that statement true. Especially against motivated attackers!

See this:
https://www.torproject.org/torbutton/faq.html.en#noflash

> And if you are signed in to something, then of course you already lost
> 'cause you're *telling them*. :-P
> 

I disagree.

People use Tor for reachability and traffic analysis resistance reasons.
I don't care that Twitter knows that one of my nyms is logging in from
Tor. I do care that the local sniffing client can't see who my nym is -
I also care that I can reach Twitter while being filtered. I also care
that I can have location anonymity from the anonymity network itself, etc.

> - Sai
> 
> * Incidentally, they're not even always a good way. IMPE I've dealt
> with ISP-level NATs, some with effective monopolies on small countries
> (like the UAE, IIRC), that make everyone there look like they're on
> the same IP. Still a fair amount of information, but not enough to
> fully identify someone.

Browsers have lots of fingerprinting attributes. You cannot surf the web
anonymously and safely without Torbutton. Most other "anonymity"
solutions don't even have anything that comes close to the protections
of Torbutton; this speaks nothing of the so-called "anonymity" networks
themselves. In any case, Tor is used for a lot more than browser
privacy. Many other protocols are less fraught with such crazy client
side danger.

Best,
Jake
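
Added example, not part of the original message: a small parser that shows the difference the message describes between handing a SOCKS4A/SOCKS5 proxy a host name (the proxy side resolves it) and handing it a bare IP address (the client may already have resolved the name locally, outside Tor). The sample requests and the `possible_dns_leak` field are constructed for illustration; the RESOLVE (0xF0) and RESOLVE_PTR (0xF1) command bytes are the Tor extensions from socks-extensions.txt.

```python
import ipaddress
import struct

# CONNECT is standard SOCKS; RESOLVE / RESOLVE_PTR are Tor's extensions.
COMMANDS = {0x01: "CONNECT", 0xF0: "RESOLVE", 0xF1: "RESOLVE_PTR"}

def classify_socks_request(data: bytes) -> dict:
    """Parse a SOCKS4/4a/5 request and report whether a name or an IP was sent."""
    version = data[0]
    if version == 5:
        # Layout: VER CMD RSV ATYP DST.ADDR DST.PORT
        cmd, atyp = data[1], data[3]
        if atyp == 0x03:                      # length-prefixed host name
            n = data[4]
            host, rest, is_name = data[5:5 + n].decode("ascii"), data[5 + n:], True
        elif atyp == 0x01:                    # raw IPv4 address
            host, rest, is_name = str(ipaddress.IPv4Address(data[4:8])), data[8:], False
        elif atyp == 0x04:                    # raw IPv6 address
            host, rest, is_name = str(ipaddress.IPv6Address(data[4:20])), data[20:], False
        else:
            raise ValueError("unknown ATYP")
        (port,) = struct.unpack("!H", rest[:2])
    elif version == 4:
        # Layout: VER CMD DSTPORT DSTIP USERID NUL [HOSTNAME NUL]
        cmd = data[1]
        (port,) = struct.unpack("!H", data[2:4])
        ip = data[4:8]
        fields = data[8:].split(b"\x00")
        # SOCKS4a signals "host name follows" with the invalid IP 0.0.0.x, x != 0
        is_name = ip[:3] == b"\x00\x00\x00" and ip[3] != 0
        host = fields[1].decode("ascii") if is_name else str(ipaddress.IPv4Address(ip))
    else:
        raise ValueError("not a SOCKS request")
    # A CONNECT carrying only an IP suggests the client resolved the name itself.
    # RESOLVE_PTR legitimately carries an address (reverse lookup through Tor).
    leak = (not is_name) and cmd == 0x01
    return {"version": version, "command": COMMANDS.get(cmd, hex(cmd)),
            "host": host, "port": port, "possible_dns_leak": leak}

# Constructed sample requests (192.0.2.10 is a documentation address).
NAME = b"example.com"
SAMPLES = {
    "socks5_hostname": b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + b"\x00\x50",
    "socks5_ipv4": b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x01\xbb",
    "socks4a_hostname": b"\x04\x01\x00\x50\x00\x00\x00\x01\x00" + NAME + b"\x00",
    "socks5_resolve": b"\x05\xf0\x00\x03" + bytes([len(NAME)]) + NAME + b"\x00\x00",
}
```

A CONNECT with a literal IP is only a hint: the user may have typed the address directly, so treat the flag as a prompt to check the application's proxy settings.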
