[Noisebridge-discuss] Transparent Tor-ification

Sai Emrys noisebridge at saizai.com
Thu Mar 18 08:04:48 UTC 2010


On Wed, Mar 17, 2010 at 6:45 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> If you've ever seen OpenDNS resolution, it means that some exit node you
> used was configured to resolve DNS requests via the OpenDNS resolver.
> They could also have been configured to use 4.2.2.2 or 208.201.224.11 or
> something else. It's not a Tor Project choice, it's sysadmin for the
> given exit node choice.

I was not aware of that; thank you for the correction.

Evidently it's a very common choice, at least. (It's evidenced also
when using e.g. the default "enter search keywords as a pseudo-url"
functionality - I always get OpenDNS' web search page while using
torbutton.)

>> But that is definitely NOT adequate to prevent data leakage that's
>> more than enough to practically compromise your anonymity.
>
> Torbutton is important to protect against application level identification.

Which is why I recommended it! I was saying that *Tor* by itself is
not adequate for this, which is why Torbutton supplements it with
header scrubbing, browser configuration normalization, etc.

I'm consistently distinguishing Tor from Torbutton (because we're
talking about an AP that provides the functionality of the former but
not the latter).

>> Tor is no panacea; it just makes you look like you're coming from some
>> random IP, and IPs are only one way to identify people. *
>
> That's true. You have to define your threat model very clearly. However,
> Tor doesn't "just make you look like you're coming from some random IP"
> and to deride it as such is perhaps counter productive...
>
> It's used as a privacy tool, it's used to resist traffic analysis from
> active monitoring, it's used to circumvent filtering, etc.

Sorry, I didn't mean to be derisive at all. Certainly it has all those
excellent uses, and there are lots of different threat models to
consider.

I was speaking only from the perspective of a website operator, not
other attacks.

And yes, Tor*button* protects against the browser history attack
(which is excellent). *Tor* does not, which is why I was saying that
an application level filter is mandatory if you want anonymity from
websites.

> How does it cover all of it? That's a doozy of a statement. Unless
> you've got a kernel level filter, it's going to be _really_ hard to make
> that statement true. Especially against motivated attackers!

IIRC, Proxifier installs something as root that does this. There might
be some channels that leak, but I haven't found any. It's not an
extension, it's a full app.

It explicitly does not rely on any kind of system proxy settings or
applications' respect thereof AFAICT. If it's turned on, everything is
forced through the proxy - including command line tools, all apps,
etc. - without any restart thereof.

I don't know the details of its install mechanism though, so if you
want to know *how* it works you should check
http://www.proxifier.com/documentation.htm or contact the developer at
support at proxifier.com.

>> And if you are signed in to something, then of course you already lost
>> 'cause you're *telling them*. :-P
>
> I disagree.

You disagree about a different scope though. "Lost" here, again, means
with respect to the website in question. If they know who you are ...
they know who you are. Duh.

That doesn't mean you're less protected against various other attacks,
like ones against your local computer's traffic.

> Browsers have lots of fingerprinting attributes. You cannot surf the web
> anonymously and safely without Torbutton.

Which, again, is why I originally suggested that it's required, on top
of just tor/privoxy. ;-)

- Sai


