[Noisebridge-discuss] Transparent Tor-ification

Jacob Appelbaum jacob at appelbaum.net
Thu Mar 18 08:20:03 UTC 2010


Sai Emrys wrote:
> On Wed, Mar 17, 2010 at 6:45 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>> If you've ever seen OpenDNS resolution, it means that some exit node you
>> used was configured to resolve DNS requests via the OpenDNS resolver.
>> They could also have been configured to use 4.2.2.2 or 208.201.224.11 or
>> something else. It's not a Tor Project choice, it's sysadmin for the
>> given exit node choice.
> 
> I was not aware of that; thank you for the correction.
> 
> Evidently it's a very common choice, at least. (It's evidenced also
> when using e.g. the default "enter search keywords as a pseudo-url"
> functionality - I always get OpenDNS' web search page while using
> torbutton.)

I think something is wrong there. You should show us which nodes are
doing this and we should fix them. We have code to detect DNS providers
that return lies. Perhaps you've created some corner case?

> 
>>> But that is definitely NOT adequate to prevent data leakage that's
>>> more than enough to practically compromise your anonymity.
>> Torbutton is important to protect against application level identification.
> 
> Which is why I recommended it! I was saying that *Tor* by itself is
> not adequate for this, which is why Torbutton supplements it with
> header scrubbing, browser configuration normalization, etc.

Ah. Gotcha.

> 
> I'm consistently distinguishing Tor from Torbutton (because we're
> talking about an AP that provides the functionality of the former but
> not the latter).

I'd personally never use it for web browsing without Torbutton. I've
actually been discussing this setup with Mike Perry (the author of
Torbutton) and he suggests simply configuring Torbutton without proxies
(leave the fields blank) and it should be ready to go.

> 
>>> Tor is no panacea; it just makes you look like you're coming from some
>>> random IP, and IPs are only one way to identify people. *
>> That's true. You have to define your threat model very clearly. However,
>> Tor doesn't "just make you look like you're coming from some random IP"
>> and to deride it as such is perhaps counter productive...
>>
>> It's used as a privacy tool, it's used to resist traffic analysis from
>> active monitoring, it's used to circumvent filtering, etc.
> 
> Sorry, I didn't mean to be derisive at all. Certainly it has all those
> excellent uses, and there are lots of different threat models to
> consider.
> 

Right on.

> I was speaking only from the perspective of a website operator, not
> other attacks.


Ah. Well, that's not the only place to consider.

> 
> And yes, Tor*button* protects against the browser history attack
> (which is excellent). *Tor* does not, which is why I was saying that
> an application level filter is mandatory if you want anonymity from
> websites.
> 

Sure.

>> How does it cover all of it? That's a doozy of a statement. Unless
>> you've got a kernel level filter, it's going to be _really_ hard to make
>> that statement true. Especially against motivated attackers!
> 
> IIRC, Proxifier installs something as root that does this. There might
> be some channels that leak, but I haven't found any. It's not an
> extension, it's a full app.
> 

I'd be curious to see how it works.

> It explicitly does not rely on any kind of system proxy settings or
> applications' respect thereof AFAICT. If it's turned on, everything is
> forced through the proxy - including command line tools, all apps,
> etc. - without any restart thereof.

It's possible that it's done with something like LD_PRELOAD or dynamic
function overloading on Mac OS X.

> 
> I don't know the details of its install mechanism though, so if you
> want to know *how* it works you should check
> http://www.proxifier.com/documentation.htm or contact the developer at
> support at proxifier.com.

It seems to be non-free software without source code. That's a shame.

> 
>>> And if you are signed in to something, then of course you already lost
>>> 'cause you're *telling them*. :-P
>> I disagree.
> 
> You disagree about a different scope though. "Lost" here, again, means
> with respect to the website in question. If they know who you are ...
> they know who you are. Duh.

No. They know who you claim to be for that stream, for that circuit, for
whatever value of you is you...

> 
> That doesn't mean you're less protected against various other attacks,
> like ones against your local computer's traffic.

Of course not.

> 
>> Browsers have lots of fingerprinting attributes. You cannot surf the web
>> anonymously and safely without Torbutton.
> 
> Which, again, is why I originally suggested that it's required, on top
> of just tor/privoxy. ;-)
> 

Tor and Torbutton should be fine. Privoxy and Polipo are only needed for
caching and dealing with The Great Firefox SOCKS Proxy Bug. If it wasn't
for that bug, Firefox would be reasonable and not lock up all the time.
You really wouldn't need the proxy at all if they'd just ship a fix for it.

Best,
Jake
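The thread mentions that exit nodes may forward DNS to resolvers that "return lies" (an NXDOMAIN-hijacking resolver sends a search page instead of a not-found error). As an added example, not code from this thread or from the Tor Project's own exit scanner, here is a minimal check a relay operator can run against a resolver: it sends a raw query for a name that cannot exist and flags the resolver if it answers with records instead of NXDOMAIN. The resolver address, the `example.com` base name and the random label are assumptions; nothing here runs through Tor.

```python
"""Detect a DNS resolver that hijacks NXDOMAIN (returns answers for bogus names)."""
import os
import socket
import struct

RCODE_NXDOMAIN = 3


def build_query(name: str, txid: int) -> bytes:
    """Build a single-question DNS query (type A, class IN) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_response(resp: bytes, txid: int) -> dict:
    """Return the RCODE and answer count from a raw DNS response header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")  # not a reply to our query
    return {"rcode": flags & 0x000F, "answers": an}


def classify(rcode: int, answers: int) -> str:
    """An honest resolver answers NXDOMAIN with no records for a nonexistent name."""
    if rcode == RCODE_NXDOMAIN and answers == 0:
        return "honest"
    if rcode == 0 and answers > 0:
        return "lying"  # resolver substituted its own records (NXDOMAIN hijack)
    return "unexpected"


def check_resolver(resolver_ip: str, timeout: float = 3.0) -> str:
    """Query the resolver for a random label that cannot exist (assumed base name)."""
    name = os.urandom(8).hex() + ".example.com"
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        resp, _ = sock.recvfrom(512)
    finally:
        sock.close()
    r = parse_response(resp, txid)
    return classify(r["rcode"], r["answers"])


if __name__ == "__main__":
    print(check_resolver("127.0.0.1"))  # assumed local resolver; replace as needed
```

Run `check_resolver()` against each resolver an exit node's /etc/resolv.conf points at; a "lying" verdict means clients will see a search page instead of a resolution error.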
