[tor-talk] responsibility for enforcing secure Tor usage

[Isidor Zeuner <onions@xxxxxxxxxxx>]

Hi there,

I was thinking about possible improvements for how setups using Tor
enforce secure (privacy-concious) usage of Tor.

Consider for example torsocks. If I use torsocks in order to connect
to a Tor daemon, torsocks will prevent the application from doing DNS
queries. But if it didn't, the Tor circuits it initiated could be
considered as "tainted" because an attacker could correlate the DNS
traffic with the traffic coming from the exit node.

This is probably well-known, but what struck me is that it's
torsocks which does the important work here. Any client software which
has access to the Tor daemon would have the option to taint the Tor
daemon.

So, why not improve the security by using modern operating system
security mechanisms? Using granular capability-based access controls,
the operating system can prevent processes from accessing both Tor and
non-Tor sockets. Furthermore, communication between Tor-based and
non-Tor-based network clients can be restricted. Ideally, it should be
possible to create a system where only Tor and the access control
policy must be audited in order to be sure that attacks based on
correlating Tor and non-Tor connections cannot be applied.

I know that for many setups, this would mean additional effort on the
operating system layer, but the general interest in security is
becoming larger, so I could imagine that efforts like this can attract
some user and developer dedication.

Any comments are appreciated.

Best regards,

Isidor
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk