[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Torpark and security

As far as I can tell, the SSL stuff is wrapped in TLS before going over TOR, so no -- you wouldn't see the original IP (there are other ways, like with Javascript or flash, to get this information -- so hopefully you're running Firefox + NoScript + Flashblock at a minimum)

As for getting the logs, there aren't any (unless you turn on debugging) -- and firewall logs (et.al) can be configured to ignore the TOR server.

I am (for example) running syslog-ng on our firewall logs. My TOR server is, thus my syslog-ng filter entry for firewall stuff looks like this :

filter f_firewall { host(firewall) and not match("137\\.148\\.5\\.13\\ Accessed\\ URL") \
and not match("137\\.148\\.5\\.13\\/") and \
not match("Accessed\\ URL\\ 137\\.148\\.5\\.13"); };

Therefore, nothing from the TOR box gets logged anywhere (this also omits directory requests inbound to the TOR server). Argus is similarly configured via a BPF expression.

IMNAL, but I think that makes my traffic data pretty subponea-proof, since I can honestly say under oath that it dosen't exist (albeit intentionally). There's no law that says I can't selectively ignore something in the logs -- provided I haven't already been told to do it (eg: such a configuration AFTER receiving a subponea would be illegal).


Michael Holstein CISSP GCIA
Cleveland State University