
Re: Exit-node keeps .$mynode.exit in dns name



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank you for the information. I'll reconfigure Squid to strip some
headers off; that should help.

I'll also add some options to the transparent redirect so it only redirects
HTTP traffic. Squid saves a lot of bandwidth every month even though I
recreate the cache every time Squid is restarted.

Squid's cache and logs are encrypted with a random key (/dev/urandom)
using aes256. Every time Squid stops, the file containing the encrypted fs is
unmounted and cryptsetup deletes that device. A new encrypted loop device
is created when Squid starts. Also / and swap are encrypted; the only
partition that isn't is /boot. So Squid's cache and logs are contained in
an encrypted container that resides on an encrypted partition. Should be
pretty safe? I could not hand out keys to Squid's logs and cache even if
I wanted to, because the key is derived from /dev/urandom.

M


tup wrote:
> On 5/15/07, M <maillist@xxxxxxxxxxxx> wrote:
>> My problem is the following: I typed http://whitehouse.gov.$mynode.exit
>> (where
>> $mynode was my exit node's name) in the address bar, waited a moment and got
>> the following error message from the server running the transparent Squid proxy:
> 
> What's happening is that your Tor client strips the .$mynode.exit suffix
> before initiating a stream through an exit node. At the exit node, Tor
> resolves whitehouse.gov and tries to connect to it, but your packet filter
> redirects the connection to Squid. Squid then looks up the original
> destination address and ignores it, preferring to use the HTTP host header
> specifying whitehouse.gov.$mynode.exit.
> 
> If I understand correctly, Privoxy has an option to strip the
> .$mynode.exit suffix from host headers. This is something you'd want to
> do next to your Tor client.
> 
> This does raise the issue of exit nodes redirecting HTTP streams
> (and even non-HTTP port 80 traffic) through transparent caching proxies.
> If people know exit nodes are logging not only "connection" data, but also
> actual content of traffic they relay, exit nodes become a more valuable
> target for attackers.
> 
> Also, since HTTP proxies won't pass non-HTTP traffic (setting aside
> CONNECT, which is part of HTTP), it seems these exit nodes are lying in
> their exit policies. They claim to allow port 80, but non-HTTP streams on
> port 80 will fail unexpectedly.
> 
> tup
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGSs4n6fSN8IKlpYoRAuFfAJ9pEk89Uma6H5M3rL7U4tL5WY53yACcC9hq
PT1BwuknUKxpO2Qh1Z7uHEM=
=OZbd
-----END PGP SIGNATURE-----
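The failure discussed in this thread comes down to a Host header that still carries the `.$mynode.exit` suffix when it reaches a proxy that trusts the header over the real destination. The suffix is also a small information leak: it tells whoever reads the header that the request came through Tor and which exit relay the user chose. The following Python is an added example, not code from Privoxy, Squid or Tor, showing how a header-normalising filter (client-side or in front of an exit-side cache) could recognise Tor's `host.exitname.exit` notation and strip it before forwarding. The nickname and fingerprint patterns, the function names and the sample request are assumptions made for this illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumed shape of Tor's ".exit" notation: "<host>.<exitname>.exit" or just
# "<exitname>.exit", where <exitname> is a relay nickname (alphanumeric, up to
# 19 chars) or "$" followed by a 40-hex-digit fingerprint. These patterns are
# this example's assumptions, not Tor's own parser.
_NICKNAME = r"[A-Za-z0-9]{1,19}"
_FINGERPRINT = r"\$[0-9A-Fa-f]{40}"
_EXIT_RE = re.compile(
    rf"^(?:(?P<host>.+)\.)?(?P<node>{_NICKNAME}|{_FINGERPRINT})\.exit$",
    re.IGNORECASE,
)


class HostHeader(NamedTuple):
    host: Optional[str]  # name the origin server should see; None for bare "<exit>.exit"
    node: Optional[str]  # exit name that was leaking in the header, if any
    port: Optional[int]  # explicit port from "host:port", if any


def parse_host_header(value: str) -> HostHeader:
    """Split a Host header into host/port and detect a trailing .exit suffix."""
    value = value.strip()
    host_part, sep, port_part = value.rpartition(":")
    port = None
    if sep and port_part.isdigit():
        port = int(port_part)
    else:
        host_part = value  # no ":<digits>" tail, so the whole value is the host
    m = _EXIT_RE.match(host_part)
    if not m:
        return HostHeader(host_part, None, port)
    return HostHeader(m.group("host"), m.group("node"), port)


def sanitize_host_header(value: str) -> str:
    """Return the Host value to forward, with any .exit suffix removed."""
    parsed = parse_host_header(value)
    host = parsed.host if parsed.host is not None else ""
    if parsed.port is not None:
        return f"{host}:{parsed.port}"
    return host


def rewrite_request_head(head: bytes) -> bytes:
    """Rewrite the Host line of an HTTP/1.x request head (CRLF-separated)."""
    out = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            name, _, val = line.partition(b":")
            clean = sanitize_host_header(val.decode("ascii", "replace"))
            line = name + b": " + clean.encode("ascii")
        out.append(line)
    return b"\r\n".join(out)


# Constructed sample request, modelled on the one described in the thread.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: whitehouse.gov.mynode.exit\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(parse_host_header("whitehouse.gov.mynode.exit:8080"))
    print(rewrite_request_head(SAMPLE_REQUEST).decode())
```

Note that the notation is inherently ambiguous for hosts whose last label happens to look like a nickname (`example.com.exit` parses as host `example` on exit `com`), which is the same reading Tor itself would give it; the filter therefore only acts when the literal `.exit` label is present, and leaves ordinary Host values untouched.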