Re: TorPark (was Re: Win32.Trojan.Agent appear when close Torpark)

[Roger Dingledine <arma@xxxxxxx>]

On Mon, Nov 13, 2006 at 09:45:56AM -0600, Arrakistor wrote:
> Secondly,  I  doubt  you  will  ever  see  Torpark endorsed by the Tor
> developers,  but  not  for  a  lack  of  merit, security, open source,
> documentation,  or  licensing  compliance; which have all been phantom
> claims against it.

Hi Steve,

I'm about to run off to catch a flight, so I'll keep this brief.
In short, I still don't know what's in Torpark, and why. Here's what
would make me happier about it:

1) Tell us what's inside it. There are two steps to this:

First, document how to recreate the Torpark binary. If I took your NSI
file and the plugin you ship and put them together with an out-of-the-box
Firefox, would I end up with the same thing? I'm under the impression
that the answer is no. For example: you've hinted periodically that you
do things like turn off Javascript. At what stage in the build do you
make these changes? Is there a Firefox config file that you merge in,
and if so can you make that available too?

Second, document exactly what you change, and why. For example: if you
turn off Javascript, write that down, and write two sentences next to it
that say "This is because of fears that Javascript can reveal the user's
IP address. Alas, turning it off also breaks some websites." Exactly
which other config options are changed?

2) Tell us more about what resources Torpark accesses on the host
system. For example: does it use swap on the host hard drive? Does it
encrypt that swap? Does it add any lines to the registry, and if so which
ones? Does this vary by version of Windows? If there are resources that
it *doesn't* touch but people might think it does, mention those too
and provide some intuition for why it doesn't.

2') What Tor configuration do you use? Is your DataDirectory on the USB
key, or on the host system? What are the security, speed, convenience
(and durability of USB media) issues for each choice?

3) Tell us more about the plugin(s) you ship. What exactly do they do?
How are they configured?
For example: I seem to recall a line on the website saying that the "live
IP" plugin is configured to make a new connection through Tor once every
minute, forever? But I can't find that documented anywhere now. If it's
true, then Torpark is adding a huge amount of extra load to the network,
since every Torpark user will be building a new circuit every 10 minutes
whether they're at their computer or not.
Another example: is NoScript included? I don't see that anywhere in the
source, or the documentation, so I guess that it isn't, but in personal
mail you told me it is?

4) Explain the design choices for which plugins you included, what
configuration choices you made, etc. Explain the design choices for cases
where you decided *not* to use a given plugin, configuration change, etc.
For example, "we avoid the Frobnitzer plugin because it sends packets out
onto the local network." As another example, do you include or exclude
the Adobe PDF plugin, since it's rumored to ignore proxy settings?

Then I would like some security analysis and intuition. The great thing
here is that if you do the above steps, you're no longer the only one
in the position to do these next steps. Hopefully other people will step
up and help out:

5) Explain what security issues there are with a USB configuration of Tor,
and with the particular configuration and design choices that Torpark
has made. A lot of these are inherited from Tor (a distinctive network
signature, for example). Some might be new to Torpark (for example, if you
shipped a plugin that did a local DNS resolve of every destination people
type into Firefox, so it can display the IP address of the destination --
I'm not saying you ship this, but I honestly am not sure.)

In all of these steps, I don't expect everything to be perfectly secure.
Document what it is right now, and make notes about parts you're worried
about or parts that you'd like to fix more thoroughly. Once other people
know what is there currently, then we can help to make suggestions and
point out other worries and possible flaws.

Please don't send a long answer to or-talk with responses to each of
these paragraphs. Instead, write up a text file with the answers, and
link to it from the Torpark website, and include it in the source and
the Torpark package itself, and tell us about it. Then you can continue
to maintain and improve it as things change.

>  I will continue to develop
> it,  and  a new release is waiting in the wings, with some awesome new
> features  like auto-update and a broadband-speed anonymization network
> that  solves  the  trust  issue  of  multiple  exit nodes sniffing the
> traffic.

As another example, we haven't added an auto-update feature to Tor
yet because there are a huge pile of security issues that need closer
analysis: automatically installing software via Tor while retaining
security and anonymity, and not introducing new attacks (Auto-update
from where? With what key? How do you rotate it? Who controls it?),
is a heck of a problem.

I fear that if you simply announce the one-liner "now we have
auto-update" ... I'm going to be writing another of these mails. :)

Hope this helps,
--Roger