
Re: Fwd: Re: Library Defeats Tor



     On Fri, 28 Sep 2007 15:06:48 -0700 mark485anderson@xxxxxx wrote:

>On Fri, 28 Sep 2007 15:02:53 -0700, mark485anderson@xxxxxx said:
>> 
>> On Thu, 27 Sep 2007 21:20:42 -0500 (CDT), "Scott Bennett"
>> <bennett@xxxxxxxxxx> said:
>> >      On Thu, 27 Sep 2007 19:05:27 -0700 mark485anderson@xxxxxx wrote:
>> > 
>> > >On Thu, 27 Sep 2007 19:52:30 -0500 (CDT), "Scott Bennett"
>> > ><bennett@xxxxxxxxxx> said:
>> > >>      On Thu, 27 Sep 2007 20:35:58 -0400 Watson Ladd
>> > >>      <watsonbladd@xxxxxxxxx>
>> > >> wrote:
>> > >> >mark485anderson@xxxxxx wrote:
>> > >> >> Then after agreeing to the TOS, you are able to connect to tor servers,
>> > >> >> but all dns requests go through a library computer IP, such that they
>> > >> >> can see and record where you are going. I am not sure if they can see
>> > >> >> the TCP content, but the UDP (which I assume is the dns lookups) are all

     What does your firewall software or other tool at your disposal have to
say about the TCP packets from your browser?  Do they go to privoxy?  And
where does it say that packets from privoxy go?  To your tor client?  Somewhere
else?

>> > >> >> being monitored and probably logged by the library server through which
>> > >> >> you are connected. Firewall logs clearly show the outgoing and incoming
>> > >> >> DNS packets to the library IP. Rest of connections to Tor servers in the
>> > >> >> firewall log appear normal.

     Just to confirm:  your firewall log shows that the UDP packets in
question are destined to some IP address and port 53?

>> > >> >Make sure to run DNS queries over tor if anonymity is important.
>> > >> 
>> > >>      Absolutely.  Check your privoxy configuration file to make sure its
>> > >> first line is
>> > >> 
>> > >> forward-socks4a / localhost:9050 .
>> > >
>> > >already is
>> > >
>> >      Okay.  Good.
>> > >> 
>> > >> If you're using some other port than 9050, change that accordingly.  Other
>> > >> programs, e.g. PuTTY, will need to be configured, too, if you use them.
>> > >> In the case of PuTTY, each remote login site that you configure to be
>> > >> proxied through tor will need to be set to use socks5 and to do DNS name
>> > >> lookups at the proxy end (see "Proxy" under "Connection").
>> > >> 
>> > >> >>
>> > >> >> I have not run a sniffer yet on this, because my laptop is old and it
>> > >> >> might not be able to handle it. But tor anonymity is obviously shot when

     Your laptop, old though it may be, apparently has no trouble handling
wireless IP traffic, so I would bet that a sniffer storing, say, only UDP
packets to port 53 wouldn't overtax it.
>> > >> >> connecting to their wifi nodes. I believe I tried to block the DNS
>> > >> >> lookups to the Library IP with privoxy generic block rules and then I

     Because I don't know how that works in privoxy, I'll ask, does your
firewall allow you to block outbound UDP packets to port 53?  If so, what
happens if you block them that way instead of via privoxy?

>> > >> >Using socks-4a should fix this.
>> > >
>> > >already set to sock 4a
>> > >
>> > >> 
>> > >>      Right.  Or socks5, though privoxy doesn't yet appear to support that.
>> > >
>> > >did you just start using tor?
>> > >
>> >      About 2.5 years so far.
>> > >> 
>> > >> >> could not load any web pages, indicating again that the dns requests are
>> > >> >> first being routed to the library machine, where they are, of course,
>> > >> >> logged (and maybe sent off to the FBI, if you're reading muslim materials,
>> > >> >> haha).
>> > >> >Now are these DNS requests for sites you are browsing? It sounds like
>> > 
>> >      I think the question posed here may reveal the answer.
>> 
>> Already answered that I think, the dns requests APPEAR to be made each
>> time a new url is looked up and not in looking up tor servers, but I
>> will only know for certain when I run the sniffer, if that is possible
>> on my laptop.
>> 
     As long as your wireless interface (and its driver) can run in
promiscuous mode, a sniffer ought to work okay.  Some systems may well be
able to trap outbound packets without an actual sniffer.  On most/all UNIX
systems, you will need root privileges, too, to run tools like tcpdump(1).
>> 
>> > 
>> > >> >that is the case, but I just want to make sure.
>> > >> 
>> > >>      Most public wireless locations use no encryption at all.  In these
>> > >> situations, things like tor and SSH are about the only significant privacy
>> > >> protection most users have.
>> > >
>> > >no problem with tor and other wifi connections, dns goes to tor, hence
>> > >my OP title LIBRARY DEFEATS TOR
>> > >Tentative Conclusion: Tor cannot be used with any confidence on
>> > >publicly maintained machines, but there is no reference to this on the
>> > >tor website; nor any real illumination from this group, so far.  I
>> > >suppose now someone is going to tell me to disable javascript and

     Actually, that's probably worth a shot, given recent postings by the
author of Torbutton.  It's also trivial to do if you have the Quick Java
and/or NoScript plugins installed in firefox.

>> > >cookies, ;-) The encryption is SUPPOSED to occur at the client before it

     Cookies are just data.  They do not execute and therefore do not query
name servers, so I wouldn't think that would be worth bothering with.

>> > >even gets to any outside server, but obviously this is not happening as
>> > >the dns requests are being subverted. Perhaps the traffic is being
>> > >shuttled from the kernel OS to a library server. IOW tor should provide
>> > >the encryption necessary and no wifi encryption should be needed. I will
>> > >see if I can run a sniffer to find out exactly what's happening.
>> > >
>> >      Yes, and I think that may be why Watson asked the question I noted
>> > above.  Tor does its own name server queries for two purposes:  1) to
>> > provide exit service when running in server mode, 2) to look up addresses
>> > of other tor servers, regardless of mode.  These are normal operations
>> > and reveal only those activities.  When you are using it in a public
>> > location, I assume that it is running only as a client.  So that returns
>> > us to the question of exactly what kinds of addresses is tor looking up?
>> 
>> the laptop appears to be getting web site dns translations from a
>> library node rather than from tor, which allows tracking and profiling.
>> each time a new url is introduced I get a firewall dns request in the
>> log.
>> 
>> > Are they only the addresses of other tor servers?  Or do they also
>> > include the addresses of the web sites you're trying to reach?
>> >      Would you also please double check your browser configuration to
>> > make sure it is forwarding everything through privoxy?  If you're using
>> > a firefox plug-in module like Torbutton, switchproxy, or foxyproxy, have
>> > you accidentally disabled the proxy?
>> 
>> nope, don't use those, the browser is always set to go through privoxy.
>> will do some further testing and try to report back, but surprised not
>> more answers to this post. certainly others should have experienced this
>> problem.
>> 
     I guess that's the point:  we haven't experienced it, which is why
we've been asking questions to try to debug the problem.  Here are more.

	1) Are you using a Microslop operating system?  If so, which?
	And if not, then which operating system and version are you using?

	2) What is the firewall software that you have referred to several
	times?

	3) Which version of tor are you running?

	4) Which browser and version are you using?

	5) Under the assumption for the moment that your connection to the
	wireless attach point gets configured by DHCP, which IP address(es)
	got assigned to your system for its own address, for an IP gateway,
	and for name server(s) to be used?

     I keep having the feeling that what you think is happening differs from
what is actually happening and/or something misconfigured somehow is being
overlooked.  Please be patient with us.  We're trying to help figure out
what's going on, and you're the only one who can provide the observational
data that might lead to a solution.  If it seems like we are just grabbing
at straws so far, rest assured that we aren't there yet and can't get there
until we first have at least the basic facts of the case established.  ;-)
     Anyone else with pertinent questions, please join in!


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
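[Editor's added example, not part of the thread and not code from either poster or from the privoxy/tor projects.]  The checks the replies keep asking for (does anything to UDP port 53 leave the laptop, does the browser really reach privoxy and privoxy reach tor, does the privoxy forward line hand the hostname to tor rather than resolving it locally) can be scripted against a tcpdump summary.  The script below does that over a constructed capture, and also builds a SOCKS4 and a SOCKS4a CONNECT request side by side, which is the concrete difference behind "use socks4a": plain SOCKS4 can only carry an IPv4 address, so the client has to resolve the name first, and that resolution is the UDP/53 packet in the firewall log.  Assumed, because the page does not state them: privoxy on 127.0.0.1:8118, tor's SocksPort on 127.0.0.1:9050, and tcpdump's default one-line output format for the sample lines.

```python
"""Added example, not code from the thread or from the privoxy/tor projects.

Three checks the replies above ask the poster to make, in runnable form:
  1. scan a tcpdump-style capture summary for DNS queries that leave the
     machine (the "library defeats Tor" symptom),
  2. confirm the browser -> privoxy -> tor TCP chain is visible,
  3. flag privoxy forward lines that resolve names locally, and show the
     SOCKS4 vs SOCKS4a request difference that decides who resolves.

Assumptions (not stated on the page): privoxy listens on 127.0.0.1:8118,
tor's SocksPort is 127.0.0.1:9050, and the capture lines are constructed in
the default one-line format of 'tcpdump -n -i any' (tcpdump prints "Flags ["
for TCP segments and decodes DNS for port-53 UDP).
"""
import ipaddress
import re
import struct

PRIVOXY = ("127.0.0.1", 8118)   # assumed privoxy listen-address
TOR_SOCKS = ("127.0.0.1", 9050)  # assumed tor SocksPort

# Constructed sample capture: browser to privoxy, privoxy to tor, tor to a
# relay, then two name lookups sent straight to the library's resolver.
SAMPLE_CAPTURE = """\
15:06:48.000101 IP 127.0.0.1.49152 > 127.0.0.1.8118: Flags [S], seq 1, win 65535, length 0
15:06:48.000233 IP 127.0.0.1.49153 > 127.0.0.1.9050: Flags [S], seq 2, win 65535, length 0
15:06:48.000377 IP 10.20.30.40.41000 > 198.51.100.7.9001: Flags [S], seq 3, win 65535, length 0
15:06:48.000412 IP 10.20.30.40.53123 > 10.20.30.1.53: 1234+ A? www.example.com. (33)
15:06:48.000455 IP 10.20.30.40.53124 > 10.20.30.1.53: 1235+ AAAA? mail.example.net. (34)
15:06:48.000499 IP 10.20.30.1.53 > 10.20.30.40.53123: 1234 1/0/0 A 93.184.216.34 (49)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
QNAME_RE = re.compile(r"\b(?:A|AAAA|MX|TXT|PTR|CNAME|ANY)\? (?P<name>\S+?)\.? \(")


def parse_line(line):
    """Return the fields of one tcpdump summary line, or None if it is not IPv4."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    # Heuristic: tcpdump prints TCP flags for TCP; DNS over UDP is decoded instead.
    p["proto"] = "tcp" if p["rest"].startswith("Flags [") else "udp"
    q = QNAME_RE.search(p["rest"])
    p["qname"] = q.group("name") if q else None
    return p


def find_dns_leaks(capture):
    """(destination, queried name) for every lookup that leaves the box on port 53."""
    leaks = []
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None or p["dport"] != 53:
            continue
        if ipaddress.ip_address(p["dst"]).is_loopback:
            continue  # a local resolver; still worth checking where it forwards
        leaks.append((p["dst"], p["qname"]))
    return leaks


def proxy_chain_ok(capture):
    """True if both hops of browser -> privoxy -> tor appear as TCP connections."""
    to_privoxy = to_tor = False
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None or p["proto"] != "tcp":
            continue
        to_privoxy |= (p["dst"], p["dport"]) == PRIVOXY
        to_tor |= (p["dst"], p["dport"]) == TOR_SOCKS
    return to_privoxy and to_tor


def privoxy_forward_leaks(config_text):
    """Forward directives under which names get resolved before reaching tor.

    'forward-socks4' makes privoxy resolve the target itself; a plain
    'forward' sends the request to an HTTP proxy outside tor.  Only
    'forward-socks4a' (or socks5 with remote DNS) hands the hostname to tor.
    """
    return [s for s in (l.strip() for l in config_text.splitlines())
            if s.startswith(("forward-socks4 ", "forward "))]


def build_socks4a_connect(host, port, userid=b""):
    """SOCKS4a CONNECT: DSTIP 0.0.0.1 tells the proxy to resolve the trailing hostname."""
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + host.encode("idna") + b"\x00")


def build_socks4_connect(ip, port, userid=b""):
    """Plain SOCKS4 CONNECT carries only an IPv4 address, so the client resolves
    the name first, and that lookup is what shows up as UDP/53 on the wire."""
    return (struct.pack("!BBH4s", 4, 1, port, ipaddress.IPv4Address(ip).packed)
            + userid + b"\x00")


if __name__ == "__main__":
    for dst, name in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"DNS leak: {name} asked of {dst}")
    print("proxy chain visible:", proxy_chain_ok(SAMPLE_CAPTURE))
    print("socks4a request:", build_socks4a_connect("www.example.com", 80).hex())
```

On a real system the input would come from something like `tcpdump -n -l -i any 'port 53 or port 8118 or port 9050'` run as root, saved to a file; the constructed capture above flags the two lookups sent to 10.20.30.1 and reports the browser/privoxy/tor chain as present, which is the combination the poster describes.  Compare the two request builders: the SOCKS4a bytes contain "www.example.com" and a placeholder address of 0.0.0.1, while the SOCKS4 bytes contain only the packed IPv4 address, which the client can only know by asking a resolver first.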