[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r13210: proposal from Kevin Bauer & Damon McCoy to reject vulnerable (tor/trunk/doc/spec/proposals)

To: or-cvs@xxxxxxxxxxxxx
Subject: [or-cvs] r13210: proposal from Kevin Bauer & Damon McCoy to reject vulnerable (tor/trunk/doc/spec/proposals)
From: arma@xxxxxxxx
Date: Mon, 21 Jan 2008 11:57:12 -0500 (EST)
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-cvs-outgoing@xxxxxxxx
Delivered-to: or-cvs@xxxxxxxx
Delivery-date: Mon, 21 Jan 2008 11:57:19 -0500
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-cvs@xxxxxxxxxxxxx

Author: arma
Date: 2008-01-21 11:57:12 -0500 (Mon, 21 Jan 2008)
New Revision: 13210

Added:
   tor/trunk/doc/spec/proposals/129-reject-plaintext-ports
Log:
proposal from Kevin Bauer & Damon McCoy to reject vulnerable-plaintext
ports (reformatted by me)


Added: tor/trunk/doc/spec/proposals/129-reject-plaintext-ports
===================================================================
--- tor/trunk/doc/spec/proposals/129-reject-plaintext-ports	                        (rev 0)
+++ tor/trunk/doc/spec/proposals/129-reject-plaintext-ports	2008-01-21 16:57:12 UTC (rev 13210)
@@ -0,0 +1,90 @@
+Below is a proposal to mitigate insecure protocol use over Tor.
+
+Title: Block Insecure Protocols by Default
+Author: Kevin Bauer & Damon McCoy
+Date: January 15, 2008
+
+Overview:
+
+  This document 1) demonstrates the extent to which insecure protocols are
+  currently used within the Tor network, and 2) proposes a simple solution
+  to prevent users from unknowingly using these insecure protocols. By
+  insecure, we consider protocols that explicitly leak sensitive user names
+  and/or passwords, such as POP, IMAP, Telnet, and FTP.
+
+Motivation:
+
+  As part of a general study of Tor use in 2006/2007 [1], we attempted to
+  understand what types of protocols are used over Tor. While we observed a
+  enormous volume of Web and Peer-to-peer traffic, we were surprised by the
+  number of insecure protocols that were used over Tor. For example, over an
+  8 day observation period, we observed the following number of connections
+  over insecure protocols:
+
+    POP and IMAP:10,326 connections
+    Telnet: 8,401 connections
+    FTP: 3,788 connections
+
+  Each of the above listed protocols exchange user name and password
+  information in plain-text. As an upper bound, we could have observed
+  22,515 user names and passwords. This observation echos the reports of
+  a Tor router logging and posting e-mail passwords in August 2007 [2]. The
+  response from the Tor community has been to further educate users
+  about the dangers of using insecure protocols over Tor. However, we
+  recently repeated our Tor usage study from last year and noticed that the
+  trend in insecure protocol use has not declined. Therefore, we propose that
+  additional steps be taken to protect naive Tor users from inadvertently
+  exposing their identities (and even passwords) over Tor.
+
+Security Implications:
+
+  None. This proposal is intended to improve Tor's security by limiting the
+  use of insecure protocols.
+
+Specification:
+
+  As an initial step towards mitigating the use of the above-mentioned
+  insecure protocols, we propose that the default ports for each respective
+  insecure service be blocked at the Tor client's socks proxy. These default
+  ports include:
+
+    23 - Telnet
+    109 - POP2
+    110 - POP3
+    143 - IMAP
+
+  Notice that FTP is not included in the proposed list of ports to block. This
+  is because FTP is often used anonymously, i.e., without any identifying
+  user name or password.
+
+  This blocking scheme can be implemented as a set of flags in the client's
+  torrc configuration file:
+
+    BlockInsecureProtocols 0|1
+    WarnInsecureProtocols 0|1
+
+  When the warning flag is activated, a message should be displayed to
+  the user similar to the message given when Tor's socks proxy is given an IP
+  address rather than resolving a host name.
+
+  We recommend that the default torrc configuration file block insecure
+  protocols and provide a warning to the user to explain the behavior.
+
+  Finally, there are many popular web pages that do not offer secure
+  login features, such as MySpace, and it would be prudent to provide
+  additional rules to Privoxy to attempt to protect users from unknowingly
+  submitting their login credentials in plain-text.
+
+Compatibility:
+
+  None, as the proposed changes are to be implemented in the client.
+
+References:
+
+  [1] Shining Light in Dark Places: A Study of Anonymous Network Usage.
+      University of Colorado Technical Report CU-CS-1032-07. August 2007.
+
+  [2] Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise.
+      http://www.wired.com/politics/security/news/2007/09/embassy_hacks.
+      Wired. September 10, 2007.
+


Property changes on: tor/trunk/doc/spec/proposals/129-reject-plaintext-ports
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id
Name: svn:eol-style
   + native

Prev by Author: [or-cvs] r13198: New config options WarnPlaintextPorts and RejectPlaintextPor (in tor/trunk: . doc/spec src/or)
Next by Author: [or-cvs] r13211: condense the rest of the discussion into proposal 129 (tor/trunk/doc/spec/proposals)
Previous by thread: [or-cvs] r13209: Create logfiles in logrotate so that they come into the worl (tor/trunk/debian)
Next by thread: [or-cvs] r13211: condense the rest of the discussion into proposal 129 (tor/trunk/doc/spec/proposals)
Index(es):
- Author
- Thread