[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: BlockNumericIPRequests patch (fwd)

To: or-dev@xxxxxxxxxxxxx
Subject: Re: BlockNumericIPRequests patch (fwd)
From: Roger Dingledine <arma@xxxxxxx>
Date: Sat, 18 Mar 2006 01:27:40 -0500
Delivered-to: archiver@seul.org
Delivered-to: or-dev-outgoing@seul.org
Delivered-to: or-dev@seul.org
Delivery-date: Sat, 18 Mar 2006 01:27:43 -0500
In-reply-to: <Pine.LNX.4.64.0603121956020.21674@pl2.zayda.com>
References: <Pine.LNX.4.64.0603102150140.17321@pl2.zayda.com> <20060312190834.GW15157@localhost.localdomain> <Pine.LNX.4.64.0603121956020.21674@pl2.zayda.com>
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx
User-agent: Mutt/1.5.9i

On Sun, Mar 12, 2006 at 10:16:41PM +0000, Jason Holt wrote:
> >First, we already have a TestSocks config option:
>
> Actually, is it even necessary now that it always warns about IP-only 
> connections?

TestSocks does something more than that -- it gives you a log message
when you are using a safe socks variant also. This is important because
of the third case -- you think you're using Tor safely but you're not
using Tor at all.

> >Second, even with your patch, an application using the wrong socks
> >version will do the DNS resolve, and then fail to work. So in a sense
> >it is broken in *both* respects now. Is this better behavior than before?
> 
> Certainly, it's a tradeoff which must be evaluated.  The fact that my 
> option doesn't catch the problem until the DNS lookup has already happened 
> is significant, and I've been thinking it should be documented.  The option 
> could also cause mysterious problems in applications that don't always do a 
> DNS lookup (bittorrent, perhaps?).

Not necessarily -- the warnings are for when you use socks4 or the wrong
variant of socks5, not for when an IP address is given to Tor rather
than a hostname. So it doesn't affect this if the application sometimes
resolves it and sometimes doesn't.

> OTOH, in most cases, users would 
> presumably not make their very first connection to a sensitive site after 
> installing a new app or changing a configuration.

True.

> And, of course, it could be a significant advantage to have proactive 
> rejection of potentially dangerous connections rather than leaving a log 
> entry which may go unnoticed.  Users are notoriously bad about auditing log 
> entries.

Also true.

I had originally thought to merge TestSocks and this new variable, so
we have for example a tristate "ignore", "warn", "reject", but TestSocks
is more than just "ignore or warn", as I describe above.

So I propose that we add a new config option SafeSocks that does as you
describe -- when set to 1, it refuses connections that are using the
unsafe variants of socks. It defaults to 0. Sound like what everybody
wants?

--Roger

References:
- BlockNumericIPRequests patch (fwd)
  - From: Jason Holt
- Re: BlockNumericIPRequests patch (fwd)
  - From: Roger Dingledine
- Re: BlockNumericIPRequests patch (fwd)
  - From: Jason Holt

Prev by Author: Re: BlockNumericIPRequests patch (fwd)
Next by Author: Policy for new Tor dirservers
Previous by thread: Re: BlockNumericIPRequests patch (fwd)
Next by thread: Policy for new Tor dirservers
Index(es):
- Author
- Thread