Re: A Tor Web Service For Verifying Correct Browser Configuration



On Sun, Mar 16, 2008 at 08:25:47PM +0000, Robert Hogan wrote:

{For reference, this is now proposal 132.  See 
   http://www.torproject.org/svn/trunk/doc/spec/proposals/132-browser-check-tor-service.txt
}

> 
> Filename: xxx-browser-check-tor-service.txt
> Title: A Tor Web Service For Verifying Correct Browser Configuration
> Version: $Revision: 13955 $
> Last-Modified: $Date: 2008-03-16 18:51:55 +0000 (Sun, 16 Mar 2008) $
> Author: Robert Hogan
> Created: 2008-03-08
> Status: Draft


Hi, Robert!  I'd like to ask about a couple of alternative designs
that periodically come up for this problem, and ask about security
implications.

The two main alternative designs are:  
   - Use a remote "am I using Tor" page.

     This handles tests 2 and 3 pretty easily, and with a little
     effort can be made to do test 1.

   - Have a controller do it without modifying, or with minimal
     modifications to, the Tor client.

     Test 3 (net connectivity by Tor) is as easy as looking for
     whether Tor can build a circuit, I think.  For test 2 (is browser
     using Tor), just use a MAPADDRESS command to replace a randomly
     chosen unique ID hostname with (say) torproject.org.  For test 1
     (is browser using Tor for DNS), send the browser to request a
     random hostname, and then look in Tor's DNS cache to see whether
     Tor has a cached entry there.

     [There may be better ways to do these.]

The security implications as near as I can tell are:

    * It adds a way to tell if people are using Tor: when they test an
      instance of Tor that isn't configured properly, they'll leak
      pretty identifiable requests to one or two well-known addresses.

    * There are lots of attacks this doesn't solve, particularly
      browser-based ones.  We could solve this by having a link to a
      remote "am I using Tor right" page, I guess.

    * It adds another local resource that speaks HTTP; experience
      suggests that we should think about whether remote pages can use
      links or javascript to redirect users here in a way that will be
      useful to an adversary.

None of these seem really terrible to me at the moment, but we should
analyze them.


What do you think?
-- 
Nick
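
An offline sketch of the controller-based design Nick describes (an added example, not Nick's, Robert's or Tor's own code). The controller side issues real control-protocol commands (AUTHENTICATE, MAPADDRESS, GETINFO status/circuit-established, GETINFO address-mappings/cache) and parses their reply framing, but the port it talks to is a constructed stand-in that answers only those commands, and the browser is a two-line model. The probe domain, the 198.51.100.7 answer, the timestamp and the bare AUTHENTICATE are assumptions for the example; a real controller connects to the ControlPort over TCP and presents a cookie or password.

```python
import secrets

PROBE_DOMAIN = "browser-check.example.com"   # constructed; use a domain you control

# Constructed stand-in for Tor's control port (the real one listens on
# 127.0.0.1:9051).  It answers only the commands the checks below send, using
# the control protocol's reply framing: "250-" for a continuation line,
# "250+" for a multi-line value terminated by a lone ".", "250 OK" as the
# final line, and 5xx for errors.
class FakeTorControlPort:
    def __init__(self, circuit_established=True):
        self.authed = False
        self.circuit_established = circuit_established
        self.mappings = {}    # MAPADDRESS source -> target
        self.dns_cache = {}   # names Tor resolved on behalf of clients -> address

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        if verb == "AUTHENTICATE":
            self.authed = True              # real Tor checks a cookie or password here
            return ["250 OK"]
        if not self.authed:
            return ["514 Authentication required."]
        if verb == "MAPADDRESS":
            src, _, dst = arg.partition("=")
            self.mappings[src.lower()] = dst
            return [f"250 {src}={dst}"]
        if verb == "GETINFO" and arg == "status/circuit-established":
            return [f"250-{arg}={int(self.circuit_established)}", "250 OK"]
        if verb == "GETINFO" and arg == "address-mappings/cache":
            if not self.dns_cache:
                return [f"250-{arg}=", "250 OK"]
            rows = [f"{h} {ip} 2008-03-17 12:00:00" for h, ip in self.dns_cache.items()]
            return [f"250+{arg}="] + rows + [".", "250 OK"]
        return [f"552 Unrecognized command {verb}"]

# Constructed model of the browser under test.  With Tor configured, both name
# resolution and the connection go through the SOCKS port, so Tor applies
# MAPADDRESS and records the lookup in its cache.  Without it, the name goes
# to the system resolver instead: exactly the leak test 1 is meant to catch.
def make_browser(tor, uses_tor):
    def fetch(hostname):
        hostname = hostname.lower()
        if not uses_tor:
            return {"via": "system-dns", "reached": hostname}
        if hostname in tor.mappings:
            return {"via": "tor", "reached": tor.mappings[hostname]}
        tor.dns_cache[hostname] = "198.51.100.7"   # constructed TEST-NET-2 address
        return {"via": "tor", "reached": hostname}
    return fetch

class Controller:
    def __init__(self, port):
        self.port = port
        self._send("AUTHENTICATE")

    def _send(self, line):
        reply = self.port.command(line)
        if not reply[-1].startswith("250"):
            raise RuntimeError(f"{line!r} failed: {reply[-1]}")
        return reply

    def mapaddress(self, src, dst):
        self._send(f"MAPADDRESS {src}={dst}")

    def getinfo(self, key):
        # Value lines for KEY; handles "250-k=v" and "250+k=" ... "." replies.
        reply, values, i = self._send(f"GETINFO {key}"), [], 0
        while i < len(reply):
            line = reply[i]
            if line.startswith("250+"):
                i += 1
                while reply[i] != ".":
                    values.append(reply[i])
                    i += 1
            elif line.startswith("250-"):
                value = line[4:].partition("=")[2]
                if value:
                    values.append(value)
            i += 1
        return values

def fresh_probe_name():
    # 128 random bits: nobody else will ever ask for this name, so it can only
    # turn up where this check sent it.
    return f"{secrets.token_hex(16)}.{PROBE_DOMAIN}"

def check_tor_connectivity(ctl):            # test 3: can Tor build circuits?
    return ctl.getinfo("status/circuit-established") == ["1"]

def check_browser_uses_tor(ctl, fetch):     # test 2: did the mapping take effect?
    probe = fresh_probe_name()
    ctl.mapaddress(probe, "torproject.org")
    return fetch(probe)["reached"] == "torproject.org"

def check_browser_dns_via_tor(ctl, fetch):  # test 1: did Tor see the lookup?
    probe = fresh_probe_name()
    fetch(probe)
    return any(row.split(" ")[0] == probe for row in ctl.getinfo("address-mappings/cache"))

def run_all(uses_tor, circuit_established=True):
    tor = FakeTorControlPort(circuit_established)
    ctl = Controller(tor)
    fetch = make_browser(tor, uses_tor)
    return {"tor_connected": check_tor_connectivity(ctl),
            "browser_uses_tor": check_browser_uses_tor(ctl, fetch),
            "browser_dns_via_tor": check_browser_dns_via_tor(ctl, fetch)}

if __name__ == "__main__":
    print(run_all(uses_tor=True))
    print(run_all(uses_tor=False))
```

The misconfigured case (uses_tor=False) is also the one Nick's first security point describes: the random probe name leaves the machine through the system resolver, and because it is unique and sits under a domain that exists only for this check, anyone watching that DNS traffic learns that a Tor check was attempted.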