[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Torpark and security



On Sat, Feb 18, 2006 at 01:11:50PM -0800, nosnoops@xxxxxxxxxxx wrote:
> One thing is that some arp protocol is going between my 
> real IP-number and a similar IP-number (maybe the IP of 
> my ADSL ISP, doing some normal things). Below that, on 
> the loglist, is to be seen my real IP-number:port-number 
> doing tcp protocol with a different IP-number:port-number 
> (probably a Tor entry node). 

Yes, you need to talk to your local ISP to do DHCP, etc.
That doesn't sound bad to me.

> Another thing (and now the strange begins, I think) is 
> that when select a logged row of outgoings to examining 
> it in the detail frame on the log viewer´s bottom, then it 
> shows up that my network card´s MAC address is transmitted 
> out every time something going from my IP-number. Not only 
> with arp to ISP, but also in the tcp outgoings to the Tor 
> entry node.

Right. To communicate on your local network, you specify your origin. It
probably gets stripped by the intermediate networks before it gets to
the Tor entry node, but even if it doesn't, that doesn't matter. The
Tor entry node is allowed to know who you are -- it just doesn't know
where you're going.

> Next thing I´m concerned about is if maybe the Tor tunnel 
> effect also works as a "pipeline" for hackers or malware 
> attacks on the Tor exit node´s IP-number to be transmitted 
> all the way into my computer, bypassing my F-Secure firewall 

Yes, this is possible. If you visit a web page that does a buffer overflow
on your Firefox, then that would be bad. But this sort of attack can
still work despite your firewall. In the normal case, even without Tor,
you connect to the website and the page you get back could overflow
your Firefox and the "firewall" would be none the wiser, since from its
perspective you asked for a page and you got it.

Now, you have a point that the web page won't be arriving at your computer
in the clear so a program that is designed to sniff all your incoming
traffic won't be able to see it. I have no idea how your particular
program works. A common approach among security professionals is to run
secure software and not use an "internet packet firewall" at all -- we
don't believe that they work against real attacks, and we're not
vulnerable to trivial attacks.

>  What´s made me 
> concerned about this, are that almost now and then the 
> ADSL modem indicator lights flashing alot of time (more 
> than before) but not correlated to the firewall´s alert log 
> of blocked intrusion attempts, and even when the browser is 
> idle. Also some more hard drive rattling is to be heard than 
> before.

Tor fetches directory updates periodically, and caches them to your disk
so it will still have a copy in case you restart.

> Finally a couple of external concerns. Is there any possibility 
> that a hostile ISP who already decided to look special on some 
> particular users, may setup a kind of "simulated URL trap" that 
> make the user believe it is connecting to Tor (or whatever else 
> the user want to connect) and serve to the user an "image" of 
> the supposed Tor server or website? 

A hostile ISP cannot spoof a Tor server -- the Tor network uses strong
authentication to make sure you're talking to the Tor servers you wanted
to be talking to. But yes, he could spoof a web page:
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers

> One step further, on the Tor entry node, is there a possibility 
> that somebody running the entry node, make some mod´s to the 
> Tor entry node software in a way that allows separation of the 
> incoming secure connection from the outgoing for next Tor server 
> and there inserted a tapping af the data in unencrypted form, 
> some sort of MITM "insider" attack? 

We are pretty sure we made that impossible. The design certainly seems
bullet-proof in that regard. But Tor is still young software, so there
might be a bug somewhere.

http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#KeyManagement

> And of course the whole thing relays on how safe and uncrackable 
> the encrypting itself is. Some people maybe know how to decrypt 
> it, at least if they are in the right business. Just a guess. 

My thinking is that if people knew how to break the encryption algorithms
that Tor uses, they would first exploit banks and governments, and we'd
hear about it long before they got around to attacking Tor.

It is true that Tor uses moderately small (1024 bit) keys for some of
its public key operations -- we're trying to be fast, and public key
operations with huge keys are too slow currently. You can google for
a wide variety of allegedly expert opinions about the strength of 1024
bit RSA and EDH against well-funded attackers.

--Roger