Re: Torpark and security

[Michael Holstein <michael.holstein@xxxxxxxxxxx>]

As far as I can tell, the SSL stuff is wrapped in TLS before going over 
TOR, so no -- you wouldn't see the original IP (there are other ways, 
like with Javascript or flash, to get this information -- so hopefully 
you're running Firefox + NoScript + Flashblock at a minimum)

As for getting the logs, there aren't any (unless you turn on debugging) 
-- and firewall logs (et.al) can be configured to ignore the TOR server.

I am (for example) running syslog-ng on our firewall logs. My TOR server 
is 137.148.5.13, thus my syslog-ng filter entry for firewall stuff looks 
like this :

filter f_firewall { host(firewall) and not match("137\\.148\\.5\\.13\\ 
Accessed\\ URL") \
        and not match("137\\.148\\.5\\.13\\/") and \
        not match("Accessed\\ URL\\ 137\\.148\\.5\\.13"); };

Therefore, nothing from the TOR box gets logged anywhere (this also 
omits directory requests inbound to the TOR server). Argus is similarly 
configured via a BPF expression.

IMNAL, but I think that makes my traffic data pretty subponea-proof, 
since I can honestly say under oath that it dosen't exist (albeit 
intentionally). There's no law that says I can't selectively ignore 
something in the logs -- provided I haven't already been told to do it 
(eg: such a configuration AFTER receiving a subponea would be illegal).

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University