Re: [tor-talk] Thoughts on proxy setup wrt insecure connections

On Mon, 28 Feb 2011 15:02:40 -0500
thecarp <thecarp@xxxxxxxxx> wrote:

> After the whole discussion about "gatereloaded" and "badexits" I was
> thinking a bit about the discussion and wondering if there is a way to
> add a bit more protection to people who are, well, newbs. As one article
> pointed out:
> "many who use Tor mistakenly believe it is an end-to-end encryption
> tool. As a result, they aren't taking the precautions they need to take
> to protect their web activity."
> This is a similar, but not exactly the same problem. Clearly blocking
> all port 80 would be pretty harmful to a lot of use. However, for
> protocols like pop3 or imap, the case for allowing them is clearly not
> as strong, though, the case for banning them completely or requiring
> exit nodes to carry both is... pretty dubious (especially given that
> some people will run things on non-standard ports anyway).

Connections to the plaintext POP3 and IMAP ports may be secured using
the STARTTLS command.

> So here is my thought, what do people think of a configuration item in
> tor, set up to be "on" by default, which blocks attempts to go to certain
> ports at the proxy level, but allows users to turn this "protection" off
> if they wish to? Maybe make the list of blocked ports configurable.

This enables attacks against users' anonymity -- for example, a web
page at <http://evil-site.example.com:80/> could include
<http://evil-site.example.com:110/foo.png> as an inline image to
distinguish users who have configured their Tor client to allow
connections to port 110 from those who have not.

Robert Ransom
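
The partitioning effect described in the reply above can be quantified. The following is an added example, not part of the original message and not Tor code; the population figures, the blocked-port list and the function names are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed population: (number of clients, ports the user re-enabled).
# Assumed default: the client-side proxy blocks every port in BLOCKED_BY_DEFAULT.
BLOCKED_BY_DEFAULT = (110, 143)           # plaintext POP3 and IMAP
POPULATION = [
    (9000, frozenset()),                  # left the default untouched
    (600, frozenset({110})),
    (300, frozenset({143})),
    (100, frozenset({110, 143})),
]
# Same number of clients, but the setting is not user-tunable.
UNIFORM = [(10000, frozenset())]


def observable_classes(population, probed_ports):
    """Group clients by which of the probed ports their proxy lets through.

    Clients in the same class look identical to a site that can see whether
    a request to each probed port arrived.
    """
    classes = Counter()
    for count, allowed in population:
        signature = tuple(port in allowed for port in probed_ports)
        classes[signature] += count
    return classes


def leaked_bits(classes):
    """Shannon entropy of the class distribution: bits learned per client."""
    total = sum(classes.values())
    return -sum(n / total * math.log2(n / total) for n in classes.values())


def smallest_class(classes):
    """Size of the anonymity set for the most exposed group of clients."""
    return min(classes.values())


if __name__ == "__main__":
    for name, pop in (("tunable", POPULATION), ("uniform", UNIFORM)):
        for probed in ((110,), BLOCKED_BY_DEFAULT):
            c = observable_classes(pop, probed)
            print(name, probed, dict(c),
                  f"{leaked_bits(c):.3f} bits", "min set", smallest_class(c))
```

With a uniform setting every client falls into one class and nothing is learned; each additional user-tunable port can at most double the number of distinguishable classes.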

tor-talk mailing list