[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] corridor, a Tor traffic whitelisting gateway



>>> The problem is, anyone, including adversaries can run Tor
>>> relays.
> 
>> Interesting consideration. I'd prefer limiting the tor_routers
>> ipset to relays with a Guard flag, which would make an attack more
>> difficult to pull off.
> 
> Getting the guard flag isn't really difficult.

It won't make attacks much harder for malicious relays, yes. But keeping
unusual Tor traffic, like entry to a non-Guard, off the network may be
worthwhile for other reasons.

> It's an documented and automated process.

What is that process?

>> But a freshly installed Tor client will not necessarily fetch its
>> first consensus through a Guard, right?

> Some guards and directory mirrors are hardcoded in Tor.

I only see the directory authorities, what code bakes in guards and
directory mirrors? If you meant the authorities, how about limiting the
ipset to relays with a Guard *or* an Authority flag.

> Corridor's advantages:
> - streams from different workstations can never share a circuit

The more essential point is that client computers don't have to trust
the corridor gateway to provide anonymity. That's huge if you're
offering your internet connection to strangers: Their only choice if
they don't trust a *proxying* gateway would be to run Tor over Tor.

> Whonix's advantage:
> - malicious software on the workstation can not find out it's real
> external IP address

With a filtering gateway (corridor), a malicious software M on the
client computer can instantly and directly contact a colluding relay.

With a proxying gateway (Whonix), M can only do that when the gateway
uses that relay as a Guard, and M has to open a covert channel, e.g.
request/response timing.

Kudos to you for bringing this issue to light. I will document that
corridor cannot prevent well-orchestrated leaks, and that there is no
replacement for securing your client computer (which was never my
intention to imply).

> I am wondering, can we get both advantages using just one gateway?

If you also count the question of who to trust, yourself (the client) or
the gateway, then with just one gateway, no. Whoever you trust more is
who you want to build your circuits.

Still, you can put corridor between your Whonix box and your modem/
router (or directly on the latter if don't use clearnet at all) as a
simple fail safe mechanism:

$ wc -l corridor-*
  11 corridor-data-bridges
  60 corridor-data-consensus
  17 corridor-forward
  17 corridor-helper-update
 105 total

Rusty

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk