Re: [tor-talk] corridor, a Tor traffic whitelisting gateway
- To: Gavin Wahl <gavinwahl@xxxxxxxxx>, tor-talk@xxxxxxxxxxxxxxxxxxxx, Rusty Bird <rustybird@xxxxxxxxxxxxxxx>, "adrelanos@ri >> Patrick Schleizer" <adrelanos@xxxxxxxxxx>
- Subject: Re: [tor-talk] corridor, a Tor traffic whitelisting gateway
- From: Patrick Schleizer <patrick-mailinglists@xxxxxxxxxx>
- Date: Sat, 31 Jan 2015 17:50:42 +0000
- In-reply-to: <54CC1EF6.8010401@xxxxxxxxx>
- List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
- List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
- References: <54CC1EF6.8010401@xxxxxxxxx>
- Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
Gavin Wahl:
>> I think the topic Bridge Firewall is also related here:
>>
>> https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/BridgeFirewall
>>
>> (The topic didn't move there yet, but it's all very similar ideas
>> we're discussing here.)
>
> Isn't corridor exactly what that article is describing?

Corridor also supports connecting to normal Tor relays (not bridges) only.

> It seems like it's also vulnerable to the 'Severe issue' in the
> article -- a compromised tor host behind corridor can get its public
> IP address with the 'getinfo address' Tor control protocol command
> and deanonymize.

Quote
https://github.com/rustybird/corridor/#pitfalls

> corridor cannot prevent malware on a client computer from directly
> contacting a colluding relay to find out your clearnet IP address.
> The part of your client system that can open outside TCP connections
> must be in a trustworthy state! (Whonix and Qubes-TorVM are
> well-designed in this respect.) Discussion:
>
> https://lists.torproject.org/pipermail/tor-talk/2014-February/032153.html
> https://lists.torproject.org/pipermail/tor-talk/2014-February/032163.html

> Whonix includes this in its threat model -- you should be able to
> run arbitrary/compromised code behind the tor gateway and be safe.

Yes.

> Can corridor do anything about it?

I don't think so, but happy to be proven wrong.

You might be interested in this comparison, which includes corridor:
https://www.whonix.org/wiki/Comparison_with_Others

Full disclosure:
I am a maintainer of Whonix.

Cheers,
Patrick