[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: chaining JAP and Tor



I am aware of the security issues with JAP. As i understand it these issues are now behind it and it no longer has a backdoor - although at one time it did.

I am hoping to chain JAP and Tor - so that I have double protection. This belt and braces approach - if there are flaws in one (eg. a back door) then I still have the other one to look after me. My anonymity is not entirely in the hands of a single entity. Even Tor, with its naval research background, could be speculated to have back doors. Althouugh I dont believe such speculation. And I am sure there are people on here that have checked its source code and can confirm this.

With the set up suggested - have I got such double protection. Is the set-up valid? Are there any JAP users on here that would like to comment?
best wishes,
Ben



From: Exile In Paradise <exile@xxxxxxxxxxxxxxxxx>
Reply-To: or-talk@xxxxxxxxxxxxx
To: or-talk@xxxxxxxxxxxxx
Subject: Re: chaining JAP and Tor
Date: Thu, 21 Jul 2005 10:52:21 -0500
MIME-Version: 1.0
Received: from belegost.seul.org ([18.244.0.114]) by MC6-F24.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 21 Jul 2005 08:52:27 -0700
Received: by moria.seul.org (Postfix)id 4411A14081F3; Thu, 21 Jul 2005 11:52:24 -0400 (EDT)
Received: by moria.seul.org (Postfix, from userid 65534)id 41DB514081FB; Thu, 21 Jul 2005 11:52:24 -0400 (EDT)
Received: from host.helixhosting.com (unknown [207.44.172.113])by moria.seul.org (Postfix) with ESMTP id 12A7114081F3for <or-talk@xxxxxxxxxxxxx>; Thu, 21 Jul 2005 11:52:23 -0400 (EDT)
Received: from sulaco (cpe-68-206-246-43.houston.res.rr.com [68.206.246.43])by host.helixhosting.com (8.12.11/8.12.11) with ESMTP id j6LFwKPQ020629for <or-talk@xxxxxxxxxxxxx>; Thu, 21 Jul 2005 10:58:21 -0500
X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPtfpLB7P/ybN8=
Delivered-To: or-talk-outgoing@xxxxxxxx
X-Original-To: or-talk@xxxxxxxxxxxxx
Delivered-To: or-talk@xxxxxxxx
References: <BAY101-F16B20D5C07E57A71E6BE64B5D60@xxxxxxx>
Organization: Weylan-Yutani Corporation
X-Mailer: Evolution 2.2.2 (2.2.2-5) Precedence: list
X-To-Get-Off-This-List: mail majordomo@xxxxxxxx, body unsubscribe or-talk
Return-Path: owner-or-talk-outgoing@xxxxxxxx
X-OriginalArrivalTime: 21 Jul 2005 15:52:28.0400 (UTC) FILETIME=[32440F00:01C58E0C]


On Thu, 2005-07-21 at 15:25 +0000, Ben Clifford wrote:
> Here I outline a methodology for doing this and I would be very interested
> to hear back as to what people think of its validity. It requires you to
> have both JAP and Tor installed on your system. The JAP client is set up as
> to use the mix cascade system (ie. it is set as an HTTP proxy in your
> browser and NOT a Socks proxy).


AFAIK, JAP is totally compromised by at least the German gov't.
There are many long-running discussions in the Freenet/Frost forums
about JAP being compromised. Most Freenet users refuse to use it.

> In the configuration settings JAP has the option to use a proxy. In the JAP
> proxy tab enter Tor as a SOCKS proxy
> The data flow will then be as follows....
>
> 1) browser (http/https/ftp) points to JAP client
> 2) JAP client
> 3) data sent through ISP
> 4) data sent through Tor
> 5) data goes through JAP mix cascade
> 6) data arrives at target website


This configuration allows the people who compromised JAP to trace
all of your traffic, even into the TOR network. Even if the traffic
was encrypted before entering JAP, traffic analysis is possible.

> So, first your ISP IP is passed to Tor. Tor IP is then passed to JAP. JAP IP
> is then passed to target website.


The configuration above seems to imply your traffic is passed to JAP
first, making that the first/best point to compromise the entire
channel.

> Note that this arrangement does not address the DNS problem with Tor (see
> Tor documentation). For this we need to use an arrangement incorporating
> Privoxy.
> Here in the JAP proxy tab Privoxy is entered as an HTTP proxy, with Privoxy
> being configured to work with Tor (see Tor website for details on this).
>
> 1) browser (http/https/ftp) points to JAP client
> 2) JAP client
> 3) data sent through ISP
> 4) data sent through privoxy + Tor
> 5) data goes through JAP mix cascade
> 6) data arrives at target website
>
> To reiterate, would be so grateful if people could get back to me as to
> whether what is outlined here is correct.


Personally, IMHO, I would drop the JAP connections entirely, due to
the numerous complaints I have read on Freenet about how it has been
backdoored/compromised by elements of the German government, and
possibly others.

I personally have not examined the source (if available) and everything
I am reporting is purely hearsay. But, I thought it worth mentioning
so that you could do your own research about the possibility.
--
Exile In Paradise
A Thaum is the basic unit of magical strength.  It has been universally
established as the amount of magic needed to create one small white pigeon
or three normal sized billiard balls.
                -- Terry Pratchett, "The Light Fantastic"