Re: How are hackers breaking Tor and trojan users?

On Tue, Jun 10, 2008 at 11:10:04PM -0500, Arrakis wrote:
> Exactly. This is hopefully going to make tor stronger and raise
> awareness about proper implementation regarding the OSI model.
> Unfortunately it pushes most tor-related software into security
> obsolescence, including one of our own, through the revelation
> that you are fighting a losing battle.

Well. What an exciting thread. I think I'll put a few more cents in.

I really do appreciate the push that you and Kyle have been making
towards shipping a Tor configuration that uses a transparent proxying
approach. Right now there are straightforward and simple solutions for
Linux and BSD, and all it takes is some iptables rules:
https://wiki.torproject.org/noreply/TheOnionRouter/TransparentProxy
but unfortunately there aren't yet any solutions that simple for Windows.
(And in fact if we wanted to make a simple bundle for Linux and BSD
end-users, it becomes complex again since you need some sort of interface
for adding those iptables rules, taking them out again, etc.)

All of the Windows transparent proxying approaches I've seen so far come
with a huge VM blob (plus the requirement of a huge opaque VM player),
so while it would be great to offer it as one download option, it can't
be our only option: there will always be folks with few resources for
whom it isn't suitable. Down the road I would like to see Windows Tor
bundles that do transparent proxying with lower overhead and using only
free software, maybe even without the VM approach at all. I bet we're
heading there, and I look forward to it.

But the real problem here comes down to the lack of design documentation
or security analysis on the current Windows transparent proxying
options. Nobody knows what's in them really, nobody knows how to
reproduce them so they can confirm what's in them, nobody knows how
they're *supposed* to work so they can't verify that, there's no place
to go to read a good analysis of the tradeoffs, etc. In that respect,
we're still in the same place we were a year ago, when I wrote my previous
mail on this topic:

http://archives.seul.org/or/talk/Jul-2007/msg00243.html

I look forward to the day when we have clear and thorough design docs
and security analyses for the VM-based approach to a Tor bundle. At
this point I'm assuming we will have to do it ourselves, though. It's on
our todo list, and we're getting there (we'd love to have some help!),
but we're still tackling a lot of more fundamental issues like how to
make Tor not screw up your anonymity even when you do use it right.

In the meantime we have been making progress at some related
approaches. In particular, several people have brought up Mike Perry's
fine new version of Torbutton:
https://torbutton.torproject.org/dev/
that *does* have some good analysis:
http://torbutton.torproject.org/dev/design/

I agree with you that it's not perfect in all cases, but I'll take
a pretty good tool whose security properties I understand over an
undocumented miracle tool any day.

We really do need to get the Tor 0.2.0.x branch stabilized so we can get
rid of the current "stable" Tor bundles -- they still ship with the old
vanilla Torbutton, which requires users to read and understand all the
warnings on the download page:
https://www.torproject.org/download.html.en#Warning
and even then I suspect you're right that various Firefox bugs can be
turned against them.

> Those days are over, as soon
> as you realize you can stop the effects of 0-days altogether.

Just so we're all clear here, I believe Steve is referring to browser
vulnerabilities that can force your browser to bypass its proxy
configuration and skip over Tor entirely. Attacks like this do pop
up periodically; I am stunned at how many bugs there are in Firefox,
and IE is even worse.

He may also be referring to attacks where a local application (like the
browser, but it doesn't have to be) can be tricked into connecting to
your local Tor control port, like Kyle's attack from last year:
http://archives.seul.org/or/announce/Sep-2007/msg00000.html
This was a great attack, but I think the latest versions of Torbutton
and Vidalia make it a non-issue going forward. I would love to hear if
you think otherwise.

But we have to also remember that the broader class of 0-day software
vulnerabilities also includes ways to exploit your browser to compromise
your computer, run programs on it, steal all your data, etc. And I think
we all agree that end-to-end application vulnerabilities aren't going
to get resolved just by sticking your Tor in a VM.

> So which software/combinations does this issue affect? Pretty
> much all of them. What would I suggest to do to keep from getting
> punked out? Use janusvm or xb machine to access tor. And this
> software will also keep you safe from that theoretical
> vulnerability the other dc talk is supposed to be about.

Actually, no, I think that's false. I've been chatting with Christian
Grothoff, one of the speakers for that talk, and the attack he's working
on should work just as well against any of the various ways to package
Tor. He has promised to keep us in the loop and help us fix the problem
before his talk. I have to say I prefer that approach to threatening to
"drop zero-days" on us.

--Roger
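The mail above says a Linux/BSD transparent proxy is "just some iptables rules" and that the weak point of the packaged solutions is that nobody can verify what they actually do. The script below is an added example, not code from this thread or from the Tor project's wiki page: it audits an iptables-save dump for the properties a Tor transparent-proxy ruleset needs in order not to leak (Tor's own traffic exempted before any REDIRECT, new TCP connections sent to TransPort, UDP DNS sent to DNSPort, and a final REJECT so anything the nat rules miss cannot reach the network). TransPort and DNSPort are real torrc options; the uid 109, the port numbers and both rule dumps are constructed assumptions, and the "leaky" dump is the kind of partial ruleset the check is meant to flag.

```python
"""Audit an iptables-save dump for a Tor transparent-proxy setup.

Added example, not from the or-talk thread or the Tor wiki.  Assumes the
layout the wiki page describes: Tor runs as its own user and listens on
TransPort (TCP) and DNSPort (UDP).  All concrete values below are assumed.
"""
import re

TOR_UID = 109        # assumed uid of the dedicated tor user
TRANS_PORT = 9040    # assumed torrc TransPort
DNS_PORT = 53        # assumed torrc DNSPort

# Constructed dump of a complete ruleset (nat + filter OUTPUT chains).
GOOD_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 109 -j RETURN
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 109 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT
COMMIT
"""

# Constructed dump of a partial ruleset: no DNS redirect, no final REJECT.
LEAKY_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 109 -j RETURN
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 109 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def parse_output_chains(dump):
    """Return {table: [rule, ...]} for the rules appended to each table's
    OUTPUT chain, in order, with the leading '-A OUTPUT ' stripped."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif current is not None and line.startswith("-A OUTPUT "):
            tables[current].append(line[len("-A OUTPUT "):])
    return tables


def _uid_of(rule):
    m = re.search(r"--uid-owner (\d+)", rule)
    return int(m.group(1)) if m else None


def _redirect_port(rule):
    m = re.search(r"-j REDIRECT --to-ports (\d+)", rule)
    return int(m.group(1)) if m else None


def _is_syn_match(rule):
    # Accept both the typed form (--syn) and iptables-save's expanded form.
    return "-p tcp" in rule and (
        "--syn" in rule or "--tcp-flags FIN,SYN,RST,ACK SYN" in rule)


def audit(dump, tor_uid=TOR_UID, trans_port=TRANS_PORT, dns_port=DNS_PORT):
    """Return a list of findings; an empty list means the dump has every
    property the transparent proxy needs."""
    findings = []
    tables = parse_output_chains(dump)
    nat, filt = tables.get("nat", []), tables.get("filter", [])

    # 1. Tor's own sockets must escape the nat chain, and the exemption has
    #    to precede the redirects or Tor would be looped back into itself.
    exempt = [i for i, r in enumerate(nat)
              if _uid_of(r) == tor_uid and "-j RETURN" in r]
    redirects = [i for i, r in enumerate(nat) if _redirect_port(r) is not None]
    if not exempt:
        findings.append("nat: no RETURN for tor uid %d" % tor_uid)
    elif redirects and exempt[0] > redirects[0]:
        findings.append("nat: tor uid exemption comes after a REDIRECT")

    # 2. New TCP connections go to TransPort.
    if not any(_is_syn_match(r) and _redirect_port(r) == trans_port for r in nat):
        findings.append("nat: TCP SYNs not redirected to TransPort %d" % trans_port)

    # 3. DNS goes to DNSPort; otherwise resolver queries leave in the clear.
    if not any("-p udp" in r and "--dport 53" in r
               and _redirect_port(r) == dns_port for r in nat):
        findings.append("nat: UDP 53 not redirected to DNSPort %d" % dns_port)

    # 4. filter: Tor may talk out, and the chain ends in an unconditional
    #    REJECT/DROP so anything the nat rules did not catch cannot leak.
    if not any(_uid_of(r) == tor_uid and "-j ACCEPT" in r for r in filt):
        findings.append("filter: tor uid %d not allowed out" % tor_uid)
    if not filt or not (filt[-1].startswith("-j REJECT")
                        or filt[-1].startswith("-j DROP")):
        findings.append("filter: OUTPUT does not end in REJECT/DROP")
    return findings


if __name__ == "__main__":
    for name, dump in (("good", GOOD_RULES), ("leaky", LEAKY_RULES)):
        print(name, audit(dump) or "OK")
```

On a real host the dump would come from `iptables-save`; feeding that into `audit()` turns the wiki's rules from something you type once into something you can re-check after every reboot or package upgrade.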