[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Applications Recommended For Use With Tor +++ PROPOSAL, DRAFT +++



Hi all,

following up a discussion on #tor I made up a Wiki-article about the
abovementioned subject.

https://wiki.torproject.org/noreply/RecommendedSoftware

Abstract: To create a list of "Applications Recommended For Use With
Tor" [2]. Those applications must obey the rules of
1) using the proxy supplied
2) not leaking any information around the proxy

Disclaimer: This is work in progress. This is only meant for your
information. It's not a formal process, nor a written thing. I just put
it for discussion. It's up to you to define the rules.

Motivation: Tonight we were discussing if [1] is a reasonable thing or
not. I pointed out that Tor, as a layer-3 routing-software, can't solve
layer-4+ problems and that it should be up to "downstream-proxies" to
solve the "untrusted TCP-port"-problem.

However, several people disagreed with my opinion, pointing out that the
real problem are the applications using Tor, compromising the anonymity
of the user and the IP-address-obfuscation of the router.
The real thing would be solving all those problems directly in the
applications instead of sailing around the problems, using proxies and
the such.

Later, the point about Tor-safe and not-safe applications popped up -
thinking of DNS-leakage, unsafe browser plugins. Those problems were
reported before on this list about several products - related to several
versions of those individual applications - but except the archive of
this list this pieces of information _were never consolidated_. We just
have a bunch of warnings that a certain application $foo in version $bar
leaks DNS.

Goal: To create a list of "Applications Recommended For Use With Tor".
That'd give users a certain degree of confidence that the application
(s)he's using isn't leaking information to the world when using Tor.

I'd appreciate your comments and I'm awaiting your corrections on all
the articles in the Wiki. (free registration required).

The Wiki-article isn't linked to anywhere in the Wiki yet. That's on
purpose until we sorted our all the basic questions.
I'll be willing to set up a dedicated mailing-list for this subject,
unless we can have on elsewhere.

Cheers,
Alex.

[1]
https://www.torproject.org/svn/trunk/doc/spec/proposals/129-reject-plaintext-ports.txt
[2] Name made up by Nick. I like it, though I found it to be too bold.

Attachment: signature.asc
Description: OpenPGP digital signature