
Re: Applications Recommended For Use With Tor +++ PROPOSAL, DRAFT +++



Hello Alex,

I have been working on the security in regards to Tor for a couple of years now, and I'm very pleased to hear that someone else is taking interest in putting together a list of acceptable applications.  I have to agree that the biggest threat to one's anonymity is going to be a bug/vulnerability in a layer 7 application that gets leveraged into tricking the application into no longer using the proxy, or into using some other type of side-channel feature/application which wasn't designed with Tor in mind.

I've already logged into the Wiki and updated the Test Procedures section.
Seeing as I've found lots of IP disclosure vulnerabilities in the past (and future?), I for one would be more than happy to help with this.

One application that should never show up on this list is Internet Explorer.  I've got two 0-days right now for IE, and they would totally compromise your anonymity and security.  Don't worry, they've been reported through 3Com's ZDI program and I'm waiting to see the fixes come out (who knows when).
If you use Tor, DO NOT USE INTERNET EXPLORER!

Let the bug hunting continue!!  w00t!

- Kyle



On Tue, May 20, 2008 at 3:05 PM, Alexander W. Janssen <alexander.janssen@xxxxxxxxx> wrote:
Hi all,

following up a discussion on #tor I made up a Wiki-article about the
above-mentioned subject.

https://wiki.torproject.org/noreply/RecommendedSoftware

Abstract: To create a list of "Applications Recommended For Use With
Tor" [2]. Those applications must obey the rules of
1) using the proxy supplied
2) not leaking any information around the proxy

Disclaimer: This is work in progress. This is only meant for your
information. It's not a formal process, nor a written thing. I just put
it for discussion. It's up to you to define the rules.

Motivation: Tonight we were discussing if [1] is a reasonable thing or
not. I pointed out that Tor, as a layer-3 routing-software, can't solve
layer-4+ problems and that it should be up to "downstream-proxies" to
solve the "untrusted TCP-port"-problem.

However, several people disagreed with my opinion, pointing out that the
real problem is the applications using Tor, compromising the anonymity
of the user and the IP-address-obfuscation of the router.
The real thing would be solving all those problems directly in the
applications instead of sailing around the problems, using proxies and
the like.

Later, the point about Tor-safe and not-safe applications popped up -
thinking of DNS-leakage, unsafe browser plugins. Those problems were
reported before on this list about several products - related to several
versions of those individual applications - but except for the archive of
this list these pieces of information _were never consolidated_. We just
have a bunch of warnings that a certain application $foo in version $bar
leaks DNS.

Goal: To create a list of "Applications Recommended For Use With Tor".
That'd give users a certain degree of confidence that the application
(s)he's using isn't leaking information to the world when using Tor.

I'd appreciate your comments and I'm awaiting your corrections on all
the articles in the Wiki. (free registration required).

The Wiki-article isn't linked to anywhere in the Wiki yet. That's on
purpose until we've sorted out all the basic questions.
I'll be willing to set up a dedicated mailing-list for this subject,
unless we can have one elsewhere.

Cheers,
Alex.

[1]
https://www.torproject.org/svn/trunk/doc/spec/proposals/129-reject-plaintext-ports.txt
[2] Name made up by Nick. I like it, though I found it to be too bold.
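The two rules Alex lists (use the supplied proxy, leak nothing around it) and the "$foo in version $bar leaks DNS" warnings he wants consolidated come down to one concrete question at the SOCKS layer: does the application hand the proxy a hostname, or does it resolve the name itself and hand over only an IP address? In the second case the DNS query has already gone out over the local resolver, outside Tor, before the proxied TCP connection is even opened. The following Python is an added example, not code from the thread, the wiki, or the Tor project: it builds both request shapes for SOCKS5 and classifies a captured SOCKS4/4a/5 CONNECT request the way a test procedure could, with the sample requests and the `192.0.2.10` address constructed inline for illustration.

```python
"""Added example: the 'proxy resolves the name' versus 'client resolves the
name' distinction behind most DNS leaks, plus a classifier for captured
SOCKS CONNECT requests.  Not code from the thread or from the Tor project."""
import socket
import struct

# SOCKS5 address-type byte -> how the destination is named (RFC 1928)
SOCKS5_ATYP = {0x01: "ipv4", 0x03: "hostname", 0x04: "ipv6"}


def socks5_connect(host: str, port: int) -> bytes:
    """Tor-safe pattern: put the hostname itself (ATYP 0x03) in the CONNECT
    request so the proxy, not the local resolver, turns it into an address."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must fit in one byte")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3, LEN, NAME, DST.PORT
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def socks5_connect_leaky(host: str, port: int, resolve=socket.gethostbyname) -> bytes:
    """Leaky pattern: resolve locally first (a plain DNS query that never touches
    the proxy), then send the proxy only the resulting address (ATYP 0x01).
    `resolve` is injectable so the example can run offline."""
    ip = resolve(host)
    return b"\x05\x01\x00\x01" + socket.inet_aton(ip) + struct.pack("!H", port)


def classify_socks_connect(req: bytes) -> str:
    """Classify a captured SOCKS CONNECT request by how it names the destination.
    Returns 'hostname' (proxy resolves), 'ipv4' / 'ipv6' (client resolved it
    itself, so a DNS query went around the proxy) or 'unknown'."""
    if len(req) < 2:
        return "unknown"
    ver, cmd = req[0], req[1]
    if ver == 0x05 and cmd == 0x01 and len(req) >= 4:
        return SOCKS5_ATYP.get(req[3], "unknown")
    if ver == 0x04 and cmd == 0x01 and len(req) >= 8:
        # SOCKS4 layout: VN, CD, DSTPORT(2), DSTIP(4), USERID, NUL.
        # SOCKS4a signals "hostname follows the userid" with the invalid
        # address 0.0.0.x (x != 0); a real address means the client resolved it.
        ip = req[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            return "hostname"
        return "ipv4"
    return "unknown"


def leaks_dns(req: bytes) -> bool:
    """True when the request shows the client resolved the name itself."""
    return classify_socks_connect(req) in ("ipv4", "ipv6")


if __name__ == "__main__":
    # Constructed sample: the same destination, once per pattern.
    safe = socks5_connect("example.com", 80)
    leaky = socks5_connect_leaky("example.com", 80, resolve=lambda h: "192.0.2.10")
    for label, req in (("hostname in request", safe), ("pre-resolved address", leaky)):
        print(f"{label}: {req.hex()} -> {classify_socks_connect(req)}, leak={leaks_dns(req)}")
```

In a test setup, the classifier is meant to run over the CONNECT requests captured between the application under test and the local SOCKS port; an application that only ever emits `hostname` requests satisfies rule 2 at this layer, while any `ipv4`/`ipv6` request is the signature to record against "$foo in version $bar". It covers SOCKS4, SOCKS4a and SOCKS5 rather than only one of them, since applications of that era offered all three.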