Re: Security concerns/help me understand tor

To: or-talk@xxxxxxxxxxxxx

Subject: Re: Security concerns/help me understand tor

From: "Kyle Williams" <kyle.kwilliams@xxxxxxxxx>

Date: Thu, 8 Nov 2007 16:02:50 -0800

Delivered-to: archiver@xxxxxxxx

Delivered-to: or-talk-outgoing@xxxxxxxx

Delivered-to: or-talk@xxxxxxxx

Delivery-date: Thu, 08 Nov 2007 19:03:00 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; bh=xSO86vgNrL0yq41+Bkp84zAHeQZAF7qra9WNsTYizc0=; b=JEP5j00YHk6XHjydPSehp7pCk4iXjctnaEtnuagrj0jyqOI2jn77Tn2lBAEuPPt70xttLTkNg1gs8D3SWiHz6kpm7qSldo+3RL50qnGJ0ig5s8Zc8AeICJqF402JHbR4WCfBbpL3GjiLSPYllj+ov8yvl62t8jMsYSMTZ+DxfdQ=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=lYbrbQqJSIUvlEwBmTd7ExdCc3Z0KgkgWbyhdbcGzZVjbERDUOciIRedKSJSiHCYY+UY8IKQMO2BskafH23ageL+73AEmMs2eFKR2zA6/N/kw4YkeSJaDVdmxuhTUlIQTqrNc7fdLILTo2eo39WFoitBEC6A5AVvm4VJAZF05qg=

In-reply-to: <2b7cc8d10711081600obf2c3d3m9bbdded58930d3e2@xxxxxxxxxxxxxx>

References: <4732EFA7.2000108@xxxxxx> <843700.91678.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <21f144250711081529yf33a537lc3a3291ec8cd4d0d@xxxxxxxxxxxxxx> <2b7cc8d10711081600obf2c3d3m9bbdded58930d3e2@xxxxxxxxxxxxxx>

Reply-to: or-talk@xxxxxxxxxxxxx

Sender: owner-or-talk@xxxxxxxxxxxxx

On Nov 8, 2007 4:00 PM, Jefferson Iblis <fleshheap@xxxxxxxxx> wrote:

On Nov 8, 2007 11:29 PM, Kyle Williams <kyle.kwilliams@xxxxxxxxx> wrote:
>
>
> If you want to run a hidden server, such as a web site over a .onion
> address, then that's fine.
> If your router is disallowing people to access the admin webpage interface
> from the Internet, that's probably a good thing.
> But if running a Tor exit node opens up that admin webpage to the rest of
> the Tor network, that's not good. At that point, anyone could anonymously
> try and hack your router. God help you if they do get in, then your really
> in trouble.
>
> There is no point in redirecting that type of request, it needs to be
> rejected.
> ....Maybe replying with a "bad hacker, not root for you!" webpage would be
> funny though.
>

Seems the simplest solution would be to, by default, disallow Tor from
accessing the local network, including what it discovers to be its
externally accessible IP. Then anyone who wants to allow local access
can explicitly turn on whatever they think is appropriate.