
Re: Security concerns/help me understand tor



--- Kyle Williams <kyle.kwilliams@xxxxxxxxx> wrote:
> On Nov 8, 2007 8:53 AM, Martin Fick
> > On Wed, Nov 07, 2007 at 08:20:37AM -0800, Martin
> > Fick wrote:
> > > My home router offers an http administration
> > > console on port 80 which for obvious security
> > > reasons is normally only accessible from the
> > > internal facing side of the router.  While
> > > many of these home routers typically have an
> > > internal private IP such as 192.168.1.1 and
> > > an external public IP, they sometimes respond
> > > to both IPs from the inside and sometimes they
> > > even allow access to the administration console
> > > on the external IP if it is accessed from the
> > > internal side of the router (mine does).  This
> > > would not normally be a problem, but add a tor
> > > exit server to the inside of a home network
> > > serviced by such a router and ...you can
> > > probably guess where I am going with this.

...
> > --- Ruben Garcia <ruben@xxxxxx> wrote:
> > > Perhaps it might be possible to tell tor about
> > > the router's nat policy so that if the router is
> > > supposed to port forward the external request
> > > to <ipA>:<portA>, tor does it itself.
> > > That way, the problematic
> > >
> > > host->tor->tor->your host tor->router->your host web
> > >
> > > can become
> > >
> > > host->tor->tor->your host tor->your host web
> > >
> > > (This requires some changes to the torrc and tor
> > > source, so I'd like to add it to the feature
> > > request list in case somebody has free time)
> >
> 
> That would be a hidden service.  Tor already does
> that.
> What we are talking about is secure defaults for
> exit nodes.

No, I think you may have misunderstood the
suggestion, I had to read it twice too.  :)

Perhaps I can try illustrating this better.

To start with we have website W hosted on internal
private IP P (192.168.1.2) forwarded to the world 
by a NATting router with internal IP GW (192.168.1.1)
at external IP E.  Anyone on the outside can (and is
supposed to be able to!) get to web site W by
accessing E, not P, with or without tor.

1) Site (W)  [P]<--- NAT [E]<---- Internet (anyone)

But with or without tor no-one can actually get to
W from the intranet, I, on external IP E since the
router intercepts that IP, E, and presents its 
admin console A on E.

So, instead of seeing this:

2) Client     [I]--->[E]  Router   
    Site  (W) [P]<---     Router

intranet clients get:

3) Client     [I]--->[E]  Router Admin Console (A)


Now, add an internal tor exit relay on the inside 
of the firewall trying to legitimately get to W on 
E (similar to 1):

4)       Tor  <---    Router <---- Internet(anyone)
         Tor  --->[E] Router   
 Site (W) [P] <---    Router

Note: they are not trying to illegitimately access 
W at P, but at legitimate E!  Instead they end 
up more like (3):

5)       Tor <---     Router <---- Internet (anyone)
         Tor  --->[E] Router Admin console (A)

The suggested fix, instead of simply barring
E in the exit policy (since it is a legitimate
endpoint), is to spoof E with P internally to tor!

6) Tor <------------- Router <---- Internet (anyone)
   Tor --->[P] Site (W)

Yes, this is somewhat similar to a hidden service
because we are accessing a web site, W, on the
inside of the intranet, but that site is supposed
to be accessed from the outside; we are simply
bypassing the obstructed trip to the internal
router hoping to just be NATted and bounced
back to P (4).  The original scenario (4), which is
impossible because of (5), would have done the
same thing as (6), just by a different route!

Does that make more sense and sound 
reasonable?

-Martin
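
The routing in diagrams (5) and (6), modelled as an added example that is not part of the original message and is not Tor's code or torrc syntax. The address used for E (203.0.113.10, a documentation range), the FORWARDS table, the rule format and the function names are all assumptions made for illustration.

```python
import ipaddress

# Constructed addresses for the scenario in the message.
E = ipaddress.ip_address("203.0.113.10")   # router's external IP (assumed value)
GW = ipaddress.ip_address("192.168.1.1")   # router's internal IP, admin console A
P = ipaddress.ip_address("192.168.1.2")    # internal host serving site W

# Hypothetical copy of the router's port-forwarding table given to the relay.
FORWARDS = {(E, 80): (P, 80)}


def policy_allows(policy, addr, port):
    """First matching rule wins; a rule is (action, network, port or None for any)."""
    for action, net, rule_port in policy:
        if addr in ipaddress.ip_network(net) and rule_port in (None, port):
            return action == "accept"
    return False  # assumption: no matching rule means reject


def resolve_exit(policy, addr, port, forwards=None):
    """Return the (ip, port) the relay would connect to, or None if refused."""
    addr = ipaddress.ip_address(addr)
    if not policy_allows(policy, addr, port):
        return None
    if forwards is None:
        return (addr, port)  # no NAT knowledge: connect to exactly what was asked
    if addr == E:
        # Suggested fix: apply the forward locally. A port on E with no forward
        # is refused, since from the inside it would land on the router itself.
        return forwards.get((addr, port))
    return (addr, port)


REJECT_PRIVATE = [("reject", "192.168.0.0/16", None), ("reject", "10.0.0.0/8", None)]
ACCEPT_REST = [("accept", "0.0.0.0/0", None)]
OPEN_POLICY = REJECT_PRIVATE + ACCEPT_REST
BAR_E_POLICY = REJECT_PRIVATE + [("reject", "203.0.113.10/32", None)] + ACCEPT_REST
```

With OPEN_POLICY and no forward table the relay connects to E:80, which from inside the network is case (5); BAR_E_POLICY closes that path but also makes W unreachable through this relay, while passing FORWARDS gives case (6).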

