Re: Tor and DNS attacks
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Tor and DNS attacks
- From: "John Brooks" <aspecialj@xxxxxxxxx>
- Date: Thu, 13 Nov 2008 18:09:52 -0700
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Thu, 13 Nov 2008 20:09:57 -0500
- In-reply-to: <392B5BB9-D894-41EC-BAE2-51A78844D018@xxxxxxxxxxx>
- References: <392B5BB9-D894-41EC-BAE2-51A78844D018@xxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx

Yes, tor ships with the keys for the main authorities - so long as
your tor distribution is verified, those keys are correct and you will
verify the authorities (which are the most important part). Beyond
that, the consensus system works to verify every other key by checking
that a majority of sources will return the same answer (i.e. the same
descriptor for a node).

That said, cache poisoning is still an issue for relayed
communications and all sorts of other things on the machine (including
getting the tor binaries themselves... this is what gpg is for :P), so
I agree that it is very important for operators to ensure that they
are protected against these attacks.

- John Brooks

On Thu, Nov 13, 2008 at 12:37 PM, Sven Anderson <sven@xxxxxxxxxxx> wrote:
> Hi,
>
> I just wondered if Tor might be vulnerable to DNS attacks during the
> bootstrapping phase? Is there a public key of a directory server included in
> all the Tor download packages to secure the initial contact to the directory
> servers?
>
> I also want to emphasize again that everybody, but especially Tor node
> operators, should check that he/she is not vulnerable to DNS cache
> poisoning, for example by visiting this website:
> http://member.dnsstuff.com/tools/vu800113.php
> or by querying the TXT record of the domain porttest.dns-oarc.net with a
> command like 'host -t TXT porttest.dns-oarc.net'.
>
>
> Sven
>
>
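
The check quoted above, `host -t TXT porttest.dns-oarc.net`, answers with a TXT string that rates how varied the resolver's source ports are. The following is an added example, not part of either message, that turns that answer into a verdict and an exit status a relay operator can script against. Assumptions: the TXT format shown in the comment (it does not appear in the thread), the hypothetical function name `rate_porttest`, and the constructed sample answers.

```shell
#!/bin/sh
# Added example: interpret the answer to 'host -t TXT porttest.dns-oarc.net'.
# Assumed TXT format (not shown in the thread):
#   "<resolver> is <GREAT|GOOD|POOR>: <n> queries in <s> seconds from <p> ports with std dev <d>"

# Reads host/dig output on stdin and prints a one-line verdict.
# Exit status: 0 = source ports vary, 1 = predictable ports, 2 = no answer parsed.
rate_porttest() {
    tr -d '"' | awk '
        {
            for (i = 2; i < NF; i++) {
                if ($i == "is" && $(i + 1) ~ /^(GREAT|GOOD|POOR):$/) {
                    resolver = $(i - 1)
                    rating = $(i + 1); sub(/:$/, "", rating)
                    queries = $(i + 2)
                    for (j = i + 2; j < NF; j++)
                        if ($(j + 1) == "ports") ports = $j
                    found = 1
                    exit
                }
            }
        }
        END {
            if (!found) { print "no porttest answer found"; exit 2 }
            summary = sprintf("resolver %s: %s (%d queries from %d source ports)", resolver, rating, queries, ports)
            if (rating == "POOR" || ports + 0 <= 1) {
                print summary " - predictable source ports, fix before relying on this resolver"
                exit 1
            }
            print summary " - source ports look randomized"
            exit 0
        }'
}

# Constructed sample answers (documentation addresses, not real resolvers).
SAMPLE_GOOD='porttest.dns-oarc.net is an alias for porttest.a.b.c.pt.dns-oarc.net.
porttest.a.b.c.pt.dns-oarc.net descriptive text "192.0.2.53 is GREAT: 26 queries in 2.0 seconds from 26 ports with std dev 17685"'
SAMPLE_WEAK='"198.51.100.7 is POOR: 26 queries in 1.4 seconds from 1 ports with std dev 0"'

printf '%s\n' "$SAMPLE_GOOD" | rate_porttest
printf '%s\n' "$SAMPLE_WEAK" | rate_porttest || true
# Live use: host -t TXT porttest.dns-oarc.net | rate_porttest
```

The rating describes the resolver that actually contacted the test server, so run it on the relay host itself using the resolver that host is configured with.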