Re: "Practical onion hacking: finding the real address of Tor clients"



On Fri, Oct 20, 2006 at 03:31:22PM -0700, coderman wrote:
> i'm fond of the transparent proxy router approach we've used to try
> and fail safe for most protocols (at least with respect to the DNS
> leaks and covert TCP connections via Java/Flash/etc).[1]
[snip]
> it would be nice to have a detailed proxy checker available that looks
> at these Java/Flash/RealPlayer/etc holes.  right now there are a
> handful of common http proxy checkers but these look for headers and
> IP at best.

Right, this would be great. There are a few checkers out there that
hand a Java program to the user that fetches his IP address. We (Tor)
get mail every so often from people who say "hey, I went to this site
and it knows who I am! Tor's broken!"

One of these days I'll get around to writing the single clear paragraph
that will explain everything to everybody. That's still in the works
though; feel free to beat me to it. It would go between
http://tor.eff.org/docs/tor-doc-win32#verify
and
http://tor.eff.org/docs/tor-doc-win32#server
as a new section.

> 1. http://janusvm.peertech.org/ uses a pptp vpn connection to force a
> default route through the virtual machine providing transparent TCP
> and DNS proxy through Tor.  this defeats all of the covert TCP
> connection attacks designed to circumvent browser/application level
> SOCKS/HTTP proxy settings, but does not address identifying data
> within the TCP streams.

Right. Yay JanusVM. I think the eventual solution for packaging Tor
correctly will be to run a VM or something similar that handles all
network traffic correctly, so people don't have to worry so much about
configuring things. It still won't be perfect though, because your
Firefox's Java program can still run whatever it likes, and because
cookies and other application-level issues need to be solved too.

See also
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#TransportIPnotTCP

> [people have been asking about non-Win
> support, and this will be forthcoming in the next few months via
> openvpn for *bsd/linux/solaris/mac]

See also
http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy
for Linux, BSD, and probably OS X.

--Roger