Re: Set up a webproxy to TOR - tor-proxy.net

On Mon, Sep 24, 2007 at 09:25:47PM +0100, Robert Hogan wrote:
> On Monday 24 September 2007 02:22:34 Ricky Fitz wrote:
> > On Sunday, 23.09.2007 at 20:50 -0400, tor-op@xxxxxxxxxxxx wrote:
> > > On Mon, Sep 24, 2007 at 12:42:31AM +0200, Ricky Fitz wrote:
> > > > It is running on the same server my TOR-Server is running (called
> > > > GrossATuin).
> > >
> > > Does your proxy use a separate Tor client, do you exclude your node
> > > as an entry?
> >
> > No, it does not use a separate Tor-Client. Therefore it doesn't make
> > sense to exclude my node. It uses the Tor-Session which runs as a
> > tor-node. So if you spy on the traffic of the server, you will not be
> > able to see, which traffic is from routing traffic for acting as a
> > server, and which from acting as a client. I think that's safer than
> > using a second client.
> >
> So is your cgi-proxy routing everything to an instance of privoxy/polipo 
> running on your machine or directly to the tor socks port? 
> If it is routing everything to privoxy/polipo, what configuration are you 
> using?
> I think it is this sort of detail that phobos has in mind.
> > > I was wondering recently about the security implications of such a setup.
> > >
> > > I was thinking of using a vpn to access my Tor server. From there, all
> > > vpn traffic would be proxied through another tor instance running in
> > > client mode with no bw limitations. Would that be more secure because a
> > > tor server is already running there or less secure because, if in some
> > > way, the traffic from the two instances could be differentiated and the
> > > vpn connections would make the whole system less secure because they
> > > would allow timing and statistical attacks relating vpn traffic to the
> > > second tor traffic?
> >
> > I really don't know, if it will be possible to identify the
> > vpn-connection because of the data which is transferred. But it would be
> > possible, to see that there is another service running than tor. Also,
> > what Bluestar is doubled. If we build a VPN from my server to yours, not
> > only am I theoretically able to spy on the traffic, but also you. (Not
> > that I want to say I do not trust you, but it kills the advantages of
> > onion-system.)
> >
> I think the answer is 'less secure'. That vpn link to bluestar88 is used only 
> by you and it contains all your anonymous traffic on one little pipe over the 
> internet. Unless the link is padded to camouflage inactivity that has to make 
> things easier for an observer.

I came to the same conclusion. A tor client connection from my home to
the Tor network at least uses many entry guards. It makes that many more
"little pipes" to sniff for an observer if he wants to get the global
traffic patterns.

The security implications would be different if used by many users as a service
like XeroBank must do. I'm sure they do use just one instance though, they don't
have the same bandwidth limitation requirements.

Thanks for the input.
