[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Exit enclaves and FQDNs

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Exit enclaves and FQDNs
From: Roger Dingledine <arma@xxxxxxx>
Date: Wed, 26 Sep 2007 01:36:57 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Wed, 26 Sep 2007 01:37:04 -0400
In-reply-to: <e692861c0709252217j60307b9foe63a5efd3e03744@xxxxxxxxxxxxxx>
References: <e692861c0709252217j60307b9foe63a5efd3e03744@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11)

On Wed, Sep 26, 2007 at 01:17:34AM -0400, Gregory Maxwell wrote:
> I'm working on setting up a number of nodes as exit enclaves. If I use
> a normal socks4 client (resulting in local DNS resolution) it works
> exactly as I would expect: All traffic to the exit host uses the exit
> host local tor node.

Right. But you don't really want to use your local DNS servers for
queries, because that's really bad for your anonymity.

But notice the new DNSPort feature -- if somebody figures out how to
bundle/configure it conveniently, it might grow in popularity a lot,
and it may do what you want:
http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy

> If instead I use a client with privoxy and sock4a with DNS resolution
> performed via tor I find that the *first* request to the FQDN of my
> exit host uses some random exit. After that my tor client appears to
> have cached the result and all further http accesses are via the local
> exit.

Exactly so.

For those following along at home, you can read more about the "enclave"
design at
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers

> Because this first request doesn't use the exit enclave it
> reintroduces in a loss of end-to-end encryption and risk of malicious
> exits. While one connection isn't so bad... for http a malicious exit
> could respond with a redirect to a proxy they control.
> 
> Am I missing some aspect of the configuration which removes this vulnerability?

Alas, that's about right. It was the best compromise I could come up with:
we didn't want to always do a round-trip first just in case it matched
an enclave -- and in any case, even if we did, the vulnerability you
mention where the first guy you pick lies to you would remain.

Do you know of any decentralized secure cheat-proof way of turning
FQDN's into IP addresses? Sounds like we want DNSSec or whatever the
latest craze is called.

--Roger

References:
- Exit enclaves and FQDNs
  - From: Gregory Maxwell

Prev by Author: Wikileaks and Tor (was Re: ESTABLISH_INTRO warns)
Next by Author: Re: Clone nodes
Previous by thread: Exit enclaves and FQDNs
Next by thread: Clone nodes
Index(es):
- Author
- Thread