[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Network Scan through Tor Exit Node (Port 80)



     On Sat, 02 Apr 2011 20:08:16 -0700 Jacob Appelbaum <jacob@xxxxxxxxxxxxx>
wrote:
>On 03/29/2011 02:10 AM, Scott Bennett wrote:
>>      On Thu, 10 Mar 2011 10:27:50 -0800 Chris Palmer <chris@xxxxxxx> wrote:
>>> On 03/10/2011 09:10 AM, mick wrote:
>>>
>>>> Using Tor to scan the internet is a good way to see how the internet
>>>> looks from different perspectives at once, which can be quite valuable."
>>>>
>>>> Which says to me that you are using Tor to do this research.
>>>
>>> No, it says to you that using Tor to scan the internet is a good way to
>>> see how the internet looks from different perspectives at once, which
>>> can be quite valuable.
>>>
>>>> So which is it? 
>>>
>>> The Observatory work was not done through Tor.
>> 
>>      Good.
>
>I think we need a scan of the SSLiverse through Tor.
>
>>>
>>> However, using Tor to scan the internet is a good way to see how the
>>> internet looks from different perspectives at once, which can be quite
>>> valuable, so I vociferously defend the idea of doing so.
>>>
>>      Ah.  "The ends justify the means."  How enlightened. :-(
>> 
>
>I don't think Chris is making "The ends justify the means" as his
>ethical model. Tor relays with exit policies that allow exiting to *:443

     Whether he is or is not using that as his "ethical model", that is
indeed the form (see above) of his reasoning for defending the activity
in spite of the harmful effects it has upon the tor network.

>intend to allow exiting to *:443. You have to go to quite a bit of
>effort to become a relay, so I'll trust that this counts as consent for
>exiting the Tor network on port 443. I hope we don't disagree about this?

     Use != abuse.
     If I run sendmail with it configured to accept mail from outside, that
does not mean I agree to receive massmail, malware, or other bad stuff via
TCP port 25.  Because various idiots with access to the Internet insist upon
attempting to abuse my ability to receive mail does not militate against my
defending my system from such malicious activity in any way I see fit.
     Do you suppose, for example, that the operators of the root name servers
would hesitate for a minute to filter out packets from any address that were
obviously attempting a DoS attack upon their root servers?  And would they
be wrong to do so?  Consider that, in doing so, they would not only be
defending their own services, but also the proper functioning of the entire
Internet.
     The same reasoning applies to operators of exit nodes wishing to defend
the continued existence of their nodes and thereby defend also the proper
functioning of the tor network.
>
>Now, if your ethical issue surrounds the fact that they then connect to
>a computer without asking permission, I'd make the argument that this is
>reasonable. Even if I was mistaken in your desire to have me connect to
>your system, I believe your placement of a computer system on the public
>internet requires handling a little bit of expectation setting.
>
>What do I mean? I mean to say - if you configure PF to block me, I'm
>still burning some amount of CPU time on your machine. Is that an
>unethical action on my part? To ask your computer a question and for
>your computer to reply (with say, a RST) is a normal part of the
>networking protocols. The internet is inherently chatty and some amount
>of that chatter is the cost of connecting to the public internet.
>Obviously 1,000,000 connections at once isn't polite but is polite
>really zero connections? Is one connection really so impolite or unethical?

     Your analogy is not valid.  The activity in question can and does
result in termination of services to exit nodes by their ISPs.
>
>Now - if we assume that it's reasonable to send a single SYN and then
>complete the handshake when the policy allows, what is the next
>boundary? I'd argue that common HTTPS ports probably run HTTPS software
>- to better understand that software, you'll need to negotiate some or
>all of that protocol. Is sending a TLS ClientHello a reasonable and
>ethical next step? I'd say so. It also seems to make sense that when the
>server replies, you might log the ServerHello. You might even log all of
>the data that the server intended you to have. Is that impolite or
>unethical? Is there something wrong with what has been done by this
>point in the protocol? I don't think so.

     As noted above, the activity under consideration results in the general
depletion of exit nodes from the tor network.  Therefore it must be thought
of as an attack upon the tor network itself.
     Further, an activity that can be used by one party to cause termination
of another, innocent party's Internet connection is an intolerable assault
upon the latter party's paid access to the Internet for all purposes, not
just to offer additional capacity to the tor network, and upon a private
agreement between the latter party and his/her ISP.  Defense against such
offenses is completely appropriate and in order.
     The activity in question also is not easily distinguishable from that
of a lot of actual malware that scans for open ports to find a way in.
     Using an efficient packet filter (e.g., pf) is a way to provide a
defense at minimal cost.  Consider it similar to keeping one's household
appropriately armed against intruders.  Yes, security costs a bit, but
TANSTAAFL, and like insurance, it's cheaper than not being prepared when
an attack comes.  In the case of using a packet filter to prevent responses
to miscreants on a permanent basis, it has the additional benefit of
proactively defending all other present or future services offered, while
denying said miscreants any information.  This is even more the case when
the filter is combined with something like FreeBSD's black hole option for
incoming packets for closed ports because the sender doesn't get a response
even in the first attempt.  That means that the delay in adding the sender's
IP address to the filter does not allow the sender to receive any information
at all in response, even once, except in the case that the sender happens to
connect to a port that actually *is* open before the sender's address gets
added to the table.
>
>Now the client will reasonably tear down the connection as described in
>the relevant protocols. Is that wrong? I don't think so - the protocols
>specifically indicate how systems should signal their intentions. You're
>free to tell me to stop connecting and I'm free to connect - that's how
>these things generally work.

     Let's apply that argument to telephones.  There is a procedure for
making a telephone call that has several steps:  dialing, waiting for the
switching system to establish a circuit, ringing the phone at the other
end (a connection attempt), possibly several times, then either getting
an answer or giving up on the connection attempt with no answer or because
the response was a busy signal or notification that the number is no longer
assigned.  If the call is answered, then information may be transmitted in
both directions, and eventually the connection is closed (hung up).  So
there is a protocol for making a phone call.  The existence of the protocol
can hardly be a justification for abuse.  Is it okay to dial phone numbers,
either at random or according to some desired pattern, just to find out
whether a human answers, a modem answers, or there is no answer, only to
disconnect immediately upon an answer or after an error indication or else
upon a configured timeout?
>
>Now - as it happens, the EFF SSL observatory client does not actually
>implement the entire set of SSL/TLS protocols - just as some software
>does not implement TLS 1.1 or 1.2 - is it somehow wrong to run a client
>that isn't completely implemented for all specs that it might encounter?
>That seems doubtful.

     Again, pf's "synproxy" is an appropriate, preconfigured response of
the target.  It's kind of a simple version of a honeypot.
>
>Google seems to have this data from crawling the web and simply caching
>it as a matter of crawling everything - they get the data from lots of
>sources such as other urls, toolbars, etc. Google recently published
>the Google Certificate Catalog:
>http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html
>
>So is Google's method the only ethical way to collect this certificate
>data? Or is there no method for collecting this data without users
>manually submitting each certificate they encounter by hand?
>
>Even if we pretend that the EFF or the Google methods weren't to be used
>- do you think that the EFF model is actually burning more CPU time on
>each system?

     AFAIK, Google does not use the tor network for its web (or other)
crawling activities.  For Google's purposes, the tor network would be
unusably slow.  AFAIK, Google does not use any method that uses someone
else's computer(s) to make its connections to a destination.  An EFF employee,
OTOH, has confessed to doing so on this list.  The latter, then, is burning
CPU time, as well as network connection throughput capacity, on not just one
system, but on routelen + 1 systems for each scanned system times the number
of ports scanned on that system.
>
>Do you accept that there is some amount of CPU time you're going to have
>to burn when you connect to the internet as a server? If so, what's the
>limit or the edge of reasonable CPU time that a single client may cause
>for a public server?

     Are you asking about reasonable time for service requests from
legitimate clients?  Or, instead, about reasonable time for ignoring
"excommunicated" miscreants?
>
>In any case, the idea of using Tor for perspective routing is not
>particularly new -  Geoffrey Goodell's work on the topic is well over
>half a decade old at this point. It makes a lot of sense to use Tor as a
>perspective-routing system of sorts and there's nothing wrong with that
>at all.
>
     The problem has now been identified and publicized.  If EFF can find
some non-damaging alternative method to gather the information it desires,
then more power to it.  In the meantime, it should cease any and all
activities that can damage the tor network or that can adversely affect
innocent parties elsewhere.  Ethics do matter.
     Another point, though irrelevant due to the ethical considerations
that we've been discussing so far, is that there is no particular reason
to use tor rather than some other proxy to look at the Internet from different
locations.  Anonymity is not necessary to achieve that end.
     BTW, I was offended to read a day or two ago that you had been subjected
to still more harassment by the federal crime syndicate when returning to the
U.S. from points south recently.  You certainly have my sympathy over such
injustices.  The best hope at present is, I think, that the empire will soon
bring on its own collapse under the weight of its theft of wealth by inflation
when the largest buyers of T-bonds stop buying them.  Keep your chin up and
your eyes on that day. :-)


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays