Tor Security Discussion Thread

on 13.05.2006 00:08:46 by Ludovic Joly

Tor is enjoying some success among the TCP/IP anonymity seekers. Could
we discuss the security of this system in this thread? Why not
investigating this topic at cryptology, computer/network, and user
levels (the only reason for x-posting this message)?

Kind regards
Ludovic Joly

Re: Tor Security Discussion Thread

on 13.05.2006 00:14:48 by Sebastian Gottschalk

lgr_joly@yahoo.com wrote:
> Tor is enjoying some success among the TCP/IP anonymity seekers. Could
> we discuss the security of this system in this thread? Why not
> investigating this topic at cryptology, computer/network, and user
> levels (the only reason for x-posting this message)?

Is there any need to discuss it? As far as the implementation is
correct, TOR fulfills its goal to provide a maximum protection against
routing analysis.

It does not, and was never intended to protect against traffic and
timing analysis, and the biggest problem still is session tracking and
fingerprinting through client applications (f.e. webbrowsers).

When you don't care for leaking information through DNS resolving, a
TORified connection can be arbitrarily fast and low-delay to replace an
unprotected connection for a lot of common tasks (f.e. surfing the WWW).

Re: Tor Security Discussion Thread

on 13.05.2006 00:53:26 by _AnonCoward

lgr_joly@yahoo.com wrote in news:1147471726.300609.250680@j33g2000cwa.googlegroups.com:

> Tor is enjoying some success among the TCP/IP anonymity seekers. Could
> we discuss the security of this system in this thread? Why not
> investigating this topic at cryptology, computer/network, and user
> levels (the only reason for x-posting this message)?
>
> Kind regards
> Ludovic Joly

Wonderful. The homework assignment and minimal prerequisite for even
opening one's mouth should be an attentive and thoughtful reading of the
material posted on:

Anonymity Bibliography
http://www.freehaven.net/anonbib/

Regards,

Re: Tor Security Discussion Thread

on 13.05.2006 03:48:51 by unknown

Post removed (X-No-Archive: yes)

Re: Tor Security Discussion Thread

on 13.05.2006 04:47:16 by unknown

Post removed (X-No-Archive: yes)

Re: Tor Security Discussion Thread

on 13.05.2006 05:05:37 by Tom St Denis

Anonymous wrote:
> On 12 May 2006, lgr_joly@yahoo.com wrote:
> >Tor is enjoying some success among the TCP/IP anonymity seekers. Could
> >we discuss the security of this system in this thread? Why not
> >investigating this topic at cryptology, computer/network, and user
> >levels (the only reason for x-posting this message)?
>
>
> one of the biggest security risks is with users not setting their apps up
> to work with tor correctly. dns leak is a big issue.
>
> or, take java as an example. user browses to a web site using tor and is
> anonymous. but that web site contains a java applet. java isn't running
> through tor and makes a direct connection to the web site and there goes
> that anonymity.

[Why was this posted twice? Maybe your super uber 1337 nym program is
busted?]

Anyways ... anyone concerned with that level of privacy would
virtualize their OS then pump all IP traffic through the filter.

.... of course you'd do that if you didn't get all your tech savvy from
watching Swordfish or playing hacker.

Tom

Re: Tor Security Discussion Thread

on 13.05.2006 23:51:06 by Mike Amling

Anonymous wrote:
> On 12 May 2006, lgr_joly@yahoo.com wrote:
>> Tor is enjoying some success among the TCP/IP anonymity seekers. Could
>> we discuss the security of this system in this thread? Why not
>> investigating this topic at cryptology, computer/network, and user
>> levels (the only reason for x-posting this message)?
>
>
> one of the biggest security risks is with users not setting their apps up
> to work with tor correctly. dns leak is a big issue.
>
> or, take java as an example. user browses to a web site using tor and is
> anonymous. but that web site contains a java applet. java isn't running
> through tor and makes a direct connection to the web site and there goes
> that anonymity.

Java applets, unless they're signed and the user approves the applet
or has previously approved the signer, use the networking of the browser
that's running them, which uses the same proxy as for web page requests.

--Mike Amling

Re: Tor Security Discussion Thread

on 14.05.2006 05:45:38 by Borked Pseudo Mailed

Mike Amling wrote:

> Java applets, unless they're signed and the user approves the applet
> or has previously approved the signer, use the networking of the browser
> that's running them, which uses the same proxy as for web page requests.

Which would mean absolutely nothing at all if that applet simply transmits
your real IP number across that nicely encrypted connection, even if it
were true.

Re: Tor Security Discussion Thread

on 14.05.2006 20:12:24 by Mike Amling

Borked Pseudo Mailed wrote:
> Mike Amling wrote:
>
>> Java applets, unless they're signed and the user approves the applet
>> or has previously approved the signer, use the networking of the browser
>> that's running them, which uses the same proxy as for web page requests.
>
> Which would mean absolutely nothing at all if that applet simply transmits
> your real IP number across that nicely encrypted connection, even if it
> were true.

You probably also want to make sure you're running on a machine that
connects to the Internet through a router that supplies NAT, regardless
of Java.

--Mike Amling

Re: Tor Security Discussion Thread

on 15.05.2006 11:15:14 by Ludovic Joly

Mike Amling:
> You probably also want to make sure you're running on a machine that
> connects to the Internet through a router that supplies NAT, regardless
> of Java.

In this case javascript code or normal java applets can only capture
the internal address, so the IP address of the gateway remains hidden -
is that what you mean regarding this issue?

Re: Tor Security Discussion Thread

on 15.05.2006 15:10:18 by Sebastian Gottschalk

Ludovic Joly wrote:
> Mike Amling:
>> You probably also want to make sure you're running on a machine that
>> connects to the Internet through a router that supplies NAT, regardless
>> of Java.
>
> In this case javascript code or normal java applets can only capture
> the internal address, so the IP address of the gateway remains hidden -
> is that what you mean regarding this issue?

A Java applet can make a direct connection back to the server, the NAT
will happily translate into your public IP.

And JavaScript doesn't know anything about your IP address.

Re: Tor Security Discussion Thread

on 15.05.2006 20:15:11 by Borked Pseudo Mailed

Sebastian Gottschalk wrote:

> Ludovic Joly wrote:
>> Mike Amling:
>>> You probably also want to make sure you're running on a machine that
>>> connects to the Internet through a router that supplies NAT, regardless
>>> of Java.
>>
>> In this case javascript code or normal java applets can only capture the
>> internal address, so the IP address of the gateway remains hidden - is
>> that what you mean regarding this issue?
>
> A Java applet can make a direct connection back to the server, the NAT
> will happily translate into your public IP.
>
> And JavaScript doesn't know anything about your IP address.

False. Javascript can call certain Java classes REGARDLESS of whether Java
is enabled in your browser. It can even make calls to specific Java
versions if there are multiple versions installed on your machine.

Re: Tor Security Discussion Thread

on 15.05.2006 21:45:11 by Ari Silversteinn

On Mon, 15 May 2006 15:10:18 +0200, Sebastian Gottschalk wrote:

> A Java applet can make a direct connection back to the server, the NAT
> will happily translate into your public IP.
>
> And JavaScript doesn't know anything about your IP address.

Whoa there PonyBoy, ain't so, Java's fully capable of being used to extract
this and lots of other info/data.
--
Drop the alphabet for email

Re: Tor Security Discussion Thread

on 15.05.2006 22:08:58 by Mike Amling

Ludovic Joly wrote:
> Mike Amling:
>> You probably also want to make sure you're running on a machine that
>> connects to the Internet through a router that supplies NAT, regardless
>> of Java.
>
> In this case javascript code or normal java applets can only capture
> the internal address, so the IP address of the gateway remains hidden -
> is that what you mean regarding this issue?

Yes. Java, javascript, ActiveX, whatever.

--Mike Amling

Re: Tor Security Discussion Thread

on 15.05.2006 22:11:15 by Mike Amling

Sebastian Gottschalk wrote:
> Ludovic Joly wrote:
>> Mike Amling:
>>> You probably also want to make sure you're running on a machine that
>>> connects to the Internet through a router that supplies NAT, regardless
>>> of Java.
>> In this case javascript code or normal java applets can only capture
>> the internal address, so the IP address of the gateway remains hidden -
>> is that what you mean regarding this issue?
>
> A Java applet can make a direct connection back to the server, the NAT
> will happily translate into your public IP.

The router does NAT on the IP header, not the TCP data payload. The
OP is connecting to the server through Tor.

--Mike Amling

Re: Tor Security Discussion Thread

on 15.05.2006 22:12:00 by _AnonCoward

Ari Silverstein wrote in
news:h41iiud09mcy$.1sflm84zf0qzh$.dlg@40tude.net:

> On Mon, 15 May 2006 15:10:18 +0200, Sebastian Gottschalk wrote:
>
>> A Java applet can make a direct connection back to the server, the
>> NAT will happily translate into your public IP.
>>
>> And JavaScript doesn't know anything about your IP address.
>
> Whoa there PonyBoy, ain't so, Java's fully capable of being used to
> extract this and lots of other info/data.

I'll take the liberty of interjecting some additional information into this
thread and further roil the waters.

Those who like Tor should also look into I2P. At the grossest level the
two networks are similar (Tor is currently more mature), but as you'd
expect there are lots of differences, not all of them subtle, when you look
more closely.

However, I must say I'm very encouraged by my experiments with I2P. Using
both networks (in series or in parallel) opens up even more possibilities.

Regards,

Re: Tor Security Discussion Thread

on 15.05.2006 22:20:11 by Ari Silversteinn

>>> And JavaScript doesn't know anything about your IP address.
>>
>> Whoa there PonyBoy, ain't so, Java's fully capable of being used to
>> extract this and lots of other info/data.
>
> I'll take the liberty of interjecting some additional information into this
> thread and further roil the waters.
>
> Those who like Tor should also look into I2P. At the grossest level the
> two networks are similar (Tor is currently more mature), but as you'd
> expect there are lots of differences, not all of them subtle, when you look
> more closely.
>
> However, I must say I'm very encouraged by my experiments with I2P. Using
> both networks (in series or in parallel) opens up even more possibilities.
>
> Regards, nemo

Effective, crawls like a 14.4K dialup but effective.

--
Drop the alphabet for email

Re: Tor Security Discussion Thread

on 15.05.2006 22:40:53 by Sebastian Gottschalk

Ari Silverstein wrote:

>> A Java applet can make a direct connection back to the server, the NAT
>> will happily translate into your public IP.
>>
>> And JavaScript doesn't know anything about your IP address.
>
> Whoa there PonyBoy, ain't so, Java's fully capable of being used to extract
> this

Java cannot extract your gateway address without breaking out of the
sandbox which is supposed to be impossible. It can only read your local
IP address by generating a socket.

> and lots of other info/data.

Is "lots" new-speech for "few"?

You cannot even get the screen resolution, something which JavaScript
can (if you didn't disable this functionality).

However, there isn't any important and only few pretty unique
information to extract, so you'll even have a hard job just
fingerprinting the system, especially as one can easily limit the
capabilities of JavaScript without breaking relevant functionality.

Re: Tor Security Discussion Thread

on 15.05.2006 22:46:03 by Sebastian Gottschalk

Mike Amling wrote:

>>>> You probably also want to make sure you're running on a machine that
>>>> connects to the Internet through a router that supplies NAT, regardless
>>>> of Java.
>>> In this case javascript code or normal java applets can only capture
>>> the internal address, so the IP address of the gateway remains hidden -
>>> is that what you mean regarding this issue?
>>
>> A Java applet can make a direct connection back to the server, the NAT
>> will happily translate into your public IP.
>
> The router does NAT on the IP header, not the TCP data payload. The OP
> is connecting to the server through Tor.

Sadly, a Java applet is free to ignore your proxy settings. So does
Macromedia Flash's ActionScript.

Re: Tor Security Discussion Thread

on 16.05.2006 00:22:58 by Safari

On Mon, 15 May 2006 22:46:03 +0200,
Sebastian Gottschalk wrote:
> Mike Amling wrote:
>>>>> You probably also want to make sure you're running on a machine that
>>>>> connects to the Internet through a router that supplies NAT, regardless
>>>>> of Java.
>>>> In this case javascript code or normal java applets can only capture
>>>> the internal address, so the IP address of the gateway remains hidden -
>>>> is that what you mean regarding this issue?
>>>
>>> A Java applet can make a direct connection back to the server, the NAT
>>> will happily translate into your public IP.
>>
>> The router does NAT on the IP header, not the TCP data payload. The OP
>> is connecting to the server through Tor.
>
> Sadly, a Java applet is free to ignore your proxy settings. So does
> Macromedia Flash's ActionScript.

Java applet and Flash are free to attempt connecting after
iptables rules have been made to drop packets destined to
other destinations than 127.0.0.1:8888 or wherever your
Tor/privoxy/... are listening.

--
Do what you love because life is too short for anything else.
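An added example, not code from the thread or from the Tor project, of the iptables approach Safari describes: the host's OUTPUT chain drops anything that is not bound for the local proxy ports, so a plugin that ignores the browser's proxy settings has its direct connection dropped and logged rather than revealing the real address. It goes slightly beyond the post by exempting the Tor daemon itself via an owner match. Assumed values not stated in the thread: Tor runs as user "debian-tor", Privoxy listens on 127.0.0.1:8118 and Tor's SOCKS port is 127.0.0.1:9050.

```shell
#!/bin/sh
# Added example (not from the thread): an egress policy in the spirit of
# Safari's suggestion. Every local process except the Tor client may only
# reach the local proxy ports; anything else is logged and dropped.
# Assumed values, not stated in the thread: Tor runs as user "debian-tor",
# Privoxy listens on 127.0.0.1:8118, Tor's SOCKS port is 127.0.0.1:9050.
# Set IPT=echo to preview the generated rules; applying them needs root.
IPT="${IPT:-iptables}"
TOR_USER="${TOR_USER:-debian-tor}"
PROXY_PORTS="${PROXY_PORTS:-8118 9050}"

apply_tor_only_rules() {
  # Start from an empty OUTPUT chain whose default verdict is DROP.
  "$IPT" -F OUTPUT
  "$IPT" -P OUTPUT DROP

  # Replies on connections that one of the rules below already accepted.
  "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Any local process may talk to the proxies on loopback, nothing else on lo.
  for port in $PROXY_PORTS; do
    "$IPT" -A OUTPUT -o lo -p tcp -d 127.0.0.1 --dport "$port" -j ACCEPT
  done

  # Only the Tor daemon itself may open connections to the outside world.
  "$IPT" -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT

  # Everything else is a bypass attempt: log it (rate limited) so plugins
  # ignoring the proxy show up in syslog, then let the DROP policy act.
  "$IPT" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "TOR-LEAK: "
}

# Print the rules that would be applied, for review before enabling them.
preview_tor_only_rules() {
  IPT=echo apply_tor_only_rules
}

# Number of ACCEPT rules the policy installs: one for conntrack, one per
# proxy port and one for the Tor user.
accept_rule_count() {
  preview_tor_only_rules | grep -c -- '-j ACCEPT'
}
```

Run `preview_tor_only_rules` first and check that the owner rule names the user your Tor daemon actually runs as; with a different user the daemon itself would be locked out.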

Re: Tor Security Discussion Thread

on 16.05.2006 01:27:22 by Sebastian Gottschalk

Safari wrote:

>> Sadly, a Java applet is free to ignore your proxy settings. So does
>> Macromedia Flash's ActionScript.
>
> Java applet and Flash are free to attempt connecting after
> iptables rules have been made to drop packets destined to
> other destinations than 127.0.0.1:8888 or wherever your
> Tor/privoxy/... are listening.

Finally someone getting a clue... But: Is your IP address the only
identification information? Certainly not.

I guess a server still can say: "Hm... this guy has a screen resolution
of 1280x960x32, webbrowser is OperaFox 3.0 on MacOSY/x86, has these
plugins installed [list], has this local IP address, latest Java
version, '/' is path delimiter, some websites in his history, is about
that fast... most likely the same guy that someothertrackingsite.biz
reported me yesterday showing up on someserver.com and then browsing to
someotherserver.com, logging in as somenickname..."

Re: Tor Security Discussion Thread

on 16.05.2006 09:32:14 by Safari

On Tue, 16 May 2006 01:27:22 +0200,
Sebastian Gottschalk wrote:
> Safari wrote:
>
>>> Sadly, a Java applet is free to ignore your proxy settings. So does
>>> Macromedia Flash's ActionScript.
>>
>> Java applet and Flash are free to attempt connecting after
>> iptables rules have been made to drop packets destined to
>> other destinations than 127.0.0.1:8888 or wherever your
>> Tor/privoxy/... are listening.
>
> Finally someone getting a clue... But: Is your IP address the only
> identification information? Certainly not.
>
> I guess a server still can say: "Hm... this guy has a screen resolution
> of 1280x960x32, webbrowser is OperaFox 3.0 on MacOSY/x86, has these

I know that I can modify User-Agent with tamper-data extension
for Firefox (for http and https), and for http I can use squid
and/or privoxy, but Firefox does not seem to lie about screen res,
and I don't know of extensions to "lie" about it,
but java is disabled (haven't needed this year) and I have only the
default plugins, and I run NoScript extension.

> plugins installed [list], has this local IP address, latest Java
> version, '/' is path delimiter, some websites in his history, is about
> that fast... most likely the same guy that someothertrackingsite.biz

How well would figuring out speed work when using Tor?

> reported me yesterday showing up on someserver.com and then browsing to
> someotherserver.com, logging in as somenickname..."

--
Do what you love because life is too short for anything else.

Re: Tor Security Discussion Thread

on 16.05.2006 15:01:34 by Sebastian Gottschalk

Safari wrote:
> On Tue, 16 May 2006 01:27:22 +0200,
> Sebastian Gottschalk wrote:
>> Safari wrote:
>>
>>>> Sadly, a Java applet is free to ignore your proxy settings. So does
>>>> Macromedia Flash's ActionScript.
>>> Java applet and Flash are free to attempt connecting after
>>> iptables rules have been made to drop packets destined to
>>> other destinations than 127.0.0.1:8888 or wherever your
>>> Tor/privoxy/... are listening.
>> Finally someone getting a clue... But: Is your IP address the only
>> identification information? Certainly not.
>>
>> I guess a server still can say: "Hm... this guy has a screen resolution
>> of 1280x960x32, webbrowser is OperaFox 3.0 on MacOSY/x86, has these
>
> I know that I can modify User-Agent with tamper-data extension
> for Firefox (for http and https),

Or simply by setting browser.useragent.override. You know, you should
be careful about changing that.

BTW, a clever attacker would use feature weighting and clustering to
deal with faking or changed configurations.

> but Firefox does not seem to lie about screen res,
> and I don't know of extensions to "lie" about it,

Well, you can disable access to the window.screen object.

> but java is disabled (haven't needed this year) and I have only the
> default plugins, and I run NoScript extension.

Guess you've got the point: Client-side scripting is a major problem. I
usually recommend disabling it, but it makes a lot of websites pretty
unusable.

>> plugins installed [list], has this local IP address, latest Java
>> version, '/' is path delimiter, some websites in his history, is about
>> that fast... most likely the same guy that someothertrackingsite.biz
>
> How well would figuring out speed work when using Tor?

I meant calculation speed.

Anyway, even HTML omits a lot of tracking features. CSS Generated
Content in combination with various other variants of feature
enumeration, crash/slowness probe/detection, ...

In combination with time-stamps one should get a pretty unique signature
for client tracking.