lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <200712082224.19442.prb@lava.net>
Date: Sat, 8 Dec 2007 22:24:19 -1000
From: Peter Besenbruch <prb@...a.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Compromise of Tor,
	anonymizing networks/utilities

On Saturday 08 December 2007 14:01:28 coderman wrote:

> http://www.freehaven.net/anonbib/
> http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ

Thanks for the links.

> > Having seen good crypto ruined by lousy implementations, I thought it
> > timely to remind ourselves of the lesson that implementation is at least
> > as important as the underlying theory.
>
> this is actually a significant aspect for Tor, given that so many
> applications and services which were never intended to be anonymized
> are now getting sent over the network.  the implementation / side
> channel issue is huge, and one reason i am such a proponent of the
> transparent Tor proxy model where all network traffic is either sent
> through Tor or dropped.

My goals are a little more modest. I browse using TOR, except for SSL links. 
Essentially, I want everything I do encrypted, and it wouldn't hurt to 
anonymize my IP address. I try not to abuse the TOR network with Bittorrent 
downloads. Given the NSA monitoring of the Internet in real time, I would 
just as soon make them work for my browsing habits.

> it is simply too difficult for most people and/or most applications to
> be configured to properly communicate through Tor as a proxy, compared
> to simply routing traffic through a transparent Tor proxy.  there are
> some caveats with this approach, and using multiple VM's is stronger
> than host / anon router vm.  however, the drawbacks are minor compared
> to the risks of vulnerable side channels with an explicit SOCKS or
> application protocol layer proxy...

My only concern would be with the sturdiness of the TOR network itself. I hope 
it expands to the point where all traffic could flow through it, but right 
now, it get pretty bogged down from time to time.

> (i should pimp JanusVM here, but you can also configure for *nix easily)
>
> see http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy

The Linux instructions are suitably geeky, but straightforward. I tend to use 
FoxyProxy on Firefox. Right now, I am checking out TorK. I hear its the 
latest and greatest for configuring things easily on Linux. Unfortunately, I 
have to compile it, and the list of requirements is a mile long. ;)

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ