lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <94142.1345111269@turing-police.cc.vt.edu>
Date: Thu, 16 Aug 2012 06:01:09 -0400
From: valdis.kletnieks@...edu
To: full-disclosure@...d32.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Intercepting TOR

On Wed, 15 Aug 2012 13:09:38 -0700, full-disclosure@...d32.com said:

> Read an interesting article on "intercepting TOR users via proxies

> Any ideas on how this could be mitigated?

Well... using TOR the way it was intended would help mitigate a lot of it.
TORButton, NoScript, SSL-Everywhere.. all the usual stuff.  The TOR people
are *very* up front about the fact that it does *not* protect you after
it leaves the exit node so you should https: from there if possible.

Also, the suggestion in the paper to hit a page directly and via TOR and
comparing the two results is probably a *bad* idea, because it allows
fingerprinting.  You really need to hit the page both times with the same
User-Agent string and all that, in case the page you test acts differently for
different values (it sucks to false-positive a mismatch just because the site
saw a spoofed IE8 header one time and FIreFox the other and sent different HTML
for teh two cases).  And if you hit it twice with the same setup, then it
becomes easier to equate the two hits unless you work *real* hard to minimize
the amount of leaked info, and hit a *really* high activity site like CNN's
homepage.  Go check these links out:

https://panopticlick.eff.org/index.php
https://www.eff.org/press/archives/2010/05/13

and then ask yourself if you want to hit anything twice...


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists