[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <94142.1345111269@turing-police.cc.vt.edu>
Date: Thu, 16 Aug 2012 06:01:09 -0400
From: valdis.kletnieks@...edu
To: full-disclosure@...d32.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Intercepting TOR
On Wed, 15 Aug 2012 13:09:38 -0700, full-disclosure@...d32.com said:
> Read an interesting article on "intercepting TOR users via proxies
> Any ideas on how this could be mitigated?
Well... using TOR the way it was intended would help mitigate a lot of it.
TORButton, NoScript, SSL-Everywhere.. all the usual stuff. The TOR people
are *very* up front about the fact that it does *not* protect you after
it leaves the exit node so you should https: from there if possible.
Also, the suggestion in the paper to hit a page directly and via TOR and
comparing the two results is probably a *bad* idea, because it allows
fingerprinting. You really need to hit the page both times with the same
User-Agent string and all that, in case the page you test acts differently for
different values (it sucks to false-positive a mismatch just because the site
saw a spoofed IE8 header one time and FIreFox the other and sent different HTML
for teh two cases). And if you hit it twice with the same setup, then it
becomes easier to equate the two hits unless you work *real* hard to minimize
the amount of leaked info, and hit a *really* high activity site like CNN's
homepage. Go check these links out:
https://panopticlick.eff.org/index.php
https://www.eff.org/press/archives/2010/05/13
and then ask yourself if you want to hit anything twice...
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists