[tor-bugs] #5553 [Tor Client]: prevent protocol leaks; Tor client connection API or protocol review howto
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Apr 18 17:45:31 UTC 2012
#5553: prevent protocol leaks; Tor client connection API or protocol review howto
------------------------+---------------------------------------------------
Reporter: proper | Owner:
Type: task | Status: new
Priority: normal | Milestone:
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by unknown):
Replying to [comment:3 proper]:
> Here are some hints, how difficult it is, to review an application.
> https://lists.torproject.org/pipermail/tor-talk/2012-April/024016.html
>
> After digging into this topic a lot, I don't think that anyone has ever reviewed
> an application so thoroughly, besides Tor Browser and Pidgin.
Hiding the IP and preventing visible leakages (such as DNS requests or
user-agent name) is not enough for successful torification. For example, if
someone is trying to torify a download manager (such as wget), then a smart
adversary can reduce the anonymity set by statistically profiling any non-TBB
downloaders on the server side or by intercepting exit node traffic.
Wget'll get a different response than standard TBB or other downloaders
to cookie and active element injection, font manipulation on a page,
resumed downloads, pipelining behaviour, etc. Different applications and
different settings lead to different anonymity sets. We need a
bundle with a unified set of popular applications, or a warning to use manual
torifying with limitations (for instance, connecting to trusted personal
hidden services only).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5553#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online