[tor-bugs] #6383 [Flashproxy]: Email registration helper
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Sep 20 18:14:12 UTC 2012
#6383: Email registration helper
------------------------+---------------------------------------------------
Reporter: dcf | Owner: dcf
Type: project | Status: needs_review
Priority: normal | Milestone:
Component: Flashproxy | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Changes (by dcf):
* status: new => needs_review
* type: defect => project
Comment:
I have this implemented in a branch. I would appreciate review of the
crypto aspects and the overall idea. I have the system running now.
The program {{{flashproxy-reg-email}}} makes a registration message like
"client=1.2.3.4:9001" and encrypts it with a public key whose private
counterpart is held by the facilitator. It connects to Gmail's incoming
SMTP server over TLS, and sends an email message containing the encrypted
message to a distinguished gmail.com address whose password is known by
the facilitator. The program {{{facilitator-email-poller}}}, running on
the facilitator, makes an IMAP connection over TLS to the distinguished
account, and checks every 60 seconds for new mail. For every message, it
decrypts the body, passes the client registration to the facilitator, and
deletes the message.
You can test the registration program like this:
{{{
$ ./flashproxy-reg-email :7000
Registered "XXX.XXX.XXX.XXX:7000" with hoddwee at gmail.com.
}}}
If port 7000 (or whatever port you choose) is able to receive TCP
connections, you should get a connection from a flash proxy within about
60 seconds.
Source code:
* https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/email:/flashproxy-reg-email
* https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/email:/facilitator/facilitator-email-poller
Documentation:
* https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/email:/doc/gmail-setup.txt
* https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/email:/doc/facilitator-howto.txt
I call your attention to:
* [https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/8b405f90d5f8905ea08794dbf569f1bc8faf5b3c:/flashproxy-reg-email#l31
A hardcoded CA cert] for SMTP and IMAP TLS.
* Pinned public keys
([https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/8b405f90d5f8905ea08794dbf569f1bc8faf5b3c:/flashproxy-reg-email#l59
SMTP],
[https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/ba80dd5eab18f2d0270066d1e6f992d7cd927f79:/facilitator/facilitator-email-poller#l57
IMAP]) to avoid TLS MITM.
* A
[https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/8b405f90d5f8905ea08794dbf569f1bc8faf5b3c:/flashproxy-reg-email#l22
distinguished email address]; what happens if we lose access? Should
there be more than one?
* [https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/8b405f90d5f8905ea08794dbf569f1bc8faf5b3c:/flashproxy-reg-email#l245
RSA encryption] with {{{pkcs1_oaep_padding}}}.
* An attempt to
[https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/8b405f90d5f8905ea08794dbf569f1bc8faf5b3c:/flashproxy-reg-email#l206
force Python smtplib to verify certificates], is it enough?
* An attempt to
[https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/ba80dd5eab18f2d0270066d1e6f992d7cd927f79:/facilitator/facilitator-email-poller#l87
force Python imaplib to verify certificates], is it enough?
* [https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/8b405f90d5f8905ea08794dbf569f1bc8faf5b3c:/flashproxy-reg-email#l15
Use of the M2Crypto library], unfortunately not part of a standard
Python installation, used for public key pinning and email message
encryption.
* Storage of the facilitator
[https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/ba80dd5eab18f2d0270066d1e6f992d7cd927f79:/facilitator/facilitator-email-poller#l184
private key] and
[https://gitweb.torproject.org/user/dcf/flashproxy.git/blob/ba80dd5eab18f2d0270066d1e6f992d7cd927f79:/facilitator/facilitator-email-poller#l164
email password] in the filesystem.
The reason for encrypting the registration messages, even inside of
encrypted SMTP and IMAP, is to prevent Google from being able to read a
historical record of client IP addresses, and to protect them from an
attacker who may gain access to the Gmail account. Client registrations
are not terribly secret (they are what we give to flash proxies after all,
and Google can of course record the IP addresses of SMTP connections), but
it is better to be cautious. The M2Crypto library needed for this
encryption is also used for the public key pinning.
The encrypted registration emails look like this:
{{{
To: hoddwee at gmail.com
From: nobody at localhost
Subject: client reg a412f8de63
q1lAw3jGmemeuI0kUGTYJZZcjx+EXbRzil42L8SabXH8NljPA8+/JtR+eJCO1cXdj2JLhtaJ23by
YvjJG2qrA1pmyp6P+gcTdLQRlQmkkaCYAfakbh/h7vliH6YEr30G7WtTT2BW7IAhSc8gLNMwiTsN
fh4R3qsE7rOD3VABE4lVZHTkoMA0TP/WQgzVxpu5Bk8tvo9qEKbH2flwjtLq3vX631PjDjexIM7t
9A/5n7eol2gVffK4rxB/1OQ/ZBTkOwvO/bzEYzo5YmMEgAU6e/prVP412srz9TSAUBnSWuNql2X9
ol0D2jf0Aw/XP7qi1ropSwU1IDDR+y/4YkehTQ==
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6383#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
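
On the "force Python smtplib to verify certificates, is it enough?" item above, an added example (not code from the ticket or the flashproxy branch) of how the same three checks look with the Python 3 standard library: chain validation against a single supplied CA, hostname checking, and a pin. Assumptions: the pin is a SHA-256 digest of the whole leaf certificate rather than the public key the comment pins with M2Crypto, and the pin value, function names and parameters are constructed for illustration.

```python
import hashlib
import hmac
import smtplib
import ssl

# Constructed placeholder pin: SHA-256 over the DER bytes of the expected
# server certificate. A deployment would record the real digest here.
PINNED_SHA256 = {hashlib.sha256(b"constructed sample certificate").hexdigest()}


def make_context(ca_pem=None):
    """Client context that trusts only the CA passed in, not the system store."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem is not None:
        ctx.load_verify_locations(cadata=ca_pem)  # the hardcoded CA, as PEM text
    return ctx


def pin_matches(der_cert, pins=PINNED_SHA256):
    """Compare the certificate digest against every pin in constant time."""
    digest = hashlib.sha256(der_cert).hexdigest()
    ok = False
    for pin in pins:
        ok |= hmac.compare_digest(digest, pin)
    return ok


def send_registration(host, port, ca_pem, sender, rcpt, message):
    """Send only after chain, hostname and pin checks have all passed."""
    ctx = make_context(ca_pem)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        # Raises ssl.SSLError if the chain or the hostname does not verify.
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
        if der is None or not pin_matches(der):
            raise ssl.SSLError("server certificate does not match the pin")
        smtp.sendmail(sender, rcpt, message)
```

A whole-certificate pin breaks whenever the server certificate is reissued, whereas a public-key pin survives reissue under the same key.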