A Tor Web Service For Verifying Correct Browser Configuration
Nick Mathewson
nickm at freehaven.net
Sat Mar 22 15:57:57 UTC 2008
On Sun, Mar 16, 2008 at 08:25:47PM +0000, Robert Hogan wrote:
{For reference, this is now proposal 132. See
http://www.torproject.org/svn/trunk/doc/spec/proposals/132-browser-check-tor-service.txt
}
>
> Filename: xxx-browser-check-tor-service.txt
> Title: A Tor Web Service For Verifying Correct Browser Configuration
> Version: $Revision: 13955 $
> Last-Modified: $Date: 2008-03-16 18:51:55 +0000 (Sun, 16 Mar 2008) $
> Author: Robert Hogan
> Created: 2008-03-08
> Status: Draft
Hi, Robert! I'd like to ask about a couple of alternative designs
that periodically come up for this problem, and ask about security
implications.
The two main alternative designs are:
- Use a remote "am I using Tor" page.
This handles tests 2 and 3 pretty easily, and with a little
effort can be made to do test 1.
- Have a controller do it without modifying, or with minimal
modifications to, the Tor client.
Test 3 (net connectivity by Tor) is as easy as looking for
whether Tor can build a circuit, I think. For test 2 (is browser
using Tor), just use a MAPADDRESS command to replace a randomly
chosen unique ID hostname with (say) torproect.org. For test 1
(is browser using Tor for DNS), send the browser to request a
random hostname, and then look in Tor's DNS cache to see whether
Tor has a cached entry there.
[There may be better ways to do these.]
The security implications as near as I can tell are:
* It adds a way to tell if people are using Tor: when they test an
instance of Tor that isn't configured properly, they'll leak
pretty identifiable requests to one or two well-known addresses.
* There are lots of attacks this doesn't solve, particularly
browser-based ones. We could solve this by having a link to a
remote "am I using Tor right" page, I guess.
* It adds another local resource that speaks HTTP; experience
suggests that we should think about whether remote pages can use
links or javascript to redirect users here in a way that will be
useful to an adversary.
None of these seem really terrible to me at the moment, but we should
analyze them.
What do you think?
--
Nick
More information about the tor-dev
mailing list