Security concerns/help me understand tor

Martin Fick mogulguy at yahoo.com
Wed Nov 7 16:20:37 UTC 2007


Hi,

I have a concern that running a tor may in some cases
provide a security breach allowing unexpected access
to the inside of certain networks that are behind
firewalls.  In particular, I am concerned with what I
assume is a fairly common design for home routers. 
This scenario may well illustrate how little I
understand about tor, if so, could someone please set
me straight. :)

My home router offers an http administration console
on port 80 which for obvious security reasons is
normally only accessible from the internal facing side
of the router.  While many of these home routers
typically have an internal private IP such as
192.168.1.1 and an external public IP, they sometimes
respond to both IPs from the inside and sometimes they
even allow access to the administration console on the
external IP if it is accessed from the internal side
of the router (mine does).  This would not normally be
a problem, but add a tor exit server to the inside of
a home network serviced by such a router and ...you
can probably guess where I am going with this.

Suppose that Bob hosts a tor exit server NATed behind
one of these routers and perhaps he even hosts a
public facing website NATed to this router since it is
behind his router/firewall.  If Alice decides to check
out Bob's website using tor she may suddenly be given
the opportunity to test her ethical disposition for
being an attacker by unexpectedly being presented with
the login screen to Bob's router admin console!

This, of course, should only happen if Alice's tor
client chooses Bob's tor server as the exit node. 
But, if I understand the tor documentation correctly,
this would in fact be the preferred way for tor
client's to access Bob's website since they should be
able to detect that Bob's website and his tor exit
server are in fact both (NATed to) the same public
IP!!!!

If I am correct about this possibility, and without
arguing the virtues of whether these routers are doing
the right thing by providing access to the admin
console from the external IP from their inward facing
interface, I think that tor relay providers should be
strongly warned about this possibility in the tor
documentation!  I am not sure that there is a good
default (out of the box) way to prevent this from
happening with tor, but I suspect that if Bob sets an
exit policy explicitly rejecting his own IP that he
would be safe from this sort of compromise?

And to add a tiny bit of credibility to this theory: I
believe that I experienced accessing my own router
this way through tor last night after running my
server for about an hour. But, I could not reproduce
it today and I am unwilling to try this for very long
since I do not want to be so exposed.


All this leads to another question I have about tor
which will probably really show how ignorant I am. 
What prevents tor exit nodes from spoofing any IP that
they want and easily setting up phishing attacks?? 
Afterall, they are now potentially acting as routers
for anyone trusting enough to use tor, can't they
decide where to send their exit streams and spoof any
public IP?

A new excited but confused/concerned tor user, ;)

Thanks,

-Martin


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



More information about the tor-talk mailing list