Security concerns/help me understand tor

Ruben Garcia ruben at ugr.es
Fri Nov 9 10:03:42 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Fick wrote:
> --- Kyle Williams <kyle.kwilliams at gmail.com> wrote:
>> On Nov 8, 2007 8:53 AM, Martin Fick
>>> On Wed, Nov 07, 2007 at 08:20:37AM -0800, Martin
>>> Fick wrote:
>>>> My home router offers an http administration
>>>> console on port 80 which for obvious security
>>>> reasons is normally only accessible from the
>>>> internal facing side of the router.  While
>>>> many of these home routers typically have an
>>>> internal private IP such as 192.168.1.1 and
>>>> an external public IP, they sometimes respond
>>>> to both IPs from the inside and sometimes they
>>>> even allow access to the administration console
>>>> on the external IP if it is accessed from the
>>>> internal side of the router (mine does).  This
>>>> would not normally be a problem, but add a tor
>>>> exit server to the inside of a home network
>>>> serviced by such a router and ...you can
>>>> probably guess where I am going with this.
> 
> ...
>>> --- Ruben Garcia <ruben at ugr.es> wrote:
>>>> Perhaps it might be possible to tell tor about
>>>> the router's nat policy so that if the router is
>>>> supposed to port forward the external request
>>>> to <ipA>:<portA>, tor does it itself.
>>>> That way, the problematic
>>>>
>>>> host->tor->tor->your host tor->router->your host web
>>>> can become
>>>>
>>>> host->tor->tor->your host tor->your host web
>>>>
>>>> (This requires some changes to the torrc and tor
>>>> source, so I'd like to add it to the feature
>>>> request list in case somebody has free time)
>> That would be a hidden service.  Tor already does
>> that.
>> What we are talking about is secure defaults for
>> exit nodes.
> 
> No, I think you may have misunderstood the 
> suggestion, I had to read it twice too.  :)
> 
> Perhaps I can try illustrating this better.
> 
> To start with we have website W hosted on internal
> private IP P (192.168.1.2) forwarded to the world 
> by a NATting router with internal IP GW (192.168.1.1)
> at external IP E.  Anyone on the outside can (and is
> supposed to be able to!) get to web site W by 
> accessing E, not P, with or without tor.  
> 
> 1) Site (W)  [P]<--- NAT [E]<---- Internet (anyone)
> 
> But with or without tor no-one can actually get to
> W from the intranet, I, on external IP E since the
> router intercepts that IP, E, and presents its 
> admin console A on E.
> 
> So, instead of seeing this:
> 
> 2) Client     [I]--->[E]  Router   
>     Site  (W) [P]<---     Router
> 
> intranet clients get:
> 
> 3) Client     [I]--->[E]  Router Admin Console (A)
> 
> 
> Now, add an internal tor exit relay on the inside 
> of the firewall trying to legitimately get to W on 
> E (similar to 1):
> 
> 4)       Tor  <---    Router <---- Internet(anyone)
>          Tor  --->[E] Router   
>  Site (W) [P] <---    Router
> 
> Note: they are not trying to illegitimately access 
> W at P, but at legitimate E!  Instead they end 
> up more like (3):
> 
> 5)       Tor <---     Router <---- Internet (anyone)
>          Tor  --->[E] Router Admin console (A)
> 
> The suggested fix, instead of simply barring
> E in the exit policy (since it is a legitimate 
> endpoint), is to spoof E with P internally to tor!
> 
> 6) Tor <------------- Router <---- Internet (anyone)
>    Tor --->[P] Site (W)
> 
> Yes, this is somewhat similar to a hidden service
> because we are accessing a web site, W, on the
> inside of the intranet, but that site is supposed
> to be accessed from the outside; we are simply
> bypassing the obstructed trip to the internal 
> router hoping to just be NATted and bounced 
> back to P (4).  The original scenario (4), which is 
> impossible because of (5), would have done the 
> same thing as (6) just by a different route!
> 
> Does that make more sense and sound 
> reasonable?
> 
> -Martin
> 
> 
This is exactly what I meant. Sorry my message was too compressed.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHNDB+jJvgg3iy84QRAjv4AJ4rsL1Ax7PN35/4Pao8NruuRedudwCfUU4r
DCnnD8QtI/P0G1b7YKwHYDM=
=BTho
-----END PGP SIGNATURE-----
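
The decision Martin's diagrams (5) and (6) describe, written out as a destination check. This is an added example, not part of the thread and not Tor code; the addresses are constructed, and `PORT_FORWARDS` and `resolve_exit_target` are hypothetical names standing in for the router's NAT table and the proposed relay-side logic.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
EXTERNAL_IP = ipaddress.ip_address("203.0.113.7")   # E: router's public address
# Hypothetical copy of the router's port-forward table:
# external port -> (internal host P, internal port).
PORT_FORWARDS = {80: ("192.168.1.2", 80)}
# Ranges that are only reachable from inside the NAT (includes GW 192.168.1.1).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def resolve_exit_target(dest_ip, dest_port):
    """Decide how a relay behind the NAT should treat one exit request.

    Returns ("rewrite", host, port), ("allow", host, port) or ("reject", reason).
    """
    ip = ipaddress.ip_address(dest_ip)
    if ip == EXTERNAL_IP:
        forward = PORT_FORWARDS.get(dest_port)
        if forward is None:
            # Nothing is forwarded on this port, so from the inside E:port can
            # only be the router itself (diagram 5, the admin console).
            return ("reject", "unforwarded port on own external IP")
        # Diagram 6: connect to P directly instead of bouncing off the router.
        return ("rewrite", forward[0], forward[1])
    if any(ip in net for net in INTERNAL_NETS):
        # Internal addresses are not legitimate exit destinations.
        return ("reject", "internal address")
    return ("allow", str(ip), dest_port)


if __name__ == "__main__":
    for target in (("203.0.113.7", 80), ("203.0.113.7", 8080),
                   ("192.168.1.1", 80), ("198.51.100.20", 443)):
        print(target, "->", resolve_exit_target(*target))
```

The rewrite only covers ports the router really forwards; every other port on E is refused rather than passed through, which keeps the admin console out of reach while W stays reachable.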



More information about the tor-talk mailing list