[tor-talk] Request: would someone create a tutorial on how to examine an app for leaks?
Tom Ritter
tom at ritter.vg
Fri Oct 5 15:52:44 UTC 2012
On 5 October 2012 11:37, <antispam06 at sent.at> wrote:
> This is a request. Would someone be so kind as to add a tutorial, in
> fact, several tutorials for how to test/see if an app is Tor ready?

There are some wiki articles, but I'm surprised there wasn't a simple one...

For Linux, I think the fastest/most naive way would be:

1) Set up a tor bridge on another host in your network/on the internet
2) Boot your client/testing machine from a LiveCD
3) Install Tor, have it point to the bridge
4) Install shorewall (or use iptables, but I don't know the correct
iptables commands)
5) /etc/shorewall/zones:
     fw   firewall
     net  ipv4
6) /etc/shorewall/interfaces:
     net  eth0  detect  dhcp
7) /etc/shorewall/policy:
     fw   net  DROP  warn
     net  fw   DROP  info
8) /etc/shorewall/rules:
     ACCEPT  $FW  net:bridgeip  tcp  bridgeport
9) This should prevent anything from leaving your machine that doesn't
go to that single port on that single ip over TCP. Tail your logs,
and let your machine quiet down. Stop any ntp services, system
updates, etc. Get it so your machine is sending no traffic.
10) Start up your application, use *every single feature* and make
sure it's all being correctly proxied through tor. Anything that
shows up in your logs is a leak. Investigate it.

I purposely did not put this guide on the wiki, because this is stream
of consciousness, and it's probably missing something. (For example,
you should confirm that it correctly stops outgoing icmp and udp.) Try
it out, flesh it out, work out the kinks, write it more verbosely with
samples and screenshots, and then put it on the wiki.

Finally, the application may read your IP address or other
de-anonymizing information and send it over Tor. This is another
class of leak, much harder to detect.

In addition to what I wrote, you really should read all of what is on
the wiki also:
- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver
- https://trac.torproject.org/projects/tor/wiki/doc/Preventing_Tor_DNS_Leaks
- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor
- https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO
- https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks
It's long, but you're now doing work as a developer, not a user - you
owe it to the users of *your* work to make every effort to do it
correctly.
-tom
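
One way to triage the log output from step 10, as an added example that is not part of the original message: it parses netfilter log lines and counts every blocked outbound packet by protocol, destination and port. The sample log is constructed, and the parser assumes Shorewall's default "Shorewall:<chain>:<disposition>:" log prefix; the function names and hint table are illustrative.

```python
import re
from collections import Counter

# Constructed sample kernel log (not from the original post). Assumes
# Shorewall's default log prefix "Shorewall:<chain>:<disposition>:".
SAMPLE_LOG = """\
Oct  5 15:40:01 live kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TTL=64 ID=4242 DF PROTO=UDP SPT=40112 DPT=53 LEN=40
Oct  5 15:40:06 live kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TTL=64 ID=4243 DF PROTO=UDP SPT=40112 DPT=53 LEN=40
Oct  5 15:41:10 live kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TTL=64 ID=981 DF PROTO=TCP SPT=51514 DPT=80 WINDOW=14600 SYN
Oct  5 15:41:30 live kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=771 SEQ=1
Oct  5 15:42:00 live kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01 SRC=192.168.1.23 DST=192.168.1.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct  5 15:42:05 live kernel: eth0: no IPv6 routers present
"""

PREFIX = re.compile(r"Shorewall:\S+?:(?:DROP|REJECT):(.*)")
FIELD = re.compile(r"(\w+)=(\S*)")
# Illustrative hints for the leak types the message and the wiki pages mention.
HINTS = {("UDP", "53"): "DNS lookup bypassing Tor",
         ("TCP", "53"): "DNS lookup bypassing Tor",
         ("UDP", "123"): "NTP, stop the time service"}

def find_leaks(log_text):
    """Count blocked outbound packets per (protocol, destination, port)."""
    leaks = Counter()
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue                      # not a firewall log entry
        f = dict(FIELD.findall(m.group(1)))
        if f.get("IN") or not f.get("OUT"):
            continue                      # inbound packet, not sent by this host
        # ICMP has no port, so report its type instead
        port = f.get("DPT") or "type " + f.get("TYPE", "?")
        leaks[(f.get("PROTO", "?"), f.get("DST", "?"), port)] += 1
    return leaks

def report(leaks):
    """Human-readable lines, most frequent leak first."""
    return ["%dx %s to %s %s%s" % (n, proto, dst, port,
            "  <- " + HINTS[(proto, port)] if (proto, port) in HINTS else "")
            for (proto, dst, port), n in leaks.most_common()]

if __name__ == "__main__":
    print("\n".join(report(find_leaks(SAMPLE_LOG))) or "no outbound packets blocked")
```

An empty report only means nothing was blocked while the log was being collected; features of the application that were not exercised are not covered by it.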