Re: Intercepting TOR

[valdis.kletnieks () vt edu]

On Wed, 15 Aug 2012 13:09:38 -0700, full-disclosure () grid32 com said:

> Read an interesting article on "intercepting TOR users via proxies

> Any ideas on how this could be mitigated?

Well... using TOR the way it was intended would help mitigate a lot of it.
TORButton, NoScript, SSL-Everywhere.. all the usual stuff.  The TOR people
are *very* up front about the fact that it does *not* protect you after
it leaves the exit node so you should https: from there if possible.

Also, the suggestion in the paper to hit a page directly and via TOR and
comparing the two results is probably a *bad* idea, because it allows
fingerprinting.  You really need to hit the page both times with the same
User-Agent string and all that, in case the page you test acts differently for
different values (it sucks to false-positive a mismatch just because the site
saw a spoofed IE8 header one time and FIreFox the other and sent different HTML
for teh two cases).  And if you hit it twice with the same setup, then it
becomes easier to equate the two hits unless you work *real* hard to minimize
the amount of leaked info, and hit a *really* high activity site like CNN's
homepage.  Go check these links out:

https://panopticlick.eff.org/index.php
https://www.eff.org/press/archives/2010/05/13

and then ask yourself if you want to hit anything twice...

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/