首頁 探索 說明
登入
piros
/
tor
3
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: 46155aca17
分支列表 標籤列表
tor
/
doc
/
spec
/
proposals
/
131-verify-tor-usage.txt

131-verify-tor-usage.txt 4.5 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121 
  1. Filename: 131-verify-tor-usage.txt
    2. 

  2. Title: Help users to verify they are using Tor
    3. 

  3. Version: $Revision$
    4. 

  4. Last-Modified: $Date$
    5. 

  5. Author: Steven J. Murdoch
    6. 

  6. Created: 2008-01-25
    7. 

  7. Status: Needs-Revision
    8. 

  8. 

  9. Overview:
    10. 

  10. 

  11.   Websites for checking whether a user is accessing them via Tor are a
    12. 

  12.   very helpful aid to configuring web browsers correctly. Existing
    13. 

  13.   solutions have both false positives and false negatives when
    14. 

  14.   checking if Tor is being used. This proposal will discuss how to
    15. 

  15.   modify Tor so as to make testing more reliable.
    16. 

  16. 

  17. Motivation:
    18. 

  18. 

  19.   Currently deployed websites for detecting Tor use work by comparing
    20. 

  20.   the client IP address for a request with a list of known Tor nodes.
    21. 

  21.   This approach is generally effective, but suffers from both false
    22. 

  22.   positives and false negatives. 
    23. 

  23. 

  24.   If a user has a Tor exit node installed, or just happens to have
    25. 

  25.   been allocated an IP address previously used by a Tor exit node, any
    26. 

  26.   web requests will be incorrectly flagged as coming from Tor. If any
    27. 

  27.   customer of an ISP which implements a transparent proxy runs an exit
    28. 

  28.   node, all other users of the ISP will be flagged as Tor users.
    29. 

  29. 

  30.   Conversely, if the exit node chosen by a Tor user has not yet been
    31. 

  31.   recorded by the Tor checking website, requests will be incorrectly
    32. 

  32.   flagged as not coming via Tor.
    33. 

  33.   
    34. 

  34.   The only reliable way to tell whether Tor is being used or not is for
    35. 

  35.   the Tor client to flag this to the browser.
    36. 

  36. 

  37. Proposal:
    38. 

  38. 

  39.   A DNS name should be registered and point to an IP address 
    40. 

  40.   controlled by the Tor project and likely to remain so for the
    41. 

  41.   useful lifetime of a Tor client. A web server should be placed
    42. 

  42.   at this IP address.
    43. 

  43.   
    44. 

  44.   Tor should be modified to treat requests to port 80, at the
    45. 

  45.   specified DNS name or IP address specially. Instead of opening a
    46. 

  46.   circuit, it should respond to a HTTP request with a helpful web
    47. 

  47.   page:
    48. 

  48. 

  49.   - If the request to open a connection was to the domain name, the web
    50. 

  50.     page should state that Tor is working properly.
    51. 

  51.   - If the request was to the IP address, the web page should state
    52. 

  52.     that there is a DNS-leakage vulnerability.
    53. 

  53. 

  54.   If the request goes through to the real web server, the page
    55. 

  55.   should state that Tor has not been set up properly.
    56. 

  56. 

  57. Extensions:
    58. 

  58. 

  59.   Identifying proxy server:
    60. 

  60. 

  61.   If needed, other applications between the web browser and Tor (e.g.
    62. 

  62.   Polipo and Privoxy) could piggyback on the same mechanism to flag
    63. 

  63.   whether they are in use. All three possible web pages should include
    64. 

  64.   a machine-readable placeholder, into which another program could
    65. 

  65.   insert their own message.
    66. 

  66. 

  67.   For example, the webpage returned by Tor to indicate a successful
    68. 

  68.   configuration could include the following HTML:
    69. 

  69.    <h2>Connection chain</h2>
    70. 

  70.    <ul>
    71. 

  71.    <li>Tor 0.1.2.14-alpha
    72. 

  72.    <!-- Tor Connectivity Check: success -->
    73. 

  73.    </ul>
    74. 

  74. 

  75.   When the proxy server observes this string, in response to a request
    76. 

  76.   for the Tor connectivity check web page, it would prepend it's own
    77. 

  77.   message, resulting in the following being returned to the web
    78. 

  78.   browser:
    79. 

  79.    <h2>Connection chain
    80. 

  80.    <ul>
    81. 

  81.    <li>Tor 0.1.2.14-alpha
    82. 

  82.    <li>Polipo version 1.0.4
    83. 

  83.    <!-- Tor Connectivity Check: success -->
    84. 

  84.    </ul>
    85. 

  85. 

  86.   Checking external connectivity:
    87. 

  87. 

  88.   If Tor intercepts a request, and returns a response itself, the user
    89. 

  89.   will not actually confirm whether Tor is able to build a successful
    90. 

  90.   circuit. It may then be advantageous to include an image in the web
    91. 

  91.   page which is loaded from a different domain. If this is able to be
    92. 

  92.   loaded then the user will know that external connectivity through
    93. 

  93.   Tor works.
    94. 

  94. 

  95. Security and resiliency implications:
    96. 

  96. 

  97.   What attacks are possible?
    98. 

  98. 

  99.   If the IP addressed used for this feature moves there will be two
    100. 

  100.   consequences:
    101. 

  101.    - A new website at this IP address will remain inaccessible over
    102. 

  102.      Tor
    103. 

  103.    - Tor users who are leaking DNS will be informed that Tor is not
    104. 

  104.      working, rather than that it is active but leaking DNS
    105. 

  105.   We should thus attempt to find an IP address which we reasonably
    106. 

  106.   belive can remain static.
    107. 

  107. 

  108. Open issues:
    109. 

  109. 

  110.   If a Tor version which does not support this extra feature is used,
    111. 

  111.   the webpage returned will indicate that Tor is not being used. Can
    112. 

  112.   this be safely fixed?
    113. 

  113. 

  114. Related work:
    115. 

  115. 

  116.   The proposed mechanism is very similar to config.privoxy.org. The
    117. 

  117.   most significant difference is that if the web browser is
    118. 

  118.   misconfigured, Tor will only get an IP address. Even in this case,
    119. 

  119.   Tor should be able to respond with a webpage to notify the user of how
    120. 

  120.   to fix the problem. This also implies that Tor must be told of the
    121. 

  121.   special IP address, and so must be effectively permanent.
    122.