Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 644452a62f
Branches Tags
tor
/
doc
/
spec
/
proposals
/
129-reject-plaintext-ports

129-reject-plaintext-ports 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 
  1. Filename: 129-reject-plaintext-ports.txt
    2. 

  2. Title: Block Insecure Protocols by Default
    3. 

  3. Version: $Revision$
    4. 

  4. Last-Modified: $Date$
    5. 

  5. Author: Kevin Bauer & Damon McCoy
    6. 

  6. Created: 2008-01-15
    7. 

  7. Status: Open
    8. 

  8. 

  9. Overview:
    10. 

  10. 

  11.   Below is a proposal to mitigate insecure protocol use over Tor.
    12. 

  12. 

  13.   This document 1) demonstrates the extent to which insecure protocols are
    14. 

  14.   currently used within the Tor network, and 2) proposes a simple solution
    15. 

  15.   to prevent users from unknowingly using these insecure protocols. By
    16. 

  16.   insecure, we consider protocols that explicitly leak sensitive user names
    17. 

  17.   and/or passwords, such as POP, IMAP, Telnet, and FTP.
    18. 

  18. 

  19. Motivation:
    20. 

  20. 

  21.   As part of a general study of Tor use in 2006/2007 [1], we attempted to
    22. 

  22.   understand what types of protocols are used over Tor. While we observed a
    23. 

  23.   enormous volume of Web and Peer-to-peer traffic, we were surprised by the
    24. 

  24.   number of insecure protocols that were used over Tor. For example, over an
    25. 

  25.   8 day observation period, we observed the following number of connections
    26. 

  26.   over insecure protocols:
    27. 

  27. 

  28.     POP and IMAP:10,326 connections
    29. 

  29.     Telnet: 8,401 connections
    30. 

  30.     FTP: 3,788 connections
    31. 

  31. 

  32.   Each of the above listed protocols exchange user name and password
    33. 

  33.   information in plain-text. As an upper bound, we could have observed
    34. 

  34.   22,515 user names and passwords. This observation echos the reports of
    35. 

  35.   a Tor router logging and posting e-mail passwords in August 2007 [2]. The
    36. 

  36.   response from the Tor community has been to further educate users
    37. 

  37.   about the dangers of using insecure protocols over Tor. However, we
    38. 

  38.   recently repeated our Tor usage study from last year and noticed that the
    39. 

  39.   trend in insecure protocol use has not declined. Therefore, we propose that
    40. 

  40.   additional steps be taken to protect naive Tor users from inadvertently
    41. 

  41.   exposing their identities (and even passwords) over Tor.
    42. 

  42. 

  43. Security Implications:
    44. 

  44. 

  45.   This proposal is intended to improve Tor's security by limiting the
    46. 

  46.   use of insecure protocols.
    47. 

  47. 

  48.   Roger added: By adding these warnings for only some of the risky
    49. 

  49.   behavior, users may do other risky behavior, not get a warning, and
    50. 

  50.   believe that it is therefore safe. But overall, I think it's better
    51. 

  51.   to warn for some of it than to warn for none of it.
    52. 

  52. 

  53. Specification:
    54. 

  54. 

  55.   As an initial step towards mitigating the use of the above-mentioned
    56. 

  56.   insecure protocols, we propose that the default ports for each respective
    57. 

  57.   insecure service be blocked at the Tor client's socks proxy. These default
    58. 

  58.   ports include:
    59. 

  59. 

  60.     23 - Telnet
    61. 

  61.     109 - POP2
    62. 

  62.     110 - POP3
    63. 

  63.     143 - IMAP
    64. 

  64. 

  65.   Notice that FTP is not included in the proposed list of ports to block. This
    66. 

  66.   is because FTP is often used anonymously, i.e., without any identifying
    67. 

  67.   user name or password.
    68. 

  68. 

  69.   This blocking scheme can be implemented as a set of flags in the client's
    70. 

  70.   torrc configuration file:
    71. 

  71. 

  72.     BlockInsecureProtocols 0|1
    73. 

  73.     WarnInsecureProtocols 0|1
    74. 

  74. 

  75.   When the warning flag is activated, a message should be displayed to
    76. 

  76.   the user similar to the message given when Tor's socks proxy is given an IP
    77. 

  77.   address rather than resolving a host name.
    78. 

  78. 

  79.   We recommend that the default torrc configuration file block insecure
    80. 

  80.   protocols and provide a warning to the user to explain the behavior.
    81. 

  81. 

  82.   Finally, there are many popular web pages that do not offer secure
    83. 

  83.   login features, such as MySpace, and it would be prudent to provide
    84. 

  84.   additional rules to Privoxy to attempt to protect users from unknowingly
    85. 

  85.   submitting their login credentials in plain-text.
    86. 

  86. 

  87. Compatibility:
    88. 

  88. 

  89.   None, as the proposed changes are to be implemented in the client.
    90. 

  90. 

  91. References:
    92. 

  92. 

  93.   [1] Shining Light in Dark Places: A Study of Anonymous Network Usage.
    94. 

  94.       University of Colorado Technical Report CU-CS-1032-07. August 2007.
    95. 

  95. 

  96.   [2] Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise.
    97. 

  97.       http://www.wired.com/politics/security/news/2007/09/embassy_hacks.
    98. 

  98.       Wired. September 10, 2007.
    99. 

  99. 

  100. Implementation:
    101. 

  101. 

  102.   Roger added this feature in
    103. 

  103.   http://archives.seul.org/or/cvs/Jan-2008/msg00182.html
    104. 

  104.   He also added a status event for Vidalia to recognize attempts to use
    105. 

  105.   vulnerable-plaintext ports, so it can help the user understand what's
    106. 

  106.   going on and how to fix it.
    107. 

  107. 

  108. Next steps:
    109. 

  109. 

  110.   a) Vidalia should learn to recognize this controller status event,
    111. 

  111.   so we don't leave users out in the cold when we enable this feature.
    112. 

  112. 

  113.   b) We should decide which ports to reject by default. The current
    114. 

  114.   consensus is 23,109,110,143 -- the same set that we warn for now.
    115. 

  115.