On 3/9/11 9:45 PM, Chris Palmer wrote:
> On 03/09/2011 08:17 AM, mick wrote:
>> And as Scott said, I don't see why EFF should place the operators of Tor nodes at risk by using Tor as a scanning tool.
> Again, do you understand what it is we are doing?
> We are not doing a scan with Nmap set to "aggressive" or "stealthy" on all ports.
> We are saying hello on port 443, and then saying goodbye. Once. Using normal TCP and TLS handshaking, no tricks. For the good of the internet.

But did I understand correctly that the SSL Observatory scans are done through TOR nodes? In that case it would be interesting to know which algorithm is used to distribute the scan across the internet. Depending on how efficient the randomization and distribution across different IPs/netblocks is, it may or may not trigger Port Scan Detection systems.
If the SSL scan is very well distributed not only at IP layer (which destination IP address) but also at TOR-Circuit level (for example sending a maximum of X packets on each TOR-Circuit) it would for sure not trigger any portscan detector.
But maybe there's a bug and the scans are not randomized enough, so that they appear like a portscan in some sensitive portscan system when getting out of a TOR exit node? (I don't know)
-naif http://infosecurity.ch