[tor-bugs] #5553 [Tor Client]: prevent protocol leaks; Tor client connection API or protocol review howto

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon Apr 2 22:12:42 UTC 2012


#5553: prevent protocol leaks; Tor client connection API or protocol review howto
------------------------+---------------------------------------------------
 Reporter:  proper      |          Owner:     
     Type:  task        |         Status:  new
 Priority:  normal      |      Milestone:     
Component:  Tor Client  |        Version:     
 Keywords:              |         Parent:     
   Points:              |   Actualpoints:     
------------------------+---------------------------------------------------
 I am unhappy with the current
 [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO Torify
 instructions].

 The [https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea
 big bittorrent leak] may happen to any application that has not been
 explicitly designed for Tor or reviewed by someone. That's why safe use of
 Tor is at the moment somewhat limited to the few applications designed
 for use over Tor (Tor Browser) or reviewed for use over Tor.

 Two ideas on how to solve this problem follow. One or the other may work
 as a solution. Feel free to propose other/better/easier/faster solutions.

 Proposal 1:
 Write a howto on how to review an application and protocol for leak-free
 use over Tor. "The protocol/application has to be reviewed." - That is much
 too vague, even for the application's developer.

 For example, would the xchat developers answer "xchat over Tor: do not use
 dcc/ctcp... it leaks your IP/timezone..."?

 What we could easily do for many applications would be to ask the
 application's developers. But even they could be confused by the question.
 The paper should define what a protocol leak is, how to look out for
 them, and how to prevent them.

 This would hopefully enable the application developers to answer the
 question regarding the protocol leak status. And if they don't want to
 review their own application, third party contributors could review the
 protocol.

 Proposal 2:
 Provide an alternate interface for applications. An alternative to socks.
 Either an API or library for developers. i2p does also provide one and
 loads of applications are built on top of i2p. Why are there not so many
 applications designed for Tor? Because there is neither an API nor a
 library.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5553>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
