[tor-bugs] #5553 [Tor Client]: prevent protocol leaks; Tor client connection API or protocol review howto

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Apr 3 19:20:42 UTC 2012


#5553: prevent protocol leaks; Tor client connection API or protocol review howto
------------------------+---------------------------------------------------
 Reporter:  proper      |          Owner:     
     Type:  task        |         Status:  new
 Priority:  normal      |      Milestone:     
Component:  Tor Client  |        Version:     
 Keywords:              |         Parent:     
   Points:              |   Actualpoints:     
------------------------+---------------------------------------------------

Comment(by proper):

 I overworked the TorifyHOWTO, added the appropriate warnings and
 restructured everything, to make the article look more friendly and
 inviting, and to make it easier for contributors to do the protocol
 reviews. But there I am stuck, and it looks like everyone else is as well.
 No one dares to add anything and to say "this application has been
 reviewed/tested by me, configured this way, it's safe for use over Tor".
 This is why the API / library came to my mind. i2p does not have these
 kinds of leak problems, as the community has been enabled to develop
 applications on top of the network.

 Replying to [comment:1 nickm]:
 > Better instructions for how to secure applications for use with Tor
 > would be neat.  I think there are some ubuntu folks interested in writing
 > them.

 Can you provide reference please?

 > What functionality should a "library" provide that SOCKS does not?

 The programming library should provide all network connectivity functions.
 I don't know which functions SOCKS provides and if there are any
 limitations compared to direct connections. It would ensure that
 applications "designed for Tor" are explicitly compiled using that library
 and ensure they do not establish any non-Tor connections. Using SOCKS
 wasn't very reliable in the past. Way too many leaks appeared. Maybe the
 library idea isn't the most wise idea someone ever had.

 Perhaps it's related to
 [https://www.torproject.org/docs/faq#TransportIPnotTCP You should
 transport all IP packets, not just TCP packets.] "it looks like our best
 bet is shipping our own user-space TCP stack". #1855

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5553#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

