[tor-bugs] #2667 [Tor Relay]: Exits should block reentry into the tor network

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun Sep 16 15:27:52 UTC 2012


#2667: Exits should block reentry into the tor network
-----------------------+----------------------------------------------------
 Reporter:  mikeperry  |          Owner:                    
     Type:  defect     |         Status:  new               
 Priority:  critical   |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor Relay  |        Version:                    
 Keywords:             |         Parent:  #2664             
   Points:             |   Actualpoints:                    
-----------------------+----------------------------------------------------
Changes (by proper):

 * cc: adrelanos@… (added)


Comment:

 To make this worse:
  * if you forbid reentry into the Tor network...
   * A good way to censor and monitor Tor users would be...
    * Put your network behind a transparent torified network.
    * Connect to nodes under your control.

 > I wonder if the better fix is to make the "transparent torify" process
 > smarter (that is, write and maintain some "best practices" iptables rules
 > that do the right thing), so it can recognize connections to the Tor
 > network and let them through directly? It seems risky (full of
 > opportunities for serious fail), but better than the other options I've
 > heard so far.

 Please don't. The advantage of a correctly transparently torified network
 is that there can be no IP/DNS leaks. If you allow some magic direct
 connections, transparent proxying will only be a usability feature, not a
 security feature.

 If you really must... Please make it configurable through a torrc option.

 TRANS_PORT_ALLOW_DIRECT_CONNECTIONS_TO_THE_TOR_NETWORK=1
 (Find a better name. Default is 1. 0 disables the magic direct Tor network
 connection feature.)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2667#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
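To make the tradeoff argued in this comment concrete, here is an added Python model (not Tor's code and not from this ticket) of an exit that blocks reentry, a strict transparent-torify gateway, and the "smart" gateway rule that lets connections to known relays bypass Tor. The relay addresses and the stale relay list the gateway holds are constructed assumptions.

```python
# Added illustration for this ticket's tradeoff; not Tor's code.  Constructed data.
from dataclasses import dataclass, field

CURRENT_RELAYS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}
# Assumption: the gateway's copy of the relay list lags the network; 192.0.2.77
# was a relay when the copy was made but is now an ordinary host.
STALE_RELAYS = CURRENT_RELAYS | {"192.0.2.77"}

@dataclass
class Exit:
    relays: set
    block_reentry: bool = True

    def accept(self, dest: str) -> bool:
        """Exit policy: with reentry blocking on, refuse destinations that are relays."""
        return not (self.block_reentry and dest in self.relays)

@dataclass
class Gateway:
    """Transparent-torify gateway; an empty direct_to_tor set is the strict setup."""
    exit: Exit
    direct_to_tor: set = field(default_factory=set)

    def route(self, dest: str) -> str:
        """Where a client's TCP connection to dest ends up: direct, tor or blocked."""
        if dest in self.direct_to_tor:
            return "direct"  # bypasses Tor; safe only if dest really is a relay
        return "tor" if self.exit.accept(dest) else "blocked"

def leaks(gw: Gateway, destinations, real_relays=CURRENT_RELAYS):
    """Destinations the gateway sends outside Tor although they are not relays."""
    return sorted(d for d in destinations
                  if gw.route(d) == "direct" and d not in real_relays)

def demo():
    exit_ = Exit(CURRENT_RELAYS)
    strict = Gateway(exit_)                              # what the commenter wants
    smart = Gateway(exit_, direct_to_tor=STALE_RELAYS)   # the proposed exception
    dests = ["198.51.100.10", "192.0.2.77", "93.184.216.34"]
    return {"strict": {d: strict.route(d) for d in dests},
            "smart": {d: smart.route(d) for d in dests},
            "smart_leaks": leaks(smart, dests)}

if __name__ == "__main__":
    print(demo())
```

With the strict gateway and reentry blocking, the torified client simply cannot reach a relay; with the "smart" rule, any destination the gateway wrongly believes is a relay leaves the proxy directly, which is the leak the comment warns about.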

