Proposal to mitigate insecure protocols over Tor

Carsten Krüger C.Krueger at gmx.org
Thu Jan 17 22:49:06 UTC 2008


Hello,

>         As an initial step towards mitigating the use of the above-mentioned
>         insecure protocols, we propose that the default ports for each respective
>         insecure service be blocked at the Tor client's socks proxy. These default
>         ports include:

>           23 - Telnet
>         109 - POP2
>         110 - POP3
>         143 - IMAP

Then you should block http, too.
Nearly all blogs, webmail interfaces, bulletin boards, ebay, amazon and so on work with
unencrypted traffic (login at ebay and amazon is encrypted but session
afterwards runs via http).

When you block all these ports by default, 90% of the users drop tor
because it didn't work[tm] and they don't care about the warning messages.

My guess is that even if you try to do MITM attacks at https, pop3s,
imaps, smtps and ssh, 90% of the users ignore the warning about wrong
fingerprints and broken certificate chains.

greetings
Carsten


