Proposal to mitigate insecure protocols over Tor

[Roger Dingledine]

On Thu, Jan 17, 2008 at 04:44:25PM -0700, Kevin Bauer wrote:
> > >         BlockInsecureProtocols 0|1
> > >         WarnInsecureProtocols 0|1
> >
> > This seems like a fine interface. The status events I mention above
> > could still be useful, because if Block is default, there will be a lot
> > of confused users unless Vidalia pops up a little something explaining
> > that what they just tried may not be a smart move.

Ok, I added the features here:
http://archives.seul.org/or/cvs/Jan-2008/msg00182.html
(I changed my mind a bit about the interface, but hopefully the one I
picked will do fine.)

> I agree that insecure http is a significant avenue for information
> leakage over Tor. What we are suggesting in this proposal is that we
> try to limit the *really stupid* ways that very sensitive information
> (user names/passwords) can be accidentally exposed by a naive Tor
> user. The protocols that we mentioned not only can lead to anonymity
> loss, but also the potential compromise of the accounts when observed
> by a malicious exit node.

True -- but that can happen through port 80 too. I still worry a little
that by adding these warnings for only some of the risky behavior, users
will do other risky behavior, not get a warning, and believe that it is
therefore safe. But I think you're right, it's better to warn for some
of it than to warn for none of it.

So the next question is: reject by default or just warn? I'm inclined to
reject by default, just to counter the number of users who are probably
happily using Tor and have no idea that there's a problem. Even if they
get angry and stop using Tor because it's "broken" now, that's probably
ok for them.

And the last question is: what ports? 23, 110, 143 are easy choices. I
guess 109 is also a popularly used port? What about the AIM port -- even
if people are using OTR are they still leaking their username/password
during login? What others?

Thanks,
--Roger