Proposal to mitigate insecure protocols over Tor

Mon Jan 21 05:27:57 UTC 2008

On Jan 19, 2008 11:57 PM, Roger Dingledine <arma at mit.edu> wrote:
> On Thu, Jan 17, 2008 at 04:44:25PM -0700, Kevin Bauer wrote:
> > > >         BlockInsecureProtocols 0|1
> > > >         WarnInsecureProtocols 0|1
> > >
> > > This seems like a fine interface. The status events I mention above
> > > could still be useful, because if Block is default, there will be a lot
> > > of confused users unless Vidalia pops up a little something explaining
> > > that what they just tried may not be a smart move.
>
> Ok, I added the features here:
> http://archives.seul.org/or/cvs/Jan-2008/msg00182.html
> (I changed my mind a bit about the interface, but hopefully the one I
> picked will do fine.)

Looks great!

>
> > I agree that insecure http is a significant avenue for information
> > leakage over Tor. What we are suggesting in this proposal is that we
> > try to limit the *really stupid* ways that very sensitive information
> > (user names/passwords) can be accidentally exposed by a naive Tor
> > user. The protocols that we mentioned not only can lead to anonymity
> > loss, but also the potential compromise of the accounts when observed
> > by a malicious exit node.
>
> True -- but that can happen through port 80 too. I still worry a little
> that by adding these warnings for only some of the risky behavior, users
> will do other risky behavior, not get a warning, and believe that it is
> therefore safe. But I think you're right, it's better to warn for some
> of it than to warn for none of it.
>

Good point. MySpace is a prime example of a very popular site that
does not offer a secure login process. Perhaps more can be done at the
HTTP proxy level to address the insecurities that are specific to web
traffic?

> So the next question is: reject by default or just warn? I'm inclined to
> reject by default, just to counter the number of users who are probably
> happily using Tor and have no idea that there's a problem. Even if they
> get angry and stop using Tor because it's "broken" now, that's probably
> ok for them.
>

For Telnet, IMAP, and POP, I would suggest that the policy be to block
by default for the following reason.  During our 8 day observations
cited in the initial proposal, the Telnet, IMAP, and POP traffic
accounted for around 0.16% of the total connections that were
established through our exit node. So we're probably not talking about
a large fraction of the protocols that are used over Tor.

> And the last question is: what ports? 23, 110, 143 are easy choices. I
> guess 109 is also a popularly used port? What about the AIM port -- even
> if people are using OTR are they still leaking their username/password
> during login? What others?

Agreed, ports 23 (telnet), 109 (pop2), 110 (pop3), and 143 (imap)
should certainly be ports of interest, and possibly be blocked by
default for the reason described above.

As far as I know (and perhaps someone can correct me if I'm wrong
here), most popular instant messaging services (like AIM, MSN , Yahoo,
Jabber, etc.) exchange login credentials securely over SSL/TLS. Thus,
in my opinion, they differ from Telnet, IMAP, and POP in this respect.
However, they do generally seem to expose a user's screen name in the
application header. Thus, they may be unwise to use over Tor for
anonymity reasons. Certainly a warning about the risks that are
inherent in these instant messaging protocols is prudent, but I think
that the information leakage is probably no worse than what is
possible over HTTP.

>
> Thanks,
> --Roger
>
>

Kevin