A Tor Web Service For Verifying Correct Browser Configuration

Nick Mathewson nickm at freehaven.net
Sat Mar 22 15:57:57 UTC 2008

On Sun, Mar 16, 2008 at 08:25:47PM +0000, Robert Hogan wrote:

{For reference, this is now proposal 132.  See 

> Filename: xxx-browser-check-tor-service.txt
> Title: A Tor Web Service For Verifying Correct Browser Configuration
> Version: $Revision: 13955 $
> Last-Modified: $Date: 2008-03-16 18:51:55 +0000 (Sun, 16 Mar 2008) $
> Author: Robert Hogan
> Created: 2008-03-08
> Status: Draft

Hi, Robert!  I'd like to ask about a couple of alternative designs
that periodically come up for this problem, and ask about security

The two main alternative designs are:  
   - Use a remote "am I using Tor" page.

     This handles tests 2 and 3 pretty easily, and with a little
     effort can be made to do test 1.

   - Have a controller do it without modifying, or with minimal
     modifications to, the Tor client.

     Test 3 (net connectivity by Tor) is as easy as looking for
     whether Tor can build a circuit, I think.  For test 2 (is browser
     using Tor), just use a MAPADDRESS command to replace a randomly
     chosen unique ID hostname with (say) torproect.org.  For test 1
     (is browser using Tor for DNS), send the browser to request a
     random hostname, and then look in Tor's DNS cache to see whether
     Tor has a cached entry there.

     [There may be better ways to do these.]

The security implications as near as I can tell are:

    * It adds a way to tell if people are using Tor: when they test an
      instance of Tor that isn't configured properly, they'll leak
      pretty identifiable requests to one or two well-known addresses.

    * There are lots of attacks this doesn't solve, particularly
      browser-based ones.  We could solve this by having a link to a
      remote "am I using Tor right" page, I guess.

    * It adds another local resource that speaks HTTP; experience
      suggests that we should think about whether remote pages can use
      links or javascript to redirect users here in a way that will be
      useful to an adversary.

None of these seem really terrible to me at the moment, but we should
analyze them.

What do you think?

More information about the tor-dev mailing list