[tor-dev] design for a Tor router without anonymity compromises

coderman coderman at gmail.com
Tue May 5 04:18:09 UTC 2015


On 5/4/15, coderman <coderman at gmail.com> wrote:
> ...
> this deserves a longer answer, but you're right. if the attacker is
> using Tor itself a Tor enforcing gateway can't protect against those
> attacks.

i have updated the document to make this more clear.

it is hard to express the nuance of vulnerability here. for example,
on Windows, if you can access file APIs, even from within a sandbox,
you can reference a network path (WebDAV, SMB, etc.) that leverages
system services to make a proxy bypass request, or socks wrapper
bypass request.

that is a very different level of risk compared to arbitrary remote
execution with priv escalation - at the end of that chain, your
attacker can read serial numbers off components for a perfect match,
then report the results back along the hidden service command and
control link.

the first can be mitigated by a Tor enforcing router, while the second
is game over every time.

there is a rich field of mixed threats in-between, and mitigating
measures clients can take, but the short of it is that endpoint
security is and always will be critical to security and privacy.

best regards, and thanks again for your questions!


p.s. i also changed the Onion service FAQ entry to mention that
One-time ephemeral hostnames are used by default, with the persistent
and vanity hostname options available to opt-in explicitly.
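The message above describes the class of leak a Tor-enforcing gateway can stop: a client that is tricked into talking to the network directly (a WebDAV or SMB path, a SOCKS wrapper bypass) instead of through Tor. The following is an added example, not code from the thread or the Tor project, showing the gateway-side policy check as detection logic over constructed flow records. It assumes a gateway at 10.0.0.1 running Tor with TransPort 9040, DNSPort 5353 and SocksPort 9050 (all assumed values), and a client segment of 10.0.0.0/24; anything from that segment that does not land on one of those Tor listeners is a bypass attempt and is denied.

```python
"""Tor-enforcing gateway egress check (added example, not from the thread).

Assumed layout (constructed for this example): the gateway 10.0.0.1 runs Tor
with TransPort 9040, DNSPort 5353 and SocksPort 9050; client machines live in
10.0.0.0/24.  Policy: a client may only reach the gateway's Tor listeners.
Every other flow leaving the client segment is a proxy/SOCKS bypass or DNS
leak and must be dropped and logged.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

CLIENT_NET = ip_network("10.0.0.0/24")          # assumed client segment
GATEWAY = ip_address("10.0.0.1")                # assumed gateway address
TOR_LISTENERS = {("tcp", 9040), ("udp", 5353), ("tcp", 9050)}  # assumed ports


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<proto> <src_ip> -> <dst_ip>:<port>'."""
    proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"malformed flow record: {line!r}")
    host, port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src, host, int(port))


def verdict(flow: Flow) -> str:
    """ALLOW only traffic that terminates on a Tor listener on the gateway."""
    if ip_address(flow.src) not in CLIENT_NET:
        return "IGNORE"   # not from the enforced segment; out of scope here
    on_gateway = ip_address(flow.dst) == GATEWAY
    if on_gateway and (flow.proto, flow.dport) in TOR_LISTENERS:
        return "ALLOW"    # Tor will build the circuit; nothing leaks
    return "DENY"         # direct egress: WebDAV/SMB reach-out, SOCKS bypass, DNS leak


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, verdict) pairs; DENY entries are the leak attempts."""
    return [(line, verdict(parse_flow(line))) for line in lines]


# Constructed sample records: two legitimate Tor hand-offs, then three
# attempts that a compromised or sandboxed client might emit via system
# services (SMB to a file server, direct HTTPS, DNS to a public resolver).
SAMPLE_LOG = [
    "tcp 10.0.0.23 -> 10.0.0.1:9040",
    "udp 10.0.0.23 -> 10.0.0.1:5353",
    "tcp 10.0.0.23 -> 203.0.113.10:445",
    "tcp 10.0.0.23 -> 198.51.100.7:443",
    "udp 10.0.0.23 -> 8.8.8.8:53",
]


def denied(lines: List[str]) -> List[str]:
    """Just the records the gateway would block and log."""
    return [line for line, v in audit(lines) if v == "DENY"]


if __name__ == "__main__":
    for line, v in audit(SAMPLE_LOG):
        print(f"{v:6} {line}")
```

The same policy expressed as firewall rules on the gateway is what makes the router "Tor enforcing": a default-drop forward chain with exceptions only for the Tor listener ports. The check above is the audit view of that rule set, useful for confirming from captured flows that nothing from the client segment is escaping around Tor.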
