[tor-relays] Network Scan through Tor Exit Node (Port 80)

[Chris Palmer]

On Feb 27, 2011, at 8:59 AM, mick wrote:

> in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990,
> as amended by the Police and Justice Act of 2006 makes such
> "reckless" activity an offence. 

I'm not sure how it counts as "reckless" to connect to a TCP port and then disconnect.

The kind of research I'm talking about — us, Kaminsky, Bernstein, et al. — involves simply talking to every server once. For example, the SSL Observatory does a "scan" that is very similar to what happens when a user clicks a link and then immediately clicks the Stop button in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello + Certificate, goodbye. We do this once per IP every few months. Out of 4 billion IP addresses, we got one complaint that I know of.

This work is not hostile or dangerous. It is clearly beneficial to the internet community. We've convinced CAs to tighten their loose certification standards, convinced them to meet the EV spec when we found they weren't, and provided hard evidence to fuel substantive debate on PKI policy. Nick and Jake are using the results to improve Tor. That's just to start.

It's also worth nothing that the various tricks to hide or evade IDSs that some scanners like Nmap can do, tend not to work over Tor since Tor normalizes TCP streams before exiting.

Port scanning can sometimes be the precursor to hostile activity, but it is not in itself hostile, and it is often either for a good cause or *indistinguishable from normal application activity*.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation