chaining JAP and Tor

Exile In Paradise exile at weylan-yutani.com
Thu Jul 21 15:52:21 UTC 2005


On Thu, 2005-07-21 at 15:25 +0000, Ben Clifford wrote:
> Here I outline a methodology for doing this and I would be very interested 
> to hear back as to what people think of its validity. It requires you to 
> have both JAP and Tor installed on your system. The JAP client is set up 
> to use the mix cascade system (i.e. it is set as an HTTP proxy in your 
> browser and NOT a Socks proxy).

AFAIK, JAP is totally compromised by at least the German gov't.
There are many long-running discussions in the Freenet/Frost forums
about JAP being compromised. Most Freenet users refuse to use it.

> In the configuration settings JAP has the option to use a proxy. In the JAP 
> proxy tab enter Tor as a SOCKS proxy
> The data flow will then be as follows....
> 
> 1) browser (http/https/ftp) points to JAP client
> 2) JAP client
> 3) data sent through ISP
> 4) data sent through Tor
> 5) data goes through JAP mix cascade
> 6) data arrives at target website

This configuration allows the people who compromised JAP to trace
all of your traffic, even into the TOR network. Even if the traffic
was encrypted before entering JAP, traffic analysis is possible.

> So, first your ISP IP is passed to Tor. Tor IP is then passed to JAP. JAP IP 
> is then passed to target website.

The configuration above seems to imply your traffic is passed to JAP
first, making that the first/best point to compromise the entire
channel.

> Note that this arrangement does not address the DNS problem with Tor (see 
> Tor documentation). For this we need to use an arrangement incorporating 
> Privoxy.
> Here in the JAP proxy tab Privoxy is entered as an HTTP proxy, with Privoxy 
> being configured to work with Tor (see Tor website for details on this).
> 
> 1) browser (http/https/ftp) points to JAP client
> 2) JAP client
> 3) data sent through ISP
> 4) data sent through privoxy + Tor
> 5) data goes through JAP mix cascade
> 6) data arrives at target website
> 
> To reiterate, would be so grateful if people could get back to me as to 
> whether what is outlined here is correct.

Personally, IMHO, I would drop the JAP connections entirely, due to
the numerous complaints I have read on Freenet about how it has been
backdoored/compromised by elements of the German government, and 
possibly others.

I personally have not examined the source (if available) and everything
I am reporting is purely hearsay. But, I thought it worth mentioning
so that you could do your own research about the possibility.
-- 
Exile In Paradise
A Thaum is the basic unit of magical strength.  It has been universally
established as the amount of magic needed to create one small white pigeon
or three normal sized billiard balls.
                -- Terry Pratchett, "The Light Fantastic"
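
The "DNS problem" the quoted message refers to arises when an application resolves a hostname itself and hands the SOCKS proxy only an IP address, so the lookup travels outside the anonymizing path. The following is an added example, not code from this thread or from the Tor, JAP or Privoxy projects: it parses a SOCKS4, SOCKS4a or SOCKS5 CONNECT request and reports whether the hostname actually reached the proxy. The function name and the sample byte strings are constructed for illustration.

```python
import ipaddress
import struct

def classify_socks_request(data: bytes) -> dict:
    """Parse a SOCKS CONNECT request; remote_dns is True when the client
    sent a hostname, False when it resolved the name itself and sent an IP."""
    if len(data) < 5:
        raise ValueError("request too short")
    if data[0] == 4:
        # Layout: VN CD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL]
        port = struct.unpack("!H", data[2:4])[0]
        ip = data[4:8]
        user_end = data.index(0, 8)  # ValueError if the NUL is missing
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            # SOCKS4a marker 0.0.0.x: the hostname follows the user id
            host_end = data.index(0, user_end + 1)
            host = data[user_end + 1:host_end].decode("ascii")
            return {"proto": "socks4a", "target": host, "port": port, "remote_dns": True}
        return {"proto": "socks4", "target": str(ipaddress.IPv4Address(ip)),
                "port": port, "remote_dns": False}
    if data[0] == 5:
        # Layout: VER CMD RSV ATYP DST.ADDR DST.PORT (after method negotiation)
        atyp = data[3]
        if atyp == 1:    # IPv4 literal: the name was resolved on the client
            target, end = str(ipaddress.IPv4Address(data[4:8])), 8
        elif atyp == 4:  # IPv6 literal: likewise resolved on the client
            target, end = str(ipaddress.IPv6Address(data[4:20])), 20
        elif atyp == 3:  # length-prefixed domain name: the proxy side resolves it
            end = 5 + data[4]
            target = data[5:end].decode("ascii")
        else:
            raise ValueError("unknown address type")
        if len(data) < end + 2:
            raise ValueError("truncated request")
        port = struct.unpack("!H", data[end:end + 2])[0]
        return {"proto": "socks5", "target": target, "port": port, "remote_dns": atyp == 3}
    raise ValueError("not a SOCKS4/5 request")

# Constructed sample requests (documentation address 192.0.2.10, example.com)
SAMPLES = {
    "socks4_ip": b"\x04\x01\x00\x50\xc0\x00\x02\x0a\x00",
    "socks4a_name": b"\x04\x01\x00\x50\x00\x00\x00\x01\x00example.com\x00",
    "socks5_ip": b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x50",
    "socks5_name": b"\x05\x01\x00\x03\x0bexample.com\x01\xbb",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_socks_request(raw))
```

A request that reaches the proxy with `remote_dns` False means the name lookup already happened on the client, outside the proxy chain.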



More information about the tor-talk mailing list