Torpark and security

Michael Holstein michael.holstein at csuohio.edu
Tue Feb 21 13:18:34 UTC 2006


As far as I can tell, the SSL stuff is wrapped in TLS before going over 
TOR, so no -- you wouldn't see the original IP (there are other ways, 
like with JavaScript or Flash, to get this information -- so hopefully 
you're running Firefox + NoScript + Flashblock at a minimum).

As for getting the logs, there aren't any (unless you turn on debugging) 
-- and firewall logs (et al.) can be configured to ignore the TOR server.

I am (for example) running syslog-ng on our firewall logs. My TOR server 
is 137.148.5.13, thus my syslog-ng filter entry for firewall stuff looks 
like this:

filter f_firewall {
    host(firewall)
    and not match("137\\.148\\.5\\.13\\ Accessed\\ URL")
    and not match("137\\.148\\.5\\.13\\/")
    and not match("Accessed\\ URL\\ 137\\.148\\.5\\.13");
};

Therefore, nothing from the TOR box gets logged anywhere (this also 
omits directory requests inbound to the TOR server). Argus is similarly 
configured via a BPF expression.

IANAL, but I think that makes my traffic data pretty subpoena-proof, 
since I can honestly say under oath that it doesn't exist (albeit 
intentionally). There's no law that says I can't selectively ignore 
something in the logs -- provided I haven't already been told to do it 
(e.g. such a configuration AFTER receiving a subpoena would be illegal).

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
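As an added illustration (not part of the message above), here is a small Python re-implementation of the three exclusion patterns from that syslog-ng filter, run over constructed firewall log lines so you can see exactly which messages survive. It assumes syslog-ng's match() is an unanchored regex search over the message text; the "Accessed URL" wording and the sample lines are constructed, not real logs.

```python
import re

# The three match() patterns from the filter, as the regex engine sees them
# after syslog-ng's config-string unescaping ("\\." in the config -> "\.").
TOR_SERVER_PATTERNS = [
    r"137\.148\.5\.13\ Accessed\ URL",   # Tor box as the client
    r"137\.148\.5\.13\/",                # Tor box as a URL host with trailing slash
    r"Accessed\ URL\ 137\.148\.5\.13",   # Tor box as the accessed host (no right-hand boundary!)
]
_COMPILED = [re.compile(p) for p in TOR_SERVER_PATTERNS]


def matched_patterns(line: str) -> list[int]:
    """Indices of the exclusion patterns that match this line (assumes an
    unanchored search, like syslog-ng match())."""
    return [i for i, rx in enumerate(_COMPILED) if rx.search(line)]


def keep_line(line: str) -> bool:
    """Mirror 'and not match(...)' chaining: keep only if nothing matched."""
    return not matched_patterns(line)


def apply_filter(lines: list[str]) -> list[str]:
    """Return the lines that would still reach the log after filtering."""
    return [ln for ln in lines if keep_line(ln)]


# Constructed sample messages (assumed format: "fw: <client> Accessed URL <host>/<path>").
SAMPLE_LOG = [
    "fw: 137.148.5.13 Accessed URL 1.2.3.4/",        # Tor box as client: dropped by pattern 0
    "fw: 10.1.2.3 Accessed URL 137.148.5.13/tor/",   # directory request to the Tor box: dropped by 1 and 2
    "fw: 10.1.2.3 Accessed URL 137.148.5.1/",        # unrelated host: kept
    "fw: 137.148.5.130 Accessed URL 1.2.3.4/",       # neighbouring .130 as client: kept (".13" must be followed by a space)
    "fw: 10.1.2.3 Accessed URL 137.148.5.131/",      # neighbouring .131 as host: ALSO dropped, pattern 2 has no trailing boundary
]

if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        print(("DROP " + str(matched_patterns(ln)) if not keep_line(ln) else "KEEP").ljust(12), ln)
```

The last sample line shows the one imprecision worth knowing about: because the third pattern ends at ".13" with no boundary, any host whose address begins with 137.148.5.13 (e.g. .130 through .139) is also silently excluded as an accessed host, so a filter like this should end with a space, slash or `\b` if only the Tor box is meant.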


