funneling a wireless net's outbound connections through tor

Juliusz Chroboczek jch at pps.jussieu.fr
Mon Oct 1 22:39:03 UTC 2007


>>You should not make traffic go transparently through tor, unless the
>>people using your network fully understand what tor is about, and what
>>are the associated security risks (such as exit nodes performing MITM
>>attacks on SSL certificates).

>      Thank you for your opinion, but it was not particularly relevant to
> what I posted.

Perhaps this tone is not absolutely necessary?

>      First, please reread what I wrote.  I will be providing a *free
> wireless access* service to my neighbors.  Even if I tell them *nothing*,
> they will be better off than without the service.

No, they won't.  Non-technical people often assume that DNS and
routing are secure.  We know they aren't, but they don't.

By routing their traffic transparently through tor, you increase their
chance of exposure to MITM attacks.  Unless you warn them, you'd
actually be doing them a disservice.

>      Third, you didn't even ask whether I might have already given some
> thought to the matter of educating/informing my neighbors about how their
> TCP connections and name server queries will be reaching the Internet and
> how responses will be returned from the Internet.
[...]
> It is quite possible that I will never have any direct communication
> with many of my neighbors, so requiring them to reconfigure their
> applications, which may include more than mere web browsers, to use
> an HTTP proxy is out of the question.

So are you or aren't you in touch with them?

>      Fourth, my primary motivation for running my neighbors' connections
> through tor is to protect *me* from whatever *they* are doing.  The fact
> that routing their connections through tor should also give *them* some
> protection is a purely secondary benefit.

You will have the same amount of protection if you put a stateless
firewall (with no interception) that forces them to go through the
proxy.  Please re-read the following:

>>Instead, put a simple stateless firewall on your network, and redirect
>>port 80 traffic to a web server that explains how to set up their web
>>browser to go through tor.

> It also would not be of any use to network applications that do not
> use HTTP.

Please re-read the following:

>> Please make sure that your HTTP proxy allows CONNECT to TCP ports 22,
>> 80, 109-110, 143, 443, 873, 993 and 995.  22 is especially important
>> if there are any geeks in your neighbourhood.

CONNECT is a sub-protocol of HTTP that is used to tunnel non-HTTP
protocols through an HTTP proxy.  It's sort of like SOCKS, but cleaner.

                                        Juliusz
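As an added example that is not part of the thread, here is a small Python policy check for the CONNECT allow-list Juliusz describes: it parses the request line of an HTTP CONNECT and admits only the ports listed above (22, 80, 109-110, 143, 443, 873, 993, 995). The hostnames and request lines are constructed samples, and the exact response wording is an assumption.

```python
"""Allow-list check for HTTP CONNECT requests, following the proxy policy
from the thread (ports 22, 80, 109-110, 143, 443, 873, 993 and 995).

Added example, not code from the thread. The port list is taken from the
quoted message; every request line below is a constructed sample.
"""
import re

# Ports the thread asks the proxy to accept CONNECT for (109-110 is a range).
ALLOWED_CONNECT_PORTS = frozenset({22, 80, 109, 110, 143, 443, 873, 993, 995})

# CONNECT uses the "authority-form" request-target: host:port (RFC 7230 5.3.3).
# IPv6 literals are bracketed, e.g. [2001:db8::1]:443.
_CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[0-9a-fA-F:.]+\]|[^\s:\[\]]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$"
)

def parse_connect(request_line: str):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = _CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port

def connect_allowed(request_line: str, allowed=ALLOWED_CONNECT_PORTS) -> bool:
    """Policy decision: allow only a well-formed CONNECT to an allow-listed port."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return False
    _, port = parsed
    return port in allowed

def proxy_response(request_line: str) -> str:
    """Status line the proxy would answer with (assumed wording; no tunnel is opened)."""
    if parse_connect(request_line) is None:
        return "HTTP/1.1 400 Bad Request"
    if not connect_allowed(request_line):
        return "HTTP/1.1 403 Forbidden"
    return "HTTP/1.1 200 Connection Established"

if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    samples = [
        "CONNECT mail.example.net:993 HTTP/1.1",   # IMAPS: allowed
        "CONNECT shell.example.net:22 HTTP/1.1",   # SSH: allowed
        "CONNECT [2001:db8::1]:443 HTTP/1.1",      # IPv6 literal, HTTPS: allowed
        "CONNECT irc.example.net:6667 HTTP/1.1",   # not on the list: refused
        "CONNECT example.net:99999 HTTP/1.1",      # invalid port: rejected
        "GET http://example.net/ HTTP/1.1",        # not a CONNECT at all
    ]
    for line in samples:
        print(f"{line:45s} -> {proxy_response(line)}")
```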



More information about the tor-talk mailing list