Applications Recommended For Use With Tor +++ PROPOSAL, DRAFT +++

Kyle Williams kyle.kwilliams at gmail.com
Tue May 20 23:20:38 UTC 2008


Hello Alex,

I have been working on the security in regards to Tor for a couple of years
now, and I'm very pleased to hear that someone else is taking interest in
putting together a list of acceptable applications.  I have to agree that
the biggest threat to one's anonymity is going to be a bug/vulnerability in
a layer 7 application that gets leveraged into tricking the application into
no longer using the proxy, or using some other type of side-channel
feature/application which wasn't designed with Tor in mind.

I've already logged into the Wiki and updated the Test Procedures section.
Seeing as I've found lots of IP disclosure vulnerabilities in the past (and
future?), I for one would be more than happy to help with this.

One application that should never show up on this list is Internet
Explorer.  I've got two 0-days right now for IE, and they would totally
compromise your anonymity and security.  Don't worry, they've been reported
through 3Com's ZDI program and I'm waiting to see the fixes come out (who
knows when).
If you use Tor, DO NOT USE INTERNET EXPLORER!

Let the bug hunting continue!!  w00t!

- Kyle



On Tue, May 20, 2008 at 3:05 PM, Alexander W. Janssen <
alexander.janssen at gmail.com> wrote:

> Hi all,
>
> following up a discussion on #tor I made up a Wiki-article about the
> abovementioned subject.
>
> https://wiki.torproject.org/noreply/RecommendedSoftware
>
> Abstract: To create a list of "Applications Recommended For Use With
> Tor" [2]. Those applications must obey the rules of
> 1) using the proxy supplied
> 2) not leaking any information around the proxy
>
> Disclaimer: This is work in progress. This is only meant for your
> information. It's not a formal process, nor a written thing. I just put
> it for discussion. It's up to you to define the rules.
>
> Motivation: Tonight we were discussing if [1] is a reasonable thing or
> not. I pointed out that Tor, as a layer-3 routing-software, can't solve
> layer-4+ problems and that it should be up to "downstream-proxies" to
> solve the "untrusted TCP-port"-problem.
>
> However, several people disagreed with my opinion, pointing out that the
> real problem is the applications using Tor, compromising the anonymity
> of the user and the IP-address-obfuscation of the router.
> The real thing would be solving all those problems directly in the
> applications instead of sailing around the problems, using proxies and
> the such.
>
> Later, the point about Tor-safe and not-safe applications popped up -
> thinking of DNS-leakage, unsafe browser plugins. Those problems were
> reported before on this list about several products - related to several
> versions of those individual applications - but except for the archive of
> this list these pieces of information _were never consolidated_. We just
> have a bunch of warnings that a certain application $foo in version $bar
> leaks DNS.
>
> Goal: To create a list of "Applications Recommended For Use With Tor".
> That'd give users a certain degree of confidence that the application
> (s)he's using isn't leaking information to the world when using Tor.
>
> I'd appreciate your comments and I'm awaiting your corrections on all
> the articles in the Wiki. (free registration required).
>
> The Wiki-article isn't linked to anywhere in the Wiki yet. That's on
> purpose until we sorted out all the basic questions.
> I'll be willing to set up a dedicated mailing-list for this subject,
> unless we can have one elsewhere.
>
> Cheers,
> Alex.
>
> [1] https://www.torproject.org/svn/trunk/doc/spec/proposals/129-reject-plaintext-ports.txt
> [2] Name made up by Nick. I like it, though I found it to be too bold.
>
>