[tor-talk] On verifying security of Tor Routers idea

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed Dec 21 12:32:18 UTC 2011

I sketched down an idea of a possible process and phases to setup a
system to monitor the security of the Tor Routers by using Nmap
portscanning facility with application fingerprinting, by not using an
invasive Nessus testing.

PHASE-0: Define a best practice
PHASE-1: Handle periodic scanning+alerting
PHASE-2: Public aggregated Security statistics
PHASE-3: Add CVE vulnerability checking
PHASE-4: Full Public Disclosure
PHASE-5: Introduce a Tor Security Rating

Probably with 0.1/1 day python coding it can be done with a stateless
system (no no change management monitoring, etc).

A dedicated server with a reasonable hostname
(tor-portscanner.domain.tld) and with a web page explaining the project
would be required.
Possibly something with a customized whois to prevent annoying reports
from people that automatically send abuse-complaint (It's fun to see
that there are Tor Servers that if are portscanned automatically send an
abuse complain!).

PHASE-0: Define a best practice

Define a best practice from system and network security point of view.

Something like:
- Don't internet expose services that are not strictly required to keep
the Tor Router functionalities (for example Tor + SSH)
- Don't internet expose outdated/vulnerable software
- Don't run outdated Tor version

PHASE-1: Handle periodic scanning+alerting

a) Extract list of all Tor Router + Contact Info

b) Portscan all Tor Router, save it via XML

c) Cleanup the XML scan from the Tor Used port (for the specific Tor Router)

d) Send an email with portscan results to the Contact info informing him
about the current status of Non-Tor specific opened port

PHASE-2: Public Statistics

e) Create statistics
  - Count how many Routers have X amount of ports opened
  - Show (sorting by "amount of open port) the list of Tor Routers
  - Count for each port, how many Tor Routers have it opened
  - Show for each port, the port statistics

f) Publish the Statistics result Summary

PHASE-3: Add CVE vulnerability checking

g) Use CVE scanning to match Vulnerability Level using as input data
   - "Nmap Application Fingerprinting"
   - "Tor Version"

  - Add data to the email sent to Tor Router Contacts the CVE
vulnerability match
  - Publish statistics for vulnerabilities present on the Tor Network
based on CVE statistics

PHASE-4: Full Public Disclosure

When the network reached a good level of Network security  with almost
no or few security vulnerabilities, it would seems reasonable to me to
do full-public disclosure of that process and data.

I mean, those kind of data can be collected by anyone with 2 command
line, so they are not secret and it's not difficult to retrieve it.

So it's reasonable that, after a first assessment period, they got

So in that phase also the "raw data" will be provided.

The name of Tor Nodes, hostname, IP address associated with result of:
- Portscan
- Application Fingerprinting
- Matching with the CVE database
will be fully internet exposed dynamically, with grid where a person
would be able to see statistics of various type:

- All outdated Tor Servers
- All Tor servers running outdated software
- All Tor Servers running un-needed services (like a SQL Server)
- TOP opened ports servers

PHASE-5: Introduce a Tor Security Rating

Let's define a "Security rating" to provide a "number" associated with
each Tor Router.
That number could represent the "compliance" respect to a Best Practice.

All nodes would get assigned a Security Rating and that security rating
may be then used directly by Tor Client, for example to use only Tor
Routers that are known to respect the Best Practice.

>From here a continuous ongoing process will always guarantee and show in
a transparent way which servers are following a best practice.

In the end by implementing a process like that, in the medium term the
Tor Network will be much more secure because there will be a public
incentive in keeping a Tor Router secure and following a best practice.

More information about the tor-talk mailing list