[tor-talk] Operating system updates / software installation behind Tor Transparent Proxy
rransom.8774 at gmail.com
Fri Mar 2 05:19:25 UTC 2012
On 2012-03-02, Andrew Lewman <andrew at torproject.is> wrote:
> The trick is, I like to think I know what I'm doing and that I'll
> notice if apt-get or my VM image fails to transfer untouched. Whether
> I'll actually notice a sophisticated exploit in deb packages or my vm
> image modified in perfect way that gpg or sha256 hashes don't detect,
> remains to be seen. If I pulled a random person out of a barcamp and
> asked them to do an OS X or Windows update over transparently proxied
> tor, would they notice if the package was modified in transit? What do
> these OSes do in this case? What about freebsd ports?
Every FreeBSD port's list of distfiles includes hashes and sizes of
each distfile to be downloaded. If I remember correctly, the only
required hash is SHA-256.
portsnap and freebsd-update reportedly use good, competently designed
crypto to verify the files they download before parsing them in a
shell script with (necessarily) root privileges.
portaudit downloads, ungzips and untars an unsigned file as root, then
parses a text file extracted from what was hopefully a tarball in a
shell script run (unnecessarily) as root. Sucks to be a FreeBSD user.
But apt uses GPG (run with (necessarily) root privileges) to verify
the files it downloads. Sucks to be a Debian user when someone finds
another code-exec bug in GPG's parsing code.
> Or other package
> systems? What about all of the other software that updates itself
> automagically without a system package manager?
This is a bigger risk to anonymity -- automatic update-related
operations run in the background on a transparent-proxied system can
link the traffic you intended to anonymize with properties of your
operating-system installation (e.g. on Debian, /etc/cron.daily/apt
leaks your system's time zone and the set of package repositories that
you install software from to your circuits' exit node(s)). Windows
users are at much greater risk from this, because most people install
lots of crap software, thereby marking their systems (and thus their
Tor circuits) with a unique set of automatic updaters.
Of course, if you live in Iran, you're probably better off taking your
chances with exit-node roulette than downloading unsigned, unverified
updates directly through a known-malicious ISP. Just don't expect
your transparently proxied traffic to stay anonymous.
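As an added illustration of the "verify before you parse" point made above for FreeBSD ports (this is example code written for this page, not part of the post and not FreeBSD's own ports or portsnap code): a small Python verifier that reads records in the ports distinfo format (SHA256 and SIZE lines, with an optional TIMESTAMP line), checks a downloaded distfile's size and SHA-256 against them, and only then opens the bytes as a tar archive. The distinfo line format is the real one; the distfile name demo-1.0.tar, its contents, and the helper names are constructed for the example. The hash check needs no privileges, so it can run as an unprivileged user before anything running as root touches the file.

```python
import hashlib
import hmac
import io
import re
import tarfile

# The two record types a FreeBSD ports distinfo carries per distfile:
#   SHA256 (name) = <64 hex chars>
#   SIZE (name) = <decimal byte count>
DISTINFO_LINE = re.compile(
    r"^(?P<kind>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Parse distinfo text into {distfile name: {"SHA256": hex, "SIZE": int}}.

    A TIMESTAMP line (present in newer ports trees) is skipped; any other
    unrecognised line is an error rather than being silently ignored.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = DISTINFO_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised distinfo line: %r" % line)
        rec = records.setdefault(m.group("name"), {})
        if m.group("kind") == "SIZE":
            rec["SIZE"] = int(m.group("value"))
        else:
            rec["SHA256"] = m.group("value").lower()
    return records


def make_distinfo(name, data):
    """Produce the distinfo records for a distfile (the job `make makesum` does)."""
    return "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (
        name, hashlib.sha256(data).hexdigest(), name, len(data))


def verify_distfile(name, data, records):
    """Return (ok, reason). Runs with no privileges: do this before root parses anything."""
    rec = records.get(name)
    if rec is None:
        return False, "no distinfo record for %s" % name
    if "SHA256" not in rec or "SIZE" not in rec:
        return False, "incomplete distinfo record for %s" % name
    # Size first: cheap, and it rejects truncated or padded downloads outright.
    if len(data) != rec["SIZE"]:
        return False, "size mismatch: got %d, expected %d" % (len(data), rec["SIZE"])
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, rec["SHA256"]):
        return False, "SHA256 mismatch"
    return True, "ok"


def safe_member_names(name, data, records):
    """Verify first, and only then open the bytes as a tar archive.

    Also refuses archives with absolute or parent-directory member paths, so
    something that is not the expected plain tarball, or that tries to escape
    its extraction directory, is rejected before any extraction happens.
    """
    ok, reason = verify_distfile(name, data, records)
    if not ok:
        raise ValueError("refusing to parse %s: %s" % (name, reason))
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        names = tf.getnames()
    for member in names:
        if member.startswith("/") or ".." in member.split("/"):
            raise ValueError("unsafe member path in %s: %r" % (name, member))
    return names


def make_sample_distfile():
    """Constructed in-memory tarball standing in for a downloaded distfile."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"constructed sample distfile contents\n"
        info = tarfile.TarInfo("demo-1.0/README")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    distfile = "demo-1.0.tar"
    genuine = make_sample_distfile()
    records = parse_distinfo(make_distinfo(distfile, genuine))
    print(safe_member_names(distfile, genuine, records))
    # Same size, one bit flipped in transit: the size check passes, the hash does not.
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    print(verify_distfile(distfile, tampered, records))
```

The ordering is the whole point: the archive is never handed to tarfile (the stand-in here for a root-run shell script) until both the size and the digest match, and a single flipped bit in a same-length file is caught by the hash check rather than by whatever parses the contents.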