[tor-talk] corridor, a Tor traffic whitelisting gateway

Patrick Schleizer adrelanos at riseup.net
Fri Feb 14 15:17:35 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Rusty,

this is an interesting concept.

Do you know Whonix [0]? (Full disclosure: I am a maintainer of
Whonix.) It is an Isolating Proxy [1] with an additional Transparent
Proxy [2] (Anonymizing Middlebox), which can be optionally disabled.

Rusty Bird:
> # corridor, a Tor traffic whitelisting gateway
> 
> There are several transparently torifying gateways. They suffer
> from the same problems:
> 
> - It's tricky to isolate circuits and issue NEWNYM signals,
> especially if multiple client computers are involved. - Any garbage
> software can pump identifiers into "anonymous" circuits, and get
> itself exploited by malicious exit nodes. - Trust is centralized to
> the gateway, which is bad enough when used by one person, and just
> inappropriate when shared with strangers.
> 
> **corridor takes a different approach. It allows only connections
> to Tor relays to pass through (no clearnet leaks!), but client
> computers are themselves responsible for torifying their own
> traffic.**

What's the threat model here? As I understand, it's ensuring stream
isolation for one workstation while another workstation is
compromised. Please correct me, if I am wrong.

In comparison, Whonix's threat model is that applications running on
the workstation are not to be trusted. Even malware on the workstation
with root rights shouldn't be able to find out the user's real
external IP address.

With corridor, the workstations are allowed to contact any Tor relay,
right?

The problem is, anyone, including adversaries can run Tor relays.
Since the corridor gateway will allow the workstation to connect to
any Tor relay, an adversary "only" needs to set up it's own Tor relay
and once an application on the workstation (such as the browser) is
compromised, can find out the client's real external IP address.

I am wondering if the advantages of corridor and Whonix can be
combined. Without running Tor over Tor, which is recommended against. [3]

Cheers,
Patrick

[0] https://www.whonix.org
[1]
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy
[2] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
[3]
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ToroverTor

-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJS/jOOXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2RTk3OUIyOEE2RjM3QzQzQkUzMEFGQTFD
QjhENTBCQjc3QkIzQzQ4AAoJEMuNULt3uzxIc+YQAIVRTyaIontkr3CTsF45EKXY
32NcfVcA0U2TuTu6cHekrp4qE2Bou91biurzOCudsniExF4WEcezwoXzfr5NMI2V
6ZPhAKoo2Xb2cCiY2f/itdhcMc3JximclhM7g34ABqmeIMbN1bCK+zjN6/sj0jZB
FMqyBIQuMCLQ3aaVlcu8HxhfAgZCV8brnC0QIHpq6uTo3VGRkCu9OjMtSM6h/hgN
Y8t+jPKaRu6iP7nFz77BaxxDureACnUZeyAW8CNd1zUnDBA2b19YWSisJyXmjsIa
GDcQu4gFo4F9jvcQIsovp1uCs5wnIRTANyg1aS221AK3uHJIbQgz1zNOlvBPwNYb
jrby2ZWGFqOVzTlxBwaTi3EYpjSFYEWijtSkb0aF+Qv1xsB4+3AYdKDfjbT2MEbS
bII4Y9lHcsTjvFmVkqMBz6AbjTc0tUshiVEBqnUnYIrA36iH+sDL20iexnwLynP+
2F4iFSG+7TgvfqV2ap2f73+hOcMeLJ4P7vi0bD+C/SIF8XmXSW9Y6P6u1g1e2Jkj
IW0XZ8ovA+kYDyj6yLU2n68LvcrnP3mzVivw6kYRYxIC+CIWt2hIdPidYT1KNbC5
yYK9tElYnHpDCFWMmXeU3/N5qkq02YfW5TwZ1iikQDcP2eeWfWFHN4IUMWepchiT
qHgbQMZChkxZYgOkq4Ut
=jNc8
-----END PGP SIGNATURE-----


More information about the tor-talk mailing list