[tor-talk] corridor, a Tor traffic whitelisting gateway

Rusty Bird rustybird at openmailbox.org
Sat Feb 15 12:15:36 UTC 2014


>>> The problem is, anyone, including adversaries can run Tor
>>> relays.
> 
>> Interesting consideration. I'd prefer limiting the tor_routers
>> ipset to relays with a Guard flag, which would make an attack more
>> difficult to pull off.
> 
> Getting the guard flag isn't really difficult.

It won't make attacks much harder for malicious relays, yes. But keeping
unusual Tor traffic, like entry to a non-Guard, off the network may be
worthwhile for other reasons.

> It's a documented and automated process.

What is that process?

>> But a freshly installed Tor client will not necessarily fetch its
>> first consensus through a Guard, right?

> Some guards and directory mirrors are hardcoded in Tor.

I only see the directory authorities, what code bakes in guards and
directory mirrors? If you meant the authorities, how about limiting the
ipset to relays with a Guard *or* an Authority flag.

> Corridor's advantages:
> - streams from different workstations can never share a circuit

The more essential point is that client computers don't have to trust
the corridor gateway to provide anonymity. That's huge if you're
offering your internet connection to strangers: Their only choice if
they don't trust a *proxying* gateway would be to run Tor over Tor.

> Whonix's advantage:
> - malicious software on the workstation can not find out its real
> external IP address

With a filtering gateway (corridor), a malicious software M on the
client computer can instantly and directly contact a colluding relay.

With a proxying gateway (Whonix), M can only do that when the gateway
uses that relay as a Guard, and M has to open a covert channel, e.g.
request/response timing.

Kudos to you for bringing this issue to light. I will document that
corridor cannot prevent well-orchestrated leaks, and that there is no
replacement for securing your client computer (which was never my
intention to imply).

> I am wondering, can we get both advantages using just one gateway?

If you also count the question of who to trust, yourself (the client) or
the gateway, then with just one gateway, no. Whoever you trust more is
who you want to build your circuits.

Still, you can put corridor between your Whonix box and your modem/
router (or directly on the latter if you don't use clearnet at all) as a
simple fail safe mechanism:

$ wc -l corridor-*
  11 corridor-data-bridges
  60 corridor-data-consensus
  17 corridor-forward
  17 corridor-helper-update
 105 total

Rusty
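
Added example, not part of the original message and not corridor's own code: one way to build the "Guard *or* Authority" restriction discussed above, by filtering a consensus into `ipset restore` lines. It assumes the full ("ns") consensus flavor, a `tor_routers` set of type hash:ip,port, and a hypothetical function name; the sample consensus is constructed.

```shell
#!/bin/sh
# Added example: select Guard-or-Authority relays from a consensus.

# Constructed sample in the full ("ns") consensus flavor. Addresses are
# documentation ranges; identities and digests are placeholders.
sample_consensus() {
cat <<'EOF'
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA aaaaaaaaaaaaaaaaaaaaaaaaaaa 2014-02-15 10:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
v Tor 0.2.4.20
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB bbbbbbbbbbbbbbbbbbbbbbbbbbb 2014-02-15 10:05:00 198.51.100.7 443 0
s Exit Fast Running Valid
r authC CCCCCCCCCCCCCCCCCCCCCCCCCCC ccccccccccccccccccccccccccc 2014-02-15 10:10:00 203.0.113.5 9101 9131
s Authority Fast Running Stable V2Dir Valid
r relayD DDDDDDDDDDDDDDDDDDDDDDDDDDD ddddddddddddddddddddddddddd 2014-02-15 10:15:00 192.0.2.44 9001 0
s Fast Running Valid
r broken EEEEEEEEEEEEEEEEEEEEEEEEEEE eeeeeeeeeeeeeeeeeeeeeeeeeee 2014-02-15 10:20:00 not-an-ip 9001 0
s Fast Guard Running Valid
EOF
}

# Reads a consensus on stdin and prints "ipset restore" lines for every
# relay whose "s" line carries Guard or Authority. $1 is the set name
# (default tor_routers, assumed to be of type hash:ip,port).
guard_or_authority_entries() {
    awk -v set="${1:-tor_routers}" '
        # "r" line: nickname identity digest date time IP ORPort DirPort
        $1 == "r" { ip = $7; port = $8; next }
        $1 == "s" {
            # Only emit well-formed IPv4/port pairs, so a malformed
            # consensus line cannot smuggle text into the restore stream.
            ok = (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && port ~ /^[0-9]+$/)
            for (i = 2; ok && i <= NF; i++)
                if ($i == "Guard" || $i == "Authority") {
                    print "add " set " " ip ",tcp:" port
                    break
                }
            ip = ""; port = ""   # never pair these flags with a later relay
        }
    '
}

sample_consensus | guard_or_authority_entries
```

The Exit-only relay, the flagless relay and the malformed entry are all dropped; only the Guard and the Authority reach the set.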
