[tor-talk] Pissed off about Blacklists, and what to do?

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun Mar 9 09:21:52 UTC 2014

On 3/8/14, 8:39 PM, Paul Syverson wrote:
> If you naively view Tor as Yet Another Public Proxy, I agree. But this
> is the same thinking that leads you to block all encrypted traffic you
> aren't MITMing. There may be environments where it makes sense, but
> most of the time you are hurting yourself more than you are helping,
> And enough places have learned that preventing encrypted traffic hurts
> them that many people reading this probably don't remember when it was
> commonly argued that the opposite was preferable.  If you have
> customers or employees that could benefit from personal defense in
> depth or if your corporate operations do, then you are unnecessarily
> hurting yourself. As Andrew noted, if you just buy a box and use its
> defaults, you probably aren't getting what you want.  Directing
> incoming Tor traffic appropriately, possibly requiring extra
> authentication steps for anything where you don't need to permit
> anonymous-from-you access to your services, makes much more sense.

From a Perimeter Security point of view Tor is a public proxy service
that enables someone to connect indirectly to a remote IT system while
hiding their IP.

What you suggest is "good common sense" for a "properly well organized
and well funded" large organization, where "IT Governance" and
"Security Governance" work very well together.

But in the dirty real world, enterprise application development is done
through a series of contractors; IT is often managing the application's
infrastructure while Security is managing the perimeter security and
incident response.

In a situation like that it's organizationally and politically very
difficult to make the decision that you are suggesting, requiring some
internal stakeholder to become the sponsor of "very well-pondered decisions"
about public proxy service users.
A decision to "manage in a soft way connections coming from public proxy
services" needs more effort than just blocking them.

So, let's assume we have an internal sponsor in a large organization
that wants to use a soft approach.
The decision will reach some very high level senior manager (being the
IT Manager or Security Manager).
That 1st level management will ask some very simple questions in
order to take a decision:

* What is the business impact?
* Do we have numbers on how many of our customers have this behaviour of
shielding their IP?
* Of those who shield their IP, how many are already our customers?
* What are the residual risks we're opening by managing softly rather
than blocking?
* What are other companies doing about this problem?
* What does our super-senior security advisor think of this problem?
* What does our IT Security Product Vendor recommend about this problem?
* How much does it cost to manage in a soft way?

Frankly speaking, I think that in most situations the decision will
not be in favour of managing in a soft way (especially not for resources
that could be abused).
