On 2012-03-02, Andrew Lewman <[email protected]> wrote:

> The trick is, I like to think I know what I'm doing and that I'll
> notice if apt-get or my VM image fails to transfer untouched. Whether
> I'll actually notice a sophisticated exploit in deb packages or my vm
> image modified in perfect way that gpg or sha256 hashes don't detect,
> remains to be seen. If I pulled a random person out of a barcamp and
> asked them to do an OS X or Windows update over transparently proxied
> tor, would they notice if the package was modified in transit? What do
> these OSes do in this case? What about freebsd ports?
Every FreeBSD port's list of distfiles includes hashes and sizes of each distfile to be downloaded. If I remember correctly, the only required hash is SHA-256. portsnap and freebsd-update reportedly use good, competently designed crypto to verify the files they download before parsing them in a shell script with (necessarily) root privileges. portaudit downloads, ungzips and untars an unsigned file as root, then parses a text file extracted from what was hopefully a tarball in a shell script run (unnecessarily) as root. Sucks to be a FreeBSD user.

But apt uses GPG (run with (necessarily) root privileges) to verify the files it downloads. Sucks to be a Debian user when someone finds another code-exec bug in GPG's parsing code.

> Or other package
> systems? What about all of the other software that updates itself
> automagically without a system package manager?

This is a bigger risk to anonymity -- automatic update-related operations run in the background on a transparent-proxied system can link the traffic you intended to anonymize with properties of your operating-system installation (e.g. on Debian, /etc/cron.daily/apt leaks your system's time zone and the set of package repositories that you install software from to your circuits' exit node(s)).

Windows users are at much greater risk from this, because most people install lots of crap software, thereby marking their systems (and thus their Tor circuits) with a unique set of automatic updaters.

Of course, if you live in Iran, you're probably better off taking your chances with exit-node roulette than downloading unsigned, unverified updates directly through a known-malicious ISP. Just don't expect your transparently proxied traffic to stay anonymous.

Robert Ransom
_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
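The distinfo check Robert describes for FreeBSD ports, as an added example (not code from this thread or from the ports tree): it parses SIZE and SHA256 lines in the ports distinfo format and refuses a distfile whose recorded size or hash differs, which is the check a fetcher must pass before anything is extracted or parsed as root. The distfile and distinfo are constructed inline; it assumes either GNU sha256sum or BSD sha256(1) is on the PATH.

```shell
#!/bin/sh
# Added example: verify a downloaded distfile against a FreeBSD-ports-style
# distinfo entry ("SHA256 (name) = hex" and "SIZE (name) = bytes") before use.
set -u

# Portable SHA-256 hex digest: GNU coreutils sha256sum or BSD sha256(1).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Usage: verify_distfile <distinfo> <distfile>
# Exit 0 only if both SIZE and SHA256 match; 1 on mismatch; 2 if no entry.
verify_distfile() {
    distinfo=$1; file=$2; name=$(basename "$file")
    want_size=$(awk -v n="$name" '$1=="SIZE"   && $2==("(" n ")") {print $4}' "$distinfo")
    want_hash=$(awk -v n="$name" '$1=="SHA256" && $2==("(" n ")") {print $4}' "$distinfo")
    [ -n "$want_size" ] && [ -n "$want_hash" ] || { echo "no distinfo entry for $name" >&2; return 2; }
    # Cheap size check first: rejects truncation/padding without hashing.
    have_size=$(wc -c < "$file" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || { echo "SIZE mismatch for $name" >&2; return 1; }
    have_hash=$(sha256_of "$file")
    [ "$have_hash" = "$want_hash" ] || { echo "SHA256 mismatch for $name" >&2; return 1; }
    return 0
}

# Constructed fixture: a stand-in "distfile", a distinfo describing it, and a
# tampered copy of the same name and size (one byte changed) in another dir.
make_fixture() {
    FIX=$(mktemp -d)
    GOOD="$FIX/good/foo-1.0.tar.gz"; BAD="$FIX/bad/foo-1.0.tar.gz"
    mkdir -p "$FIX/good" "$FIX/bad"
    printf 'constructed distfile payload\n' > "$GOOD"
    printf 'constructed distfile payloaD\n' > "$BAD"
    DISTINFO="$FIX/distinfo"
    {
        printf 'SHA256 (foo-1.0.tar.gz) = %s\n' "$(sha256_of "$GOOD")"
        printf 'SIZE (foo-1.0.tar.gz) = %s\n' "$(wc -c < "$GOOD" | tr -d ' ')"
    } > "$DISTINFO"
}

make_fixture
verify_distfile "$DISTINFO" "$GOOD" && echo "good distfile: verified, safe to extract"
verify_distfile "$DISTINFO" "$BAD"  || echo "tampered distfile: refused"
rm -rf "$FIX"
```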
