>> The transparently proxied operating system does not know its real external
>> IP, only its Tor exit IP. And can therefore never leak its real external
>> IP.
>
> I see this claim made all the time — is it actually true? Is Tor designed
> to withstand active attacks where Torified applications try to discover the
> real IP?
>

This is a very interesting and important question. I'd like to see more
replies.

There are three ways to torify.
Torified through http/socks-proxy settings and "about:config"? Certainly not.
(DNS leaks depend on "about:config", which malware would not honor.)
Torified through usewithtor? usewithtor ifconfig anyone? I don't know. It's
probably a redirector, not a jail.

Torified through TransPort and DnsPort... You can look into our setup.
IP forwarding is disabled, iptables default FORWARD and INPUT are DROP, and when
Tor is disabled, no network connections are possible. Iptables redirects to
TransPort and DnsPort. No leaks possible *.

We also have a sub page TorBOX/LeakTests and all tests came out negative.
Additionally, Skype, which is known for its ability to punch through firewalls,
was not able to make non-torified connections. What I don't like to advertise
is that Bittorrent also doesn't leak the IP (there is an online bittorrent leak
tester). I am against Bittorrent, but for leak testing it was welcome.

* and here comes the "trick". Our implementation, TorBOX, does not protect
against attacks against Tor. That is easily said and it is simple. 1. We don't
try to defend against network attacks, the usual things discussed, like a
massive amount of evil nodes. We leave that to the Tor developers. If I could
help against such attacks, I would help, but I can't. TorBOX is based on Tor.
Any successful attack against Tor also works against the transparently
proxied operating system. This leads to 2.: if SocksPort and DnsPort,
which TorBOX heavily relies on, can be exploited, then it's also game over.

I haven't found any reference that there is a "feature" to obtain the user's
real IP address through either SocksPort or DnsPort. Nor does there seem to be
any such known bug. If such a bug were found in the future, which is
possible, then we would hope that the Tor developers fix that bug. We hope
that compile time hardening features will be added (bug #5024 and #5210).
Additionally we are working on AppArmor profiles.

There are other conceivable attacks, which we cannot defend against. For
example, if an adversary controls your entry node and has access to the
transparently proxied operating system. He can simply use "morse" (5 seconds
of heavy traffic, 10 seconds of no traffic, ...) and then observe its incoming
connections. Then it's game over as well.

IP protocol leaks like this [1], Skype or Bittorrent are not possible. For me
this already justifies using a "no non-Tor connections possible" approach.

When you go ahead now and ask in a cracker forum, they probably won't spread a
simple method to get the real IP of the transparently proxied operating system.
On the other hand, if you run an intelligence service and have 100.000 $ left
over, you can announce something like "find a new exploit in Tor's SocksPort
and get 10.000 $". Qualified people will start looking into it and might find
something.

[1] https://tails.boum.org/security/IP_address_leak_with_icedove/index.en.html
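As an added illustration of the "no non-Tor connections possible" approach described in the reply (example code of mine, not TorBOX's own rules): a checker that reads an iptables-save dump and reports which of the stated invariants (IP forwarding off, INPUT and FORWARD default DROP, TCP redirected to TransPort, DNS redirected to DnsPort) do not hold. The sample dump, the port numbers (9040 for TransPort, 5300 for DnsPort) and the Tor uid (100) are constructed assumptions.

```python
import re

# Constructed iptables-save dump modelled on the described setup (not TorBOX's own rules).
SAMPLE_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 100 -j RETURN
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5300
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 100 -j ACCEPT
-A OUTPUT -p tcp --dport 9040 -j ACCEPT
-A OUTPUT -p udp --dport 5300 -j ACCEPT
-A OUTPUT -j REJECT
COMMIT
"""

def parse_iptables_save(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":") and table:
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A") and table:
            tables[table]["rules"].append(line)
    return tables

def check_torified_firewall(dump, ip_forward, trans_port=9040, dns_port=5300):
    """Return the violated 'no non-Tor connections' invariants (empty list: none found)."""
    tables = parse_iptables_save(dump)
    policies = tables.get("filter", {"policies": {}})["policies"]
    nat = tables.get("nat", {"rules": []})["rules"]  # assumed ports: TransPort 9040, DnsPort 5300
    checks = [
        (ip_forward == 0, "net.ipv4.ip_forward is enabled"),
        *[(policies.get(c) == "DROP", f"filter {c} policy is not DROP") for c in ("INPUT", "FORWARD")],
        (any(re.search(rf"-p tcp .*-j REDIRECT --to-ports {trans_port}$", r) for r in nat),
         f"no TCP REDIRECT to TransPort {trans_port}"),
        (any(re.search(rf"-p udp .*--dport 53 .*-j REDIRECT --to-ports {dns_port}$", r) for r in nat),
         f"no UDP/53 REDIRECT to DnsPort {dns_port}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed it the output of `iptables-save` and the value of `/proc/sys/net/ipv4/ip_forward`; an empty result means the listed invariants hold, it says nothing about attacks on Tor itself.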
