On 10/20/06, Paul Syverson <[EMAIL PROTECTED]> wrote:
... What exactly is an answer? I don't know. Many people who are on this list have hints of ideas that will help somewhat and they have been raising them, implementing them, analyzing them in papers, etc.
i'm fond of the transparent proxy router approach we've used to try and fail safe for most protocols (at least with respect to the DNS leaks and covert TCP connections via Java/Flash/etc).[1] this doesn't do much for identifiers in the data stream (although privoxy/squid do scrub the transparent HTTP which is visible), and probably won't until significant effort is employed for protocol/application specific content filtering proxies. until then, user beware...
It might be good to have a testing page that is part of the setup wizards in some way as well as being fairly prominent on the homepage.
it would be nice to have a detailed proxy checker available that looks at these Java/Flash/RealPlayer/etc holes. right now there are a handful of common http proxy checkers but these look for headers and IP at best. does such a thing exist? i would be willing to host (although i suspect others would have done so already were a tool available). 1. http://janusvm.peertech.org/ uses a pptp vpn connection to force a default route through the virtual machine providing transparent TCP and DNS proxy through Tor. this defeats all of the covert TCP connection attacks designed to circumvent browser/application level SOCKS/HTTP proxy settings, but does not address identifying data within the TCP streams. [people have been asking about non-Win support, and this will be forthcoming in the next few months via openvpn for *bsd/linux/solaris/mac]