Re: geeez...

2011-01-12 Thread Jay Lee Jaroslav

On Jan 12, 2011, at 9:01 PM, Roger Dingledine wrote:

 On Thu, Jan 13, 2011 at 01:17:33AM +0100, Mitar wrote:
 On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry mikepe...@fscked.org wrote:
 and to suggest
 solutions for their security problems that involve improving their
 computer security for the Internet at large (open wifi, open proxies,
 botnets),
 
 I am not sure what you mean by that? That there should not be open
 WiFi because it improves security? Or that because there are open
 WiFis, open proxies, botnets you have to secure your systems anyway?
 
 I assume he meant the latter -- there are many ways that people can
 reach your website and have their IP address not really linked to the
 human making the connection.
 
 This is related to the "if you remove Tor from the world, you're not
 really reducing the ability of bad guys to be anonymous on the Internet"
 idea. See also my first entry at https://www.torproject.org/docs/faq-abuse
 
 But how do you secure them against abusive behavior (blackmailing,
 posting abusive content...)?
 
 By making your decisions based on the application-level content rather
 than the routing of the packets. If you have a forum, and it has jerks,
 then you need to learn about accounts and authentication. If it stays
 bad, you need to learn about reputation, or moderation, or various other
 techniques people have developed over the years to deal with abuse.
 
 There is probably a reasonable argument that identification would help
 with security here. No?
 
 It depends where your jerks are coming from. If your jerks are all obeying
 every law and showing up from their static non-natted IP address, then
 yes, routing address is definitely related to identity. But if your
 jerks have ever noticed this doesn't work so well for them, they may
 start using other approaches and suddenly you're back needing to learn
 about application-level mechanisms (or you're back being angry at the
 Internet for not giving you identification by IP address; if blocking
 by IP address is the only abuse prevention mechanism you've got, you're
 going to spend a lot of your life angry).
 
 For more on this topic, I'd point you to a short article a few years
 ago by Goodell and Syverson called "The Right Place at the Right Time:
 Examining the Use of Network Location in Authentication and Abuse
 Prevention" -- but in going to hunt for it I can't find it available
 online anymore. Proprietary publishers suck I guess. :(
 
 --Roger
 
 ***
 To unsubscribe, send an e-mail to majord...@torproject.org with
 "unsubscribe or-talk" in the body. http://archives.seul.org/or/talk/
 

Thank you Roger!

jlj
---
Jay Le Jaroslav jaros...@multicians.org



Re: Strange problem

2010-03-20 Thread Micah Lee
On Sat, Mar 20, 2010 at 5:25 AM,  zzzjethro...@email2me.net wrote:
 I know that Google is somehow involved with Tor though I don't understand it
 much at all. Just that it can show up in different languages when on the
 web.

Tor has exit nodes all over the world, and Google geolocates your IP
address to decide what language to use. So if you're using Tor and the
exit node is in Germany (e.g. to Google it looks like you're in
Germany), then Google will show up in German.

Google actually isn't involved in Tor. There's lots of websites that
geolocate your IP address and behave differently depending on what
part of the world they think you're in. I believe hulu.com won't let
you watch video if you're not in the US, and BBC won't let you stream
video unless you're in the UK.

Micah


Re: TOR Blocked at Universities

2010-02-13 Thread Lee
On 2/12/10, Michael Holstein michael.holst...@csuohio.edu wrote:

 Could you bind your exit traffic to IPs outside your University's
 primary block?

 Not sure what you mean by bind to outside IP, but our network is a
 contiguous /16. We would have to register for extra /24s from ARIN, and
 that costs money.

Not necessarily.  Ask about getting an address block from your ISP -
it might be included in your contract.

Regards,
Lee


Re: Microsoft .NET Add-on

2009-11-22 Thread Lee Fisher

How to remove the .NET Framework Assistant for Firefox
http://support.microsoft.com/kb/963707

https://addons.mozilla.org/en-US/firefox/addon/9449
http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx




Re: Re: Re: My tor exit node is STILL gone from the node list

2009-08-05 Thread Lee
Hi Alexandru,

On 8/4/09, Alexandru Cezar t...@ze.ro wrote:
 Hi list, hi Lee,

  It at least shouldn't be a problem for TOR, because it has worked with
  that setup for months.
 Unless you know for sure that nothing has changed on the path between
 your server and all the directory servers you don't know if path MTU
 discovery being broken (if it really is) is a new problem or not.

 I have again spoken to my ISP and they say routing is fine.

Routing could very well be just fine & PMTUD still be broken.. but it
looks like the problem is with Ecatel network announcements.  Check
this out: http://bgplay.routeviews.org/bgplay/
give it your network (89.248.169.0/24), select the last few days and
watch how the route bounces around.

I'd suggest getting a list of the directory servers and creating a
script that tries to connect to each one every 20-30 minutes.  Log the
status of each connection attempt and, assuming there's some failures,
go back to your provider with the list of IP addresses and times when
you couldn't connect to them.  Give them specific times & IP addresses
and they might be able to fix whatever it is.

 What all do the directory servers need to do/see before marking your
 server as a good exit?  It'd be nice to know what they can't do that's
 keeping your server from being marked as a good exit..

 I'm interested in that as well. I still cannot get it to be flagged
 'Running' reliably.
 Would TOR logging on my side help on this? I guess not?

I have no idea, but it couldn't hurt to enable logging and see if
there's anything interesting logged.

 Appreciate any help, I'm sure you don't mind getting 4MB/s exits back. ;-)

It'd be nice if somebody could give you the status/timestamp of your
server as seen from the directory servers.  That might be enough to
help your provider figure out what the problem is.

Regards,
Lee


Re: My tor exit node is STILL gone from the node list

2009-07-20 Thread Lee
Considering how many places block ICMP, traceroute is not a good way
to determine connectivity.

telnet 89.248.169.109 80
works for me and traceroute doesn't:

C:\>tracert 89.248.169.109

Tracing route to 89.248.169.109 over a maximum of 30 hops
  .. snip ..
 15   105 ms   105 ms   105 ms  149.6.129.22
 16   104 ms   102 ms   104 ms  access.carrier.jointtransit.nl [213.207.0.245]
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

Regards,
Lee

On 7/20/09, Olaf Selke olaf.se...@blutmagie.de wrote:
 Alexandru Cezar schrieb:

 It seems as if the node is unreachable from some of the authority servers,
 but I have no idea what to do about that. My ISP says that routing is fine
 and everything should work as expected. I don't understand why the node
 stays listed for a few hours before disappearing.
 Can someone please help me get this 100EUR/mnth node up again?

 traceroute from blutmagie ends at amsix peering

 anonymizer2:~# traceroute 89.248.169.108
 traceroute to 89.248.169.108 (89.248.169.108), 30 hops max, 60 byte packets
  1  195.71.90.1 (195.71.90.1)  0.557 ms  0.547 ms  0.541 ms
  2  xmws-gtso-de01-vlan-176.nw.mediaways.net (195.71.109.218)  1.381 ms  1.475 ms  1.522 ms
  3  rmwc-gtso-de01-ge-0-2-0-0.nw.mediaways.net (195.71.12.57)  28.666 ms  28.665 ms  28.681 ms
  4  rmwc-amsd-nl02-gigaet-2-0-0.nw.mediaways.net (195.71.254.182)  11.460 ms  11.458 ms  11.454 ms
  5  * * *
  6  * * *
  7  * * *
  8  * * *
  9  * * *
 10  *^C

 Olaf



Re: My tor exit node is STILL gone from the node list

2009-07-20 Thread Lee
On 7/20/09, downie - downgeo...@hotmail.com wrote:

 Moria now thinks you are at 89.248.169.109
 Traceroute and Netcat both fail from AS13285 in the UK:

Try netcat with the current address of 89.248.169.109 instead of .108

  ..snip..

 nc -v -w10 89.248.169.108 8080
 89.248.169.108: inverse host lookup failed: Unknown server error
 (UNKNOWN) [89.248.169.108] 8080 (http-alt) : Operation timed out


 GD
 To: or-talk@freehaven.net
 Subject: My tor exit node is STILL gone from the node list
 From: t...@ze.ro
 Date: Mon, 20 Jul 2009 18:46:03 +0300

 Hi list,

 I am still struggling to get my server back on the list of Tor nodes. For
 several months it was among the top 5 nodes, pumping 15TB a month. I am
 paying a lot of money for that machine, and I don't see why it just
 doesn't work any more.

 Let me reiterate what's happening: Since April, the node disappears from
 the node list after a few hours of running. I have tried to change exit
 policies, node name, node keys, ports and IP (within the same subnet).
 After the IP change the node was listed (and used) for several hours
 before it vanished. There's nothing about it in the log file.

 It seems as if the node is unreachable from some of the authority servers,
 but I have no idea what to do about that. My ISP says that routing is fine
 and everything should work as expected. I don't understand why the node
 stays listed for a few hours before disappearing.
 Can someone please help me get this 100EUR/mnth node up again?

 Information about the node:

 Current IP 89.248.169.109 (previously 89.248.169.108)
 Nickname kyirong2 (previously kyirong)
 Fingerprint D3EB 3132 99A0 082A 4A4E 10E0 EB75 8E4F 0163 F4F0
 (Old fp: A8BD 32A9 C2F2 0C4F 8ED2 C26C E477 0A24 85E3 CD22)

 Tor 0.2.1.17-rc Debian
 DirPort 80, ORPort 8080


 --
 Alexandru





Re: My tor exit node is STILL gone from the node list

2009-07-20 Thread Lee
On 7/20/09, Olaf Selke olaf.se...@blutmagie.de wrote:
 Lee schrieb:
 Considering how many places block ICMP, traceroute is not a good way
 to determine connectivity.

 telnet 89.248.169.109 80
 works for me and traceroute doesn't:

 oops, you're right! The same here. I didn't notice that before.
 Nevertheless blocking icmp at peering points is very unusual. Maybe path
 mtu discovery is broken if icmp is completely blocked.

No maybe about it - if icmp is completely blocked path mtu discovery
_is_ broken.

89.248.169.109 doesn't answer a ping, so I don't know of an easy way
to check if that's the problem or no.

Lee


Re: Re: My tor exit node is STILL gone from the node list

2009-07-20 Thread Lee
On 7/20/09, Alexandru Cezar t...@ze.ro wrote:
 89.248.169.109 doesn't answer a ping, so I don't know of an easy way
 to check if that's the problem or no.

 It at least shouldn't be a problem for TOR, because it has worked with that
 setup for months.

Unless you know for sure that nothing has changed on the path between
your server and all the directory servers you don't know if path MTU
discovery being broken (if it really is) is a new problem or not.

 To avoid further confusion, I have enabled answers to ICMP
 requests.

Thanks.  Path MTU discovery isn't a problem between me & your server -
1500 bytes gets there and back no problem:
C:\>ping -f -l 1472 89.248.169.109

Pinging 89.248.169.109 with 1472 bytes of data:

Reply from 89.248.169.109: bytes=1472 time=118ms TTL=48
Reply from 89.248.169.109: bytes=1472 time=118ms TTL=48
Reply from 89.248.169.109: bytes=1472 time=118ms TTL=48
Reply from 89.248.169.109: bytes=1472 time=118ms TTL=48

Ping statistics for 89.248.169.109:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 118ms, Maximum = 118ms, Average = 118ms

(On Windows it's 1472 bytes of data + 20 bytes IP header + 8 bytes
ICMP header = 1500)

What all do the directory servers need to do/see before marking your
server as a good exit?  It'd be nice to know what they can't do that's
keeping your server from being marked as a good exit..

Lee


Re: Re: My tor exit node is STILL gone from the node list

2009-07-20 Thread Lee
On 7/20/09, Alexandru Cezar t...@ze.ro wrote:
 Best of luck getting your provider to straighten out the routing.

 I have limited experience in running servers. From what I found out, my Xen
 dom0 is traceable (89.248.169.106), while the virtual host running TOR is
 not (89.248.169.109, vif-bridge). I can still access the web server running
 on 109 though.
 Is this a Xen misconfiguration? I can't think of anything that I have
 changed.

Have you talked to your provider about reachability?   Earlier I
couldn't do a traceroute to your machine & now I can:

C:\>tracert 89.248.169.106

Tracing route to 89.248.169.106 over a maximum of 30 hops
..snip..
 10    94 ms    92 ms    93 ms  te7-3.ccr01.lon01.atlas.cogentco.com [66.28.4.190]
 11    96 ms    94 ms    94 ms  te2-7.mpd04.ams03.atlas.cogentco.com [130.117.1.37]
 12   101 ms   101 ms   100 ms  te2-2.mpd03.ams03.atlas.cogentco.com [130.117.3.62]
 13    99 ms    98 ms    99 ms  149.6.129.22
 14    95 ms    95 ms    94 ms  access.carrier.jointtransit.nl [213.207.0.245]
 15     *        *        *     Request timed out.
 16    97 ms   101 ms    96 ms  89.248.169.106

Trace complete.

C:\>tracert 89.248.169.109

Tracing route to 89.248.169.109 over a maximum of 30 hops
..snip..
 10    14 ms    14 ms    14 ms  te3-3.ccr02.jfk02.atlas.cogentco.com [154.54.5.245]
 11   105 ms   108 ms   106 ms  te9-1.mpd03.jfk02.atlas.cogentco.com [154.54.25.141]
 12   104 ms   103 ms   105 ms  te3-8.mpd01.ymq02.atlas.cogentco.com [154.54.5.118]
 13    99 ms    99 ms   101 ms  te8-2.ccr01.ams03.atlas.cogentco.com [154.54.0.69]
 14   101 ms   114 ms   111 ms  vl3493.mpd03.ams03.atlas.cogentco.com [130.117.0.242]
 15   104 ms   104 ms   104 ms  149.6.129.22
 16   100 ms    99 ms   101 ms  access.carrier.jointtransit.nl [213.207.0.245]
 17     *        *        *     Request timed out.
 18   102 ms   101 ms   102 ms  89.248.169.109

Trace complete.

Seems rather strange that traceroute didn't work and now it does.

Lee


Re: Re: Re: My tor exit node is STILL gone from the node list

2009-07-20 Thread Lee
Hi Alexandru,

On 7/20/09, Alexandru Cezar t...@ze.ro wrote:
 Hi Lee,

  Have you talked to your provider about reachability?   Earlier I
  couldn't do a traceroute to your machine & now I can:

 I haven't spoken to them, no. What I did was reconfigure the firewall to
 allow ICMP. Could it be momentarily routing problems that cause this?

Yes, it would be routing problems.  But it would be your provider
that's having the routing problems; it's not because of anything you
did/didn't do.

Are you working now?  http://moria.seul.org:9032/tor/status/authority says
r kyirong2 0+sxMpmgCCpKThDg63WOTwFj9PA SdJCPHovwFEvv/p417iYV1Fdpgw 2009-07-20 23:20:39 89.248.169.109 8080 80
s Exit Fast Running V2Dir Valid
opt v Tor 0.2.1.17-rc

Regards,
Lee
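A small parser for the status entries Lee quotes from moria, as an added example (not code from the list or from Tor), so an operator can check a nickname for the Running flag instead of reading the document by eye. STATUS_SAMPLE is constructed: the kyirong2 entry is copied from the post, the second relay is invented; parse_status() and check_relay() are this example's own.

```python
"""Check a relay's flags in the directory status document quoted above.

Added example, not from the mailing list or from Tor: it parses the
'r' (router), 's' (status flags) and 'v' (version) entries in the layout
shown in the post, where the 'r' line carries nickname, identity, digest,
published date and time, IP, ORPort and DirPort, and reports whether a
given nickname is listed with the flags an operator expects.
"""

# Constructed sample document: first entry copied from the post, second
# relay invented to show the listed-but-not-Running case.
STATUS_SAMPLE = """\
r kyirong2 0+sxMpmgCCpKThDg63WOTwFj9PA SdJCPHovwFEvv/p417iYV1Fdpgw 2009-07-20 23:20:39 89.248.169.109 8080 80
s Exit Fast Running V2Dir Valid
opt v Tor 0.2.1.17-rc
r examplerelay AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2009-07-20 21:05:11 192.0.2.50 9001 9030
s Exit Valid
opt v Tor 0.2.1.17-rc
"""


def parse_status(doc):
    """Return {nickname: entry} for every 'r' entry in the document.

    Each entry holds the fields of its 'r' line plus the flag set from the
    following 's' line and the version from the 'v' line (older documents
    prefix unknown keywords with 'opt ', which is stripped here).
    """
    relays = {}
    current = None
    for raw in doc.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("opt "):
            line = line[4:]
        keyword, _, rest = line.partition(" ")
        fields = rest.split()
        if keyword == "r":
            if len(fields) != 8:
                raise ValueError("malformed r line: %r" % raw)
            nick, identity, digest, date, clock, ip, orport, dirport = fields
            current = {
                "nickname": nick, "identity": identity, "digest": digest,
                "published": date + " " + clock, "ip": ip,
                "orport": int(orport), "dirport": int(dirport),
                "flags": set(), "version": None,
            }
            relays[nick] = current
        elif keyword == "s" and current is not None:
            current["flags"].update(fields)
        elif keyword == "v" and current is not None:
            current["version"] = rest
    return relays


def check_relay(relays, nickname, expected_ip=None, required=("Running", "Valid")):
    """Report whether the relay is listed and carries the required flags.

    A relay that is listed but lacks 'Running' is exactly the symptom in
    this thread: the authorities know about it but could not reach it.
    """
    entry = relays.get(nickname)
    if entry is None:
        return {"listed": False, "missing": list(required), "ip_matches": None}
    missing = [flag for flag in required if flag not in entry["flags"]]
    ip_ok = None if expected_ip is None else entry["ip"] == expected_ip
    return {"listed": True, "missing": missing, "ip_matches": ip_ok,
            "published": entry["published"], "version": entry["version"]}


if __name__ == "__main__":
    table = parse_status(STATUS_SAMPLE)
    for name in ("kyirong2", "examplerelay", "kyirong"):
        print(name, check_relay(table, name, expected_ip="89.248.169.109"))
```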


Re: Yahoo Mail and Tor

2009-07-09 Thread Lee
On 7/9/09, Andrew Lewman and...@torproject.org wrote:
 On 07/09/2009 11:25 AM, Scott Bennett wrote:

 enable-remote-toggle  0
 enable-remote-http-toggle  0
 enable-edit-actions 0
 allow-cgi-request-crunching 0

 I'm trying to find the email thread, but until then, even with these
 set, it was demonstrated someone can manipulate your privoxy config by
 making your tor client pass strings from localhost.

Please post the link when you do find that thread.  The only things I
could find were related to an insecure configuration of Privoxy  - eg.
 http://archives.seul.org/or/talk/Oct-2007/msg00295.html
 http://osvdb.org/show/osvdb/48694
 http://osvdb.org/show/osvdb/25875

Thanks,
Lee


Re: Bush's DHS program continues under Obama

2009-07-04 Thread Lee
Take another look at the article referenced:
"... the new program will scrutinize only data going to or from
government systems."

I can understand privacy concerns, but "Joe Stalin, eat your heart
out."???  get real.

from
http://www.whitehouse.gov/omb/legislative_testimony_evans_021408_safeguard/

Through the Trusted Internet Connections (TIC) initiative, we are
working with agencies to reduce the overall number of external Federal
connections, in order to manage our risk and secure our connections in
a more cost-effective and efficient manner to provide better awareness
of our environment. Agencies turned in plans of action and milestones
to fully optimize agency connections, with a target completion date of
June 2008.

As agencies optimize their external connections, security controls to
monitor threats must be deployed and correlated to create a
government-wide perspective of shared risks to our networks. The
Department of Homeland Security (DHS) supports an application named
Einstein to collect, analyze, and share aggregated computer security
information across the Federal government. Einstein will assist
agencies to raise their awareness and DHS for government-wide
awareness for information security threats and vulnerabilities. This
awareness will enable agencies and DHS to take corrective action in a
timely manner. We are currently working with DHS to build upon their
existing deployments and extend Einstein to all of the Federal
agencies.


Lee



On 7/4/09, Scott Bennett benn...@cs.niu.edu wrote:

  After the demise of the constitutional republic, the North American
 Surveillance State continues to grow ever nastier, complete with an
 unconscionable slur on the good name of Albert Einstein.  See the article
 at

 http://www.washingtonpost.com/wp-dyn/content/article/2009/07/02/AR2009070202771_pf.html

 The need for tools like tor and PGP/GPG ought to become more and more
 apparent to Americans as time goes on.  Meet the new boss:  same as the
 old boss.  Joe Stalin, eat your heart out.


                                  Scott Bennett, Comm. ASMELG, CFIAG
 Internet: bennett at cs.niu.edu
 "A well regulated and disciplined militia, is at all times a good
 objection to the introduction of that bane of all free governments
 -- a standing army."
    -- Gov. John Hancock, New York Journal, 28 January 1790



Re: TBBundle, Browser javascript

2009-03-25 Thread Lee

Hello again,

I've just been catching up on the further replies on this.

Maybe the developer(s) of the bundle and/or torbutton might wander along 
and see this thread, and confirm whether or not javascript needs to stay 
on in the browser.


I originally asked this because, when testing my connection, a little 
more personal info is revealed with the browser's javascript turned on 
than when off, such as the local time zone. I do appreciate however that 
the config of the torbutton is set to enforce privacy and kill/block 
most (all?) nosy javascript.


If I/we don't find the definitive answer, I suppose it is best to trust 
the default settings in the bundle rather than potentially break 
something by turning off javascript. It would however be very nice to 
know for sure wouldn't it, seeing as leaving javascript enabled in the 
browser seems to contradict one of the commonly held 'rules' of 'safe 
surfing'.


Lee
UK



TBBundle, Browser javascript

2009-03-24 Thread Lee


Hello anyone who knows about such things;

I'm trying out the Tor Browser Bundle, and I see Javascript is enabled 
in the browser. Can I turn this off or is that option required left on 
for certain functionality in the bundle?


Thanks a lot,
Lee
UK



Re: TBBundle, Browser javascript

2009-03-24 Thread Lee



krishna e bera wrote:
 On Tue, Mar 24, 2009 at 09:57:49PM +, Lee wrote:
  I'm trying out the Tor Browser Bundle, and I see Javascript is enabled
  in the browser. Can I turn this off or is that option required left on
  for certain functionality in the bundle?

 Torbutton, when enabled, protects you from many different types of
 threats to anonymity and security, even when javascript is turned on.
 See https://torbutton.torproject.org/
 for more information on what exactly it does and does not do.

 However, javascript is not required for either Torbutton or
 Tor Browser Bundle functionality, so you can turn javascript off
 for additional security.

Thanks, Krishna.

I'd read up a little on the details, including how Torbutton mitigates 
'all known' javascript threats. However it did sound (to me) as if the 
Torbutton 'used' javascript in some way, so I was unsure of whether the 
browser setting was critical.
I assume you speak from an informed standpoint, so thanks for clarifying 
I can indeed turn the javascript off in the browser with no negative 
effects on the bundle's intended functionality.


Lee



  


Re: Windows buffer problems

2008-12-19 Thread Lee
On 12/19/08, coderman coder...@gmail.com wrote:

 there are actually two issues (or more?) for non-server Windows
 running Tor.  the usual problem Tor encounters is not related to the
 number of concurrent attempts but to kernel non-paged memory resources
 consumed to exhaustion when lots of active non-overlapped-I/O sockets
 are in use.  details here:
 https://wiki.torproject.org/noreply/TheOnionRouter/WindowsBufferProblems

This bit from the web page:

  Manipulating
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\GlobalMaxTcpWindowSize
and TcpWindowSize to 0xfaf00 (1027840) seemed to increase the time to
failure when running Tor and BitTorrent.

seems backwards.  Instead of buffering up to 16KB of data for each
open connection you're telling the system to buffer up to 1MB of data
for each open connection.  How can increasing system buffer usage help
if the problem is insufficient buffer space?

So I'm wondering if the problem could be that the system runs out of
available ports.

XP defaults to using something like 4K ports and 240 seconds for
keeping a closed socket in the timed wait state.  Has anyone tried
bumping the allowable port numbers up to 64K and dropped the timed
wait state time to 16 seconds?

 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:00000010
"StrictTimeWaitSeqCheck"=dword:00000001
 

Lee


Re: HTTPS Free Webmail alternatives to Gmail [split from:] Re: Fastmail.fm better E-mail for Tor users than Gmail? HTTPS!

2008-02-04 Thread Ricardo Lee
On Feb 4, 2008 11:17 AM, Thomas Barvo [EMAIL PROTECTED] wrote:

 Back on-topic

 Everyone, please list the free SSL webmail services you use instead of
 Gmail, thank you!



OK. What about HushMail?


Re: Fastmail.fm better E-mail for Tor users than Gmail? HTTPS!

2008-02-02 Thread Ricardo Lee
On Feb 2, 2008 11:55 AM, Thomas Barvo [EMAIL PROTECTED] wrote:

 On 2/2/08, Anil Gulecha [EMAIL PROTECTED] wrote:
  Logging into gmail with https://mail.google.com keeps you in https at
  all times. So there.

 This is not always true when using Tor with Gmail, even when you
 initiate the session with https://mail.google.com ! I and several
 others have posted on the web regarding this, especially when exit
 nodes change and the session during logout is often forced in another
 language to http from https during logout, what happens to the cookies
 then? What of broken connections during use which crop up from time to
 time? These and other strange events make me and others question using
 Gmail with a web browser in Tor.



There's a plugin for Firefox that does just that: ensures that the connection
is always https.

Its name is CustomizeGoogle. This and much more.

--
Ricardo.


Re: reporter from The Economist in Thailand seeks help / new Tor guide is up

2006-10-31 Thread Ricardo Lee
On 10/31/06, George Shaffer [EMAIL PROTECTED] wrote:
 On Mon, 2006-10-30 at 21:46, Tim McCormack wrote:
  Chris Willis wrote:
   NO browser (cept maybe a text browser in BSD or something) is really
   100% safe on its own. Firefox has lots of vulnerabilities, just like
   IE. . . .
  I agree about the text browser -- I should really familiarize myself with Lynx.

 Continuing now OT thread:

 Lynx has its uses, but anyone used to modern browsers is likely to find
 it frustrating. Lynx is not just text only in that it does not display
 graphics but is text based and runs in a text window (terminal). It does
 not recognize tables, and most modern web pages are built in tables,
 allowing the standard page and navigation elements, to be arranged above
 or to the left of the main page content. This means as you read the
 source, these come before the main text content. That is how Lynx
 displays the page (as it is sequentially arranged in the source file);
 the main page content is usually between a screenful or more of standard
 items and links and more of this at the bottom. A page as simple as
 Google's home page takes 13 tabs or down arrows to reach the search
 field. Yahoo, on the other hand recognizes it has received a request
 from a text browser, and sends a different page where the search field
 is the first item on the page after Yahoo. Lynx takes some getting
 used to.

 Lynx is not simple. Its default configuration file is 140K, but mostly
 explanatory comments. It has about 135 options. I don't know that you
 can assume it's 100% safe. If you eliminate all active content from your
 current browser, or install an alternate browser (e.g., Netscape, Opera)
 and disable all active content, and severely control cookies, wouldn't
 that do what Lynx is intended to do while still seeing most web pages,
 more or less as intended?

 George Shaffer

Continuing the OT: and what about links?? It has graphical support, such as
frames, pics...

Ricardo Lee


Re: ACLs null on NT

2006-08-08 Thread Lee Fisher

Read "19 Deadly Sins of Software Security"; chapter 12 is on this auth
issue. It is written for a Unix person, to understand also having to
address NT ACLs.

Get the Platform SDK (now called the Windows SDK). Grep through the
samples for SECURITY_DESCRIPTOR, among other things. There are a few
simple samples that set up an ACL for a handle.

Read "Secure Programming Cookbook", chapter 2 (access control), 2
patterns, 1 for Unix, 1 for NT.

Again, this is just untested observation. I am _not_ sitting here in a
debugger on an NT box, reading all of your Tor data :-)

Please put strong Windows skills on the RFP for the students!

Lee

 Hi, Lee!  This looks like good research.  There's one big problem,
 though: our windows skills are weak.  We'll either need a patch for
 this stuff, or more specific instructions about what exactly to do, or
 this could take a very long time to fix.



ACLs null on NT

2006-08-07 Thread Lee Fisher

Hi,

I'm new here, I'm reviewing the code and spec, trying to find out more
about bug 98 (WindowsBufferProblems wiki page).  Here is an unrelated
observation, constructive feedback about how to improve security for Tor
on NT a little.

I notice that NULL ACLs are being used.  Libevent's win32-code/misc.c's
socketpair() calls CreateNamedPipe() and CreateFile(), both of which
have their last parameter, lpSecurityAttributes, set to NULL.  With no
ACL, the process gets the default ACL.  I believe this means that
multiple user groups get write access, and Everyone gets read access
when NULL is specified as the ACL (forcing the default ACL with
appropriate ACEs).

Also, socketpair() calls SetNamedPipeHandleState() but doesn't check
the return code; not ACL-related, but it should be fixed.

Tor's or/main.c's tor_init() checks if it is being run as root/admin,
but only for non-NT codepath, no control flow change, just fyi spew.

The code should be fixed to explicitly set ACLs, the SDK has samples
that show this. Or at least the spec should be updated to reduce NT
security expectations to be theoretical like BSD. Giving the NT Tor
service a separate user account to help isolate things would be better.

Sorry, no patches. Back to bug 98...

Thanks,
Lee

Tor control-spec excerpt:
-snip-
Write a named socket in tor's data-directory or in some other location;
rely on the OS to ensure that only authorized users can open it.  (NOTE:
the Linux unix(7) man page suggests that some BSDs don't enforce
authorization.) If the OS has named sockets, and implements
authentication, trust all users who can read Tor's data directory.
-snip-

CreateNamedPipe excerpt:
-snip-
If lpSecurityAttributes is NULL, the named pipe gets a default security
descriptor and the handle cannot be inherited.  The ACLs in the default
security descriptor for a named pipe grant full control to the
LocalSystem account, administrators, and the creator owner.  They also
grant read access to members of the Everyone group and the anonymous
account.
-snip-

CreateNamedPipe excerpt:
-snip-
To create an instance of a named pipe by using CreateNamedPipe, the user
must have FILE_CREATE_PIPE_INSTANCE access to the named pipe object.  If
a new named pipe is being created, the access control list (ACL) from
the security attributes parameter defines the discretionary access
control for the named pipe.
-snip-

CreateFile excerpt:
-snip-
For backward compatibility purposes, CreateFile does not apply Windows
2000 inheritance rules when you specify a security descriptor in
lpSecurityAttributes.  To support inheritance on Windows 2000 and later,
APIs that later query the security descriptor of this object may
heuristically determine and report that inheritance is in effect.  See
Automatic Propagation of Inheritable ACEs for more information about
inheritance rules in Windows 2000 and later operating systems, and how
they differ from previous versions of Windows.
-snip-

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/createfile.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipc/base/createnamedpipe.asp
