Re: all traffic through a VPN on top of tor, done!

2009-11-17 Thread Erilenz
* on the Fri, Nov 13, 2009 at 04:28:20PM +, John Case wrote:

>> Second, it sounds like you want to protect against a local attacker from
>> seeing your traffic.  If so, go to proxy.org, find an https:// or
>> vpn-based provider and enjoy your encrypted protection against your
>> local ISP seeing your destination.
>>
>> If you actually want anonymity, then use Tor as is, for it's designed to
>> provide anonymity online by default.
>
> Yes, but back to my thread hijack :)
>
> Let's say my protection model does indeed require Tor, but at the same
> time requires more speed.
>
> Forcing Tor to only use fast nodes probably doesn't work, since those
> fast nodes are probably inundated just like the slow ones are.  This also
> suggests that organic growth in the Tor network is not going to solve
> much of the speed problem in the near term...  existing users will
> certainly use more and more traffic.

If you're only concerned with hiding where you're connecting to from
your neighbour, you can modify the source code fairly easily to make two
hop circuits instead of three hop circuits (*). You could then limit the
ExitNodes to be fairly local (your own country), and then after a little
trial and error, manually pick a group of EntryNodes which are also in
your own country, and which perform well for you. High bandwidth
University nodes for example. One thing you absolutely don't want to do
is use a Hidden Service for your VPN as that doubles the number of hops
in the circuit.

(*) I can't remember how though. Google it.

-- 
Erilenz
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/


Re: all traffic through a VPN on top of tor, done!

2009-11-17 Thread Marco Bonetti

Erilenz wrote:
> One thing you absolutely don't want to do is use a Hidden Service for
> your VPN as that doubles the number of hops in the circuit.
but it raises the coolness of the whole project to an exponential level ;-)

--
Marco Bonetti
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/

My GnuPG key id: 0x0B60BC5F


Re: all traffic through a VPN on top of tor, done!

2009-11-17 Thread Paul Syverson
On Tue, Nov 17, 2009 at 06:43:58AM +, John Case wrote:

> On Fri, 13 Nov 2009, Paul Syverson wrote:
>
>>> But let's say one sets up X Tor nodes in X different locales and configure
>>> my Tor to use one of those X for my entry, and one of those X for my exit
>>> ... I'm still throttled by my middle hop, but the odds are much higher in
>>> my favor, and I may only need to rebuild my connection once or twice to get
>>> an acceptable speed.
>>
>> Ignoring what the underlying network can observe, the value to having
>> three hops is that the first and last ones don't know about each other
>> directly (so immediately know who to attack to completely deanonymize
>> a connection; they instead need to iterate such an attack). But if you
>> enter and leave the network via nodes you control, the only thing you
>> are getting from adding a public hop in the middle is a greater
>> chance of an adversary observing you. The problem with your design is
>> that if anyone discovers the nodes are under your control, then things
>> emerging from/entering them will be suspected of being associated with
>> you. (It was similar considerations that led us to recommend even in
>> the onion routing designs that predated Tor that the network not just
>> be run by/for the DoD.) Worse still, if you add just a middle hop that
>> is not yours, you make things worse, not better. Any time it is you
>> going to a destination observed by your adversary and via a middle hop
>> owned by the adversary, he will be right in guessing the connection is
>> more likely to be yours than are arbitrary connections through the
>> network. He will get this without needing to see your entry connection
>> into the network.
>
> Ok, that is perfectly sensible.  My immediate thought, however, is if all
> X of my nodes are in different locales (US, Canada, CH, DE, NZ, whatever)
> wouldn't this correlation be awfully difficult, especially if service is
> not directly under my name (company front, straw man purchase, fake signup
> name, etc. ?)
>
> It's just a thought - I realize your problem is the real-world assurances
> that people need when they are really under surveillance, and not some rich
> white guy's IT hobby.


The more careful analysis still to be done will hopefully say
something more about how difficult such correlation is and whether
things like locale make a difference. (For a related but distinct
example, see my recent paper with Matt Edman AS-awareness in Tor Path
Selection, available at www.cs.rpi.edu/~edmanm2/ccs159-edman.pdf )

But two related immediate concerns: Irrespective of network analysis
and usage finding relations among/with these relays, this all depends
on your ability to keep hidden exogenous information about those nodes
being related. (I'm talking about the sorts of management things you
just mentioned.) How hard that is probably depends both on how careful
you are (and how you are careful) and who you are trying to hide from.
Relatedly, you may face issues of what makes a good torizen since you
will not have disclosed your ability (or the ability of those who can
coerce/corrupt you) to de-anonymize by yourself their circuits that
start and end with your relays.

-Paul


Re: all traffic through a VPN on top of tor, done!

2009-11-17 Thread Ted Smith
On Tue, 2009-11-17 at 13:48 +0100, Marco Bonetti wrote:
> Erilenz wrote:
>> One thing you absolutely don't want to do is use a Hidden Service for
>> your VPN as that doubles the number of hops in the circuit.
> but it raises the coolness of the whole project to an exponential level ;-)

It only raises the coolness by a linear level. Coolness increases in
linear relation to number of nodes in the circuit. To get exponential
levels of coolness, you'd need to multiplex over different circuits
somehow.




Re: all traffic through a VPN on top of tor, done!

2009-11-16 Thread John Case


On Fri, 13 Nov 2009, Paul Syverson wrote:

>> But let's say one sets up X Tor nodes in X different locales and configure
>> my Tor to use one of those X for my entry, and one of those X for my exit
>> ... I'm still throttled by my middle hop, but the odds are much higher in
>> my favor, and I may only need to rebuild my connection once or twice to get
>> an acceptable speed.
>
> Ignoring what the underlying network can observe, the value to having
> three hops is that the first and last ones don't know about each other
> directly (so immediately know who to attack to completely deanonymize
> a connection; they instead need to iterate such an attack). But if you
> enter and leave the network via nodes you control, the only thing you
> are getting from adding a public hop in the middle is a greater
> chance of an adversary observing you. The problem with your design is
> that if anyone discovers the nodes are under your control, then things
> emerging from/entering them will be suspected of being associated with
> you. (It was similar considerations that led us to recommend even in
> the onion routing designs that predated Tor that the network not just
> be run by/for the DoD.) Worse still, if you add just a middle hop that
> is not yours, you make things worse, not better. Any time it is you
> going to a destination observed by your adversary and via a middle hop
> owned by the adversary, he will be right in guessing the connection is
> more likely to be yours than are arbitrary connections through the
> network. He will get this without needing to see your entry connection
> into the network.

Ok, that is perfectly sensible.  My immediate thought, however, is if all
X of my nodes are in different locales (US, Canada, CH, DE, NZ, whatever)
wouldn't this correlation be awfully difficult, especially if service is
not directly under my name (company front, straw man purchase, fake signup
name, etc. ?)

It's just a thought - I realize your problem is the real-world assurances
that people need when they are really under surveillance, and not some
rich white guy's IT hobby.

>> The question is, what values of X are required in order for correlation,
>> etc., to not be laughable ?
>>
>> (the assumption here is that I put my X Tor nodes on the actual Tor
>> network, but reserve some percentage of their bandwidth exclusively for my
>> own use ... so they look and act like actual Tor nodes ...)
>
> These are tricky questions, and we are doing ongoing research about it
> now. An initial result we have is not quite to answer this question
> but instead to look at how you should do routing to avoid compromised
> entry and exit nodes if you trust some nodes more than others and
> where the difference in trust and percentage of trusted and untrusted
> nodes are input parameters. Published in the IEEE Computer Security
> Foundations Symposium, cf.
> www.cs.yale.edu/~amj37/publications/trusted_sets-csf09.pdf
>
> I think I will have a better, but not complete answer, to questions
> closer to yours within several months. But it will involve some
> complicated analysis. For now, I suggest you follow Andrew's
> advice---or just take your risk if speed matters more than security
> for you. But know then that you are entering uncharted and especially
> ill-understood waters and that any guesses you might have for X (or
> even that this is the right question) are likely to be wrong, and you
> really will have no idea what kind of protection you are getting.

Thanks very much for a very helpful reply - I appreciate it.  It will be
interesting if you conclude that X is larger than (the current size of the
public Tor network)  :)



Re: all traffic through a VPN on top of tor, done!

2009-11-15 Thread Andrea Ratto
On Fri, 13/11/2009 at 16.28 +, John Case wrote:
> On Fri, 13 Nov 2009, Andrew Lewman wrote:
>
>> Second, it sounds like you want to protect against a local attacker from
>> seeing your traffic.  If so, go to proxy.org, find an https:// or
>> vpn-based provider and enjoy your encrypted protection against your
>> local ISP seeing your destination.

You have a point, that is something I could probably do, but so far all
the ssl proxies I have seen are actually websites with a form. I need to use
the proxy from the command line and pipe an ssh connection through it.

>> If you actually want anonymity, then use Tor as is, for it's designed to
>> provide anonymity online by default.

That is why I am glad my script has tor support now. Anonymity is there.
It's just really slow. :-)
I added tortunnel support as well, which is probably slower than those
websites but serves the purpose.

I am pretty happy with the result. I'll be posting a link as soon as I
have it online, if someone needs it. It's just a nice script for a vpn
on top of ssh, even if you don't need tor.

 
> Yes, but back to my thread hijack :)
>
> Let's say my protection model does indeed require Tor, but at the same
> time requires more speed.
>
> Forcing Tor to only use fast nodes probably doesn't work, since those fast
> nodes are probably inundated just like the slow ones are.  This also
> suggests that organic growth in the Tor network is not going to solve much
> of the speed problem in the near term...  existing users will certainly
> use more and more traffic.
>
> But let's say one sets up X Tor nodes in X different locales and configure
> my Tor to use one of those X for my entry, and one of those X for my exit
> ... I'm still throttled by my middle hop, but the odds are much higher in
> my favor, and I may only need to rebuild my connection once or twice to
> get an acceptable speed.
>
> The question is, what values of X are required in order for correlation,
> etc., to not be laughable ?
>
> (the assumption here is that I put my X Tor nodes on the actual Tor
> network, but reserve some percentage of their bandwidth exclusively for my
> own use ... so they look and act like actual Tor nodes ...)


Re: all traffic through a VPN on top of tor, done!

2009-11-13 Thread Andrew Lewman
On 11/13/2009 02:39 AM, Andrea Ratto wrote:
> I would just like to shorten the circuit, but it seems there is no
> option for doing that. I hope they change their mind and put one in, maybe
> limited to 3 hops, so that it can't be used to over-saturate the
> network.

First off, read this,
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#VariablePathLength

Second, it sounds like you want to protect against a local attacker from
seeing your traffic.  If so, go to proxy.org, find an https:// or
vpn-based provider and enjoy your encrypted protection against your
local ISP seeing your destination.

If you actually want anonymity, then use Tor as is, for it's designed to
provide anonymity online by default.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B


Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject


Re: all traffic through a VPN on top of tor, done!

2009-11-13 Thread John Case


On Fri, 13 Nov 2009, Andrew Lewman wrote:

> Second, it sounds like you want to protect against a local attacker from
> seeing your traffic.  If so, go to proxy.org, find an https:// or
> vpn-based provider and enjoy your encrypted protection against your
> local ISP seeing your destination.
>
> If you actually want anonymity, then use Tor as is, for it's designed to
> provide anonymity online by default.

Yes, but back to my thread hijack :)

Let's say my protection model does indeed require Tor, but at the same
time requires more speed.

Forcing Tor to only use fast nodes probably doesn't work, since those fast
nodes are probably inundated just like the slow ones are.  This also
suggests that organic growth in the Tor network is not going to solve much
of the speed problem in the near term...  existing users will certainly
use more and more traffic.

But let's say one sets up X Tor nodes in X different locales and configure
my Tor to use one of those X for my entry, and one of those X for my exit
... I'm still throttled by my middle hop, but the odds are much higher in
my favor, and I may only need to rebuild my connection once or twice to
get an acceptable speed.

The question is, what values of X are required in order for correlation,
etc., to not be laughable ?

(the assumption here is that I put my X Tor nodes on the actual Tor
network, but reserve some percentage of their bandwidth exclusively for my
own use ... so they look and act like actual Tor nodes ...)



Re: all traffic through a VPN on top of tor, done!

2009-11-13 Thread Paul Syverson
On Fri, Nov 13, 2009 at 04:28:20PM +, John Case wrote:

> On Fri, 13 Nov 2009, Andrew Lewman wrote:
>
>> Second, it sounds like you want to protect against a local attacker from
>> seeing your traffic.  If so, go to proxy.org, find an https:// or
>> vpn-based provider and enjoy your encrypted protection against your
>> local ISP seeing your destination.
>>
>> If you actually want anonymity, then use Tor as is, for it's designed to
>> provide anonymity online by default.
>
> Yes, but back to my thread hijack :)
>
> Let's say my protection model does indeed require Tor, but at the same time
> requires more speed.
>
> Forcing Tor to only use fast nodes probably doesn't work, since those fast
> nodes are probably inundated just like the slow ones are.  This also
> suggests that organic growth in the Tor network is not going to solve much
> of the speed problem in the near term...  existing users will certainly use
> more and more traffic.
>
> But let's say one sets up X Tor nodes in X different locales and configure
> my Tor to use one of those X for my entry, and one of those X for my exit
> ... I'm still throttled by my middle hop, but the odds are much higher in
> my favor, and I may only need to rebuild my connection once or twice to get
> an acceptable speed.

Ignoring what the underlying network can observe, the value to having
three hops is that the first and last ones don't know about each other
directly (so immediately know who to attack to completely deanonymize
a connection; they instead need to iterate such an attack). But if you
enter and leave the network via nodes you control, the only thing you
are getting from adding a public hop in the middle is a greater
chance of an adversary observing you. The problem with your design is
that if anyone discovers the nodes are under your control, then things
emerging from/entering them will be suspected of being associated with
you. (It was similar considerations that led us to recommend even in
the onion routing designs that predated Tor that the network not just
be run by/for the DoD.) Worse still, if you add just a middle hop that
is not yours, you make things worse, not better. Any time it is you
going to a destination observed by your adversary and via a middle hop
owned by the adversary, he will be right in guessing the connection is
more likely to be yours than are arbitrary connections through the
network. He will get this without needing to see your entry connection
into the network.


> The question is, what values of X are required in order for correlation,
> etc., to not be laughable ?
>
> (the assumption here is that I put my X Tor nodes on the actual Tor
> network, but reserve some percentage of their bandwidth exclusively for my
> own use ... so they look and act like actual Tor nodes ...)

These are tricky questions, and we are doing ongoing research about it
now. An initial result we have is not quite to answer this question
but instead to look at how you should do routing to avoid compromised
entry and exit nodes if you trust some nodes more than others and
where the difference in trust and percentage of trusted and untrusted
nodes are input parameters. Published in the IEEE Computer Security
Foundations Symposium, cf.
www.cs.yale.edu/~amj37/publications/trusted_sets-csf09.pdf

I think I will have a better, but not complete answer, to questions
closer to yours within several months. But it will involve some
complicated analysis. For now, I suggest you follow Andrew's
advice---or just take your risk if speed matters more than security
for you. But know then that you are entering uncharted and especially
ill-understood waters and that any guesses you might have for X (or
even that this is the right question) are likely to be wrong, and you
really will have no idea what kind of protection you are getting.

HTH,
Paul


Re: all traffic through a VPN on top of tor, done!

2009-11-12 Thread Andrea Ratto
Thanks for the help. I actually have a VPN running on top of tor now!

The script I use is shaping up nicely and I can share it here, if there
is interest. It also supports direct connections and http proxy instead
of tor. I use it for all my VPN needs.

The use case for tor under the vpn is when you are on a hostile LAN
(your neighbor's wireless :-D )
The LAN administrator can't see where you are connecting to or what you
are doing there, while the exit node just knows it's ssh.
I use it to create a VPN with my home server so that I can use the
internet as if I was at my house.

The only problem I am facing is the lack of speed. Can something be done
about it? I was thinking of reducing the circuit length, but it seems
there is no option for that. Any suggestion is welcome.

PS: I don't know yet if it will work for hours...

On Sat, 07/11/2009 at 15.08 +, jackwssp q wrote:
>
> 2009/10/30 Andrea Ratto andrearatto_li...@yahoo.it
>
>> Hello list!
>> To run a VPN on top of tor one must be able to separate tor traffic from
>> the rest and route tor connections to the physical network, and
>> everything else to the vpn virtual interface.
>>
>> That is theoretically possible by doing something like this:
>> 1- bootstrap tor and have it connect to some relays
>> 2- get the ip addresses of those relays
>> 3- instruct tor not to connect to anyone else
>> 4- add routing for those addresses and start the VPN
>>
>> I can do points 1 and 4, but I am not sure if points 2 and 3 are
>> practically possible with tor. This is where I ask for help.
>>
>> If I put it all together I will be happy to share my script for a VPN on
>> top of SSH on top of tor, for an exotic blend of anonymity,
>> confidentiality and authentication. For any clarifications,
>> please ask.
>>
>> Bye
>
> Hello!
>
> To do points 2 and 3:
>
> Choose relay_name here: http://trunk.torstatus.kgprog.com/index.php
>
> And put in the torrc config file:
>
> StrictEntryNodes 1
> EntryNodes relay_name
>
> RTFM: https://www.torproject.org/tor-manual.html
> --
> with best re


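One way to carry out steps 2 to 4 of the procedure in Andrea's original post, using the StrictEntryNodes/EntryNodes setting from the reply: this is an added example, not the thread's or Andrea's script. It assumes a Linux host whose routes are set with `ip route`, a physical gateway 192.168.1.1 on eth0, a VPN interface tun0, and constructed torrc and network-status lines; it returns the route commands instead of running them, and the egress check shows where a relay that the strict list does not cover would end up.

```python
import ipaddress

# Constructed sample torrc fragment, in the style of the reply above.
TORRC = """\
StrictEntryNodes 1
EntryNodes relayA,relayB
"""

# Constructed "r" lines in the format of a Tor network-status document
# (nickname, identity, digest, date, time, IP, ORPort, DirPort); the
# fingerprints are placeholders and the addresses are documentation ranges.
NS_LINES = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2009-11-12 10:00:00 203.0.113.10 9001 9030
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2009-11-12 10:00:00 198.51.100.20 443 0
r other  EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2009-11-12 10:00:00 192.0.2.30 9001 0
"""

def parse_torrc(text):
    """Minimal torrc reader: one 'Key value' per line, '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts[key] = val.strip()
    return opts

def pinned_entry_nodes(opts):
    """Step 3: only a *strict* EntryNodes list tells us every relay the client
    will open a TCP connection to; without it Tor may still pick other guards,
    which the host routes built below would not cover."""
    if opts.get("StrictEntryNodes") != "1":
        raise ValueError("StrictEntryNodes 1 is required for a complete route plan")
    return [n.strip() for n in opts.get("EntryNodes", "").split(",") if n.strip()]

def relay_addresses(ns_text, nicknames):
    """Step 2: resolve the pinned nicknames to (IP, ORPort) from the 'r' lines."""
    wanted, found = set(nicknames), {}
    for line in ns_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "r" and f[1] in wanted:
            found[f[1]] = (ipaddress.ip_address(f[6]), int(f[7]))
    missing = wanted - set(found)
    if missing:
        raise ValueError(f"relays not in network status: {sorted(missing)}")
    return found

def route_plan(addrs, phys_gw, phys_if, tun_if):
    """Step 4: host routes for the relays via the physical gateway, then two /1
    routes that beat the original default route for everything else."""
    cmds = [f"ip route add {ip}/32 via {phys_gw} dev {phys_if}"
            for _nick, (ip, _port) in sorted(addrs.items())]
    cmds += [f"ip route add 0.0.0.0/1 dev {tun_if}",
             f"ip route add 128.0.0.0/1 dev {tun_if}"]
    return cmds

def egress_interface(dst, addrs, phys_if, tun_if):
    """Longest-prefix match over the plan above. A relay that is NOT pinned
    resolves to the tunnel, i.e. Tor would try to reach it through the VPN
    that itself runs over Tor: the loop a strict node list prevents."""
    dst = ipaddress.ip_address(dst)
    return phys_if if any(ip == dst for ip, _port in addrs.values()) else tun_if

def build(torrc=TORRC, ns=NS_LINES, phys_gw="192.168.1.1",
          phys_if="eth0", tun_if="tun0"):
    """Run steps 2 to 4; return the resolved relays and the route commands."""
    addrs = relay_addresses(ns, pinned_entry_nodes(parse_torrc(torrc)))
    return addrs, route_plan(addrs, phys_gw, phys_if, tun_if)
```

Tor's directory fetches must also go through the pinned relay (the TunnelDirConns option, on by default in Tor releases of that period) or they will take the tunnel route as well.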


Re: all traffic through a VPN on top of tor, done!

2009-11-12 Thread John Case


On Thu, 12 Nov 2009, Andrea Ratto wrote:

> The only problem I am facing is the lack of speed. Can something be done
> about it? I was thinking of reducing the circuit length, but it seems
> there is no option for that. Any suggestion is welcome.

Can one use a node listing like this:

http://torstatus.kgprog.com/index.php?SR=Bandwidth&SO=Desc

and then alter one's config to only connect, and build circuits with, nodes
with greater than X bandwidth ?

Looks like there are 50+ nodes with greater than 1 MBps bandwidth ...

I suppose it's reasonable to assume that malevolent/compromised/government
nodes will be higher in the bandwidth chart ?  So perhaps the top 50 nodes
represent far less anonymity than a randomly chosen 50 nodes ?  Hard to
say.

Another option would be to build your own co-located network of 10 (or so
?) nodes, and use them as a pool to build at least two out of three hops
with ?  That way you're getting high speed, but you trust the overall
circuit because you know that at least 2/3 of your circuit is not
malevolent.

I asked this question a month or so ago and did not see any answers - if
one _did_ build a small (10 or so nodes) network of tor relays and used
them as 1/3 or 2/3 of all circuits built ... perhaps allowing 80% of their
bandwidth to be used by Tor proper, and (secretly) saving 20% for
themselves ... is that a medium, low, or laughable amount of anonymity ?

If it's laughable, what's a good number ? 20 ? 100 ?




Re: all traffic through a VPN on top of tor, done!

2009-11-12 Thread Andrea Ratto
I don't really know. I think that you really don't want to be your own
anonymizer, unless you control computers all over the world. It seems
you are just trying to shorten the circuit.

For this kind of use (VPN) you are connecting to a server you implicitly
trust, since you control it. You don't really need strong anonymity; one
single encrypted hop would be enough.
Any malicious node has only one way of attacking you: be the man in the
middle and try to get your ssh key. But ssh comes with protections
against it and, with a simple precaution, even a malicious node is ok,
if it routes your traffic.

I already picked a near and fast entry node but it did not really
help.
I would just like to shorten the circuit, but it seems there is no
option for doing that. I hope they change their mind and put one in, maybe
limited to 3 hops, so that it can't be used to over-saturate the
network.

On Fri, 13/11/2009 at 01.17 +, John Case wrote:
> and use them as a pool to build at least two out of three hops
> with ?  That way you're getting high speed, but you trust the overall
> circuit because you know that at least 2/3 of your circuit is not
> malevolent.
>
> I asked this question a month or so ago and did not see any answers - if
> one _did_ build a small (10 or so nodes) network of tor relays and used
> them as 1/3 or 2
