Hi Manfred, I find it's a very interesting idea! Just never got to actually study your message. It's still marked unread in my inbox so I will be reminded to read it when time comes.
Not sure why no one else answered. Perhaps because it looks at first sight like a lot of text and quite difficult.

Cheers,
adrelanos

Manfred Ackermann:
> Hi List.
>
> Sorry to push this up, just wondering if this approach is so stupid that
> it's not even worth leaving a related comment to it ;-) Or is it just of no
> interest?
>
> Any comments appreciated.
>
> Greetings, Manfred
> On 26.10.2013 01:09, "Manfred Ackermann" <[email protected]> wrote:
>
>> I've just finished successfully a Proof-of-Concept to implement
>> anonymization at server level. I would be pleased if you guys can review
>> this approach and extend it and/or show me the caveats ;-)
>>
>> The rough picture is assuming someone somehow injected bad code into a
>> seized site to get hands on visitor infos collected out of HTTP
>> Request/Response (visitor not capable of setting up privoxy the right way
>> or even socksing directly into tor).
>>
>> To protect I've:
>> - set up one HiddenService (aaaVisible.onion) that connects to intercepting
>>   privoxy (IPr)
>> - set up 2nd HiddenService (bbbDblHidden.onion) only accepting from (IPr)
>> - set up IPr to rewrite aaaVisible.onion to bbbDblHidden.onion removing bad
>>   stuff from Req./Resp.
>>
>> This makes the Service double Hidden, more difficult to hack into it,
>> redirect-able and protects dumb visitors against revealing information
>> (fingerprints).
>>
>> Client <-> Tor <-> Tor:HS <-> Privoxy <-> Tor <-> Tor:HS <-> (STunnel <->)
>> Service
>>
>> The STunnel is used to move the IPv4 Service away from the HiddenService
>> declaration and is optional but recommended. Also Service is only allowed to
>> "speak" to STunnel and has no Internet access.
>>
>> To check this out on a single server w/o STunnel do this (named
>> onion-links ARE AN EXAMPLE ONLY):
>>
>> Get Tor and Privoxy up'n'running like a normal Tor-Entry-Point.
>>
>> Modify /etc/tor/torrc:
>>
>>     HiddenServiceDir /var/lib/tor/onion_relay/
>>     HiddenServicePort 80 127.0.0.1:8118
>>
>>     HiddenServiceDir /var/lib/tor/hidden_service/
>>     HiddenServicePort 80 127.0.0.1:80
>>
>> Do on the shell
>>
>>     /etc/init.d/tor restart
>>
>> or in arm do x x to sighup tor.
>>
>> As AN EXAMPLE this gives
>>
>>     mr2t4bnopbqy2ql7.onion => "Onion-Relay"
>>     cmt6wblsm36iuoqn.onion => "HiddenService"
>>
>> Prepare the Service (here Apache2):
>>
>> Create /etc/apache/sites-available/tor
>>
>>     <VirtualHost *:80>
>>         ServerAdmin [email protected]
>>         ServerName cmt6wblsm36iuoqn.onion
>>         DocumentRoot /var/www/tor
>>         <Directory />
>>             Options FollowSymLinks
>>             AllowOverride None
>>         </Directory>
>>         <Directory /var/www/tor>
>>             Options Indexes FollowSymLinks MultiViews
>>             AllowOverride None
>>             SetEnvIf X-Onion-Relay-Passphrase JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs ONION_RELAY_AUTH
>>             Order Deny,Allow
>>             Deny from All
>>             Allow from env=ONION_RELAY_AUTH
>>         </Directory>
>>         ErrorLog ${APACHE_LOG_DIR}/tor-error.log
>>         LogLevel warn
>>         CustomLog ${APACHE_LOG_DIR}/tor-access.log combined
>>     </VirtualHost>
>>
>> Do on the shell
>>
>>     mkdir /var/www/tor
>>     echo '<html><body><h1>cmt6wblsm36iuoqn.onion</h1>
>>     <img src="http://cmt6wblsm36iuoqn.onion/x.jpg"></body></html>' \
>>         > /var/www/tor/index.html
>>     cp some-nice-jpg-file.jpg /var/www/tor/x.jpg
>>     cd /etc/apache/sites-enabled
>>     ln -s ../sites-available/tor 001-tor
>>     /etc/init.d/apache2 restart
>>
>> Prepare Privoxy
>>
>> In /etc/privoxy/config:
>>
>>     accept-intercepted-requests 1
>>
>> In /etc/privoxy/user.action:
>>
>>     { \
>>     +hide-user-agent{Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0 (Tor Browser Bundle)} \
>>     +hide-accept-language{en-us,en;q=0.5} \
>>     }
>>     /
>>
>>     { \
>>     +server-header-filter{server-ident-rewrite} \
>>     +client-header-filter{onion-request-rewrite} \
>>     +filter{onion-response-rewrite} \
>>     +add-header{X-Onion-Relay-Passphrase: JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs} \
>>     }
>>     mr2t4bnopbqy2ql7.onion
>>
>> In /etc/privoxy/user.filter:
>>
>>     SERVER-HEADER-FILTER: server-ident-rewrite Replace Server Ident String
>>     s@^(Server:)\s*.*$@$1 Http/1.1@i
>>     CLIENT-HEADER-FILTER: onion-request-rewrite Replace x.onion with y.onion
>>     s@^(Host:)\s*mr2t4bnopbqy2ql7.onion$@$1 cmt6wblsm36iuoqn.onion@i
>>     FILTER: onion-response-rewrite Replace y.onion with x.onion
>>     s/cmt6wblsm36iuoqn\.onion/mr2t4bnopbqy2ql7.onion/ig
>>
>> Do on the shell
>>
>>     /etc/init.d/privoxy restart
>>
>> Try in the browser:
>>
>> HiddenService direct: cmt6wblsm36iuoqn.onion => 403 Forbidden
>> HiddenService indirect by Privoxy onion-rewrite: mr2t4bnopbqy2ql7.onion =>
>> the Result from cmt6wblsm36iuoqn.onion
>>
>> Have a look at the Response Headers (e.g. Firefox Plugin WebDeveloper =>
>> Information => Response Header) and you see Server: Apache/2.2.22
>> (Ubuntu) is replaced by Server: Http/1.1. Also do modify index-file in
>> web-root to show Request-Vars like user-agent and accept-language ... here
>> for example response content can be removed to prevent 3rd party JavaScript
>> or Flash injection to the visitor.
>> ---
>> Regards,
>> Manfred Ackermann
>> PGP 0xED5E5F28
>>
>> --
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
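An added example, not part of the original thread: a Python emulation of the three user.filter substitutions quoted above, run over constructed headers to check what the backend and the client each see. It assumes, as Privoxy documents, that header filters act on single header lines and +filter acts on the response body; the function names, sample traffic and placeholder passphrase are constructed for illustration.

```python
import re

RELAY = "mr2t4bnopbqy2ql7.onion"    # public address (example value from the post)
HIDDEN = "cmt6wblsm36iuoqn.onion"   # backend address (example value from the post)

# The three user.filter substitutions from the post, as Python regexes.
SERVER_IDENT = (re.compile(r"^(Server:)\s*.*$", re.I), r"\1 Http/1.1")
HOST_REWRITE = (re.compile(r"^(Host:)\s*mr2t4bnopbqy2ql7.onion$", re.I),
                r"\1 " + HIDDEN)
BODY_REWRITE = (re.compile(r"cmt6wblsm36iuoqn\.onion", re.I), RELAY)

# Constructed sample traffic (not captured from a real service).
REQ = ["Host: mr2t4bnopbqy2ql7.onion", "User-Agent: ExampleBrowser/1.0"]
RESP = ["Server: Apache/2.2.22 (Ubuntu)",
        "Location: http://cmt6wblsm36iuoqn.onion/docs/"]
BODY = '<img src="http://cmt6wblsm36iuoqn.onion/x.jpg">'


def rewrite_request(headers, passphrase):
    """Headers the backend receives: Host rewritten, passphrase header added."""
    pat, rep = HOST_REWRITE
    out = [pat.sub(rep, h) for h in headers]
    out.append("X-Onion-Relay-Passphrase: " + passphrase)
    return out


def rewrite_response(headers, body):
    """What the client receives: Server ident replaced, body addresses rewritten."""
    pat, rep = SERVER_IDENT
    new_headers = [pat.sub(rep, h) for h in headers]
    bpat, brep = BODY_REWRITE
    return new_headers, bpat.sub(brep, body)


def leaks(client_headers, client_body):
    """List the places where the backend address is still visible to the client."""
    found = [h for h in client_headers if HIDDEN in h.lower()]
    if HIDDEN in client_body.lower():
        found.append("<body>")
    return found


if __name__ == "__main__":
    print(rewrite_request(REQ, "EXAMPLE-PASSPHRASE"))   # constructed placeholder
    headers, body = rewrite_response(RESP, BODY)
    print(headers, body)
    print("still exposes backend address:", leaks(headers, body))
```

In the constructed response the body and the Server header are rewritten, but the Location header passes through with the backend address, so a redirect issued by the backend would need its own server-header-filter rule. A Host header that carries an explicit port also fails the `$`-anchored request match and reaches the backend unrewritten.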
