diff options
author | Roger Dingledine <arma@torproject.org> | 2008-01-21 16:57:12 +0000 |
---|---|---|
committer | Roger Dingledine <arma@torproject.org> | 2008-01-21 16:57:12 +0000 |
commit | 10ed49643e264b375df282269393666c87d30bdb (patch) | |
tree | 37c9cbda542678e19c97ef96d257c0ed36971f39 /doc | |
parent | a4a802d31fd4f26811245ad3b0e45bc080bd96e0 (diff) | |
download | tor-10ed49643e264b375df282269393666c87d30bdb.tar.gz tor-10ed49643e264b375df282269393666c87d30bdb.zip |
proposal from Kevin Bauer & Damon McCoy to reject vulnerable-plaintext
ports (reformatted by me)
svn:r13210
Diffstat (limited to 'doc')
-rw-r--r-- | doc/spec/proposals/129-reject-plaintext-ports | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/doc/spec/proposals/129-reject-plaintext-ports b/doc/spec/proposals/129-reject-plaintext-ports new file mode 100644 index 0000000000..d92b3a9331 --- /dev/null +++ b/doc/spec/proposals/129-reject-plaintext-ports @@ -0,0 +1,90 @@ +Below is a proposal to mitigate insecure protocol use over Tor. + +Title: Block Insecure Protocols by Default +Author: Kevin Bauer & Damon McCoy +Date: January 15, 2008 + +Overview: + + This document 1) demonstrates the extent to which insecure protocols are + currently used within the Tor network, and 2) proposes a simple solution + to prevent users from unknowingly using these insecure protocols. By + insecure, we consider protocols that explicitly leak sensitive user names + and/or passwords, such as POP, IMAP, Telnet, and FTP. + +Motivation: + + As part of a general study of Tor use in 2006/2007 [1], we attempted to + understand what types of protocols are used over Tor. While we observed a + enormous volume of Web and Peer-to-peer traffic, we were surprised by the + number of insecure protocols that were used over Tor. For example, over an + 8 day observation period, we observed the following number of connections + over insecure protocols: + + POP and IMAP:10,326 connections + Telnet: 8,401 connections + FTP: 3,788 connections + + Each of the above listed protocols exchange user name and password + information in plain-text. As an upper bound, we could have observed + 22,515 user names and passwords. This observation echos the reports of + a Tor router logging and posting e-mail passwords in August 2007 [2]. The + response from the Tor community has been to further educate users + about the dangers of using insecure protocols over Tor. However, we + recently repeated our Tor usage study from last year and noticed that the + trend in insecure protocol use has not declined. Therefore, we propose that + additional steps be taken to protect naive Tor users from inadvertently + exposing their identities (and even passwords) over Tor. + +Security Implications: + + None. This proposal is intended to improve Tor's security by limiting the + use of insecure protocols. + +Specification: + + As an initial step towards mitigating the use of the above-mentioned + insecure protocols, we propose that the default ports for each respective + insecure service be blocked at the Tor client's socks proxy. These default + ports include: + + 23 - Telnet + 109 - POP2 + 110 - POP3 + 143 - IMAP + + Notice that FTP is not included in the proposed list of ports to block. This + is because FTP is often used anonymously, i.e., without any identifying + user name or password. + + This blocking scheme can be implemented as a set of flags in the client's + torrc configuration file: + + BlockInsecureProtocols 0|1 + WarnInsecureProtocols 0|1 + + When the warning flag is activated, a message should be displayed to + the user similar to the message given when Tor's socks proxy is given an IP + address rather than resolving a host name. + + We recommend that the default torrc configuration file block insecure + protocols and provide a warning to the user to explain the behavior. + + Finally, there are many popular web pages that do not offer secure + login features, such as MySpace, and it would be prudent to provide + additional rules to Privoxy to attempt to protect users from unknowingly + submitting their login credentials in plain-text. + +Compatibility: + + None, as the proposed changes are to be implemented in the client. + +References: + + [1] Shining Light in Dark Places: A Study of Anonymous Network Usage. + University of Colorado Technical Report CU-CS-1032-07. August 2007. + + [2] Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise. + http://www.wired.com/politics/security/news/2007/09/embassy_hacks. + Wired. September 10, 2007. + |