diff options
author | Nick Mathewson <nickm@torproject.org> | 2011-02-21 16:09:23 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-02-21 16:09:23 -0500 |
commit | d673479ebaa29b2dc8f227c342785112c945ec18 (patch) | |
tree | 34407f050e03c1e0b91055b6e06cef227286bee4 /doc/spec/proposals/129-reject-plaintext-ports.txt | |
parent | 9b745cdbf9cd7384e44e18bf40a3d2c9becbc345 (diff) | |
parent | 7bdb7d4811bb5ff027e124e6558181167c2e2f91 (diff) | |
download | tor-d673479ebaa29b2dc8f227c342785112c945ec18.tar tor-d673479ebaa29b2dc8f227c342785112c945ec18.tar.gz |
Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2
Conflicts:
doc/Makefile.am
doc/spec/Makefile.am
doc/spec/address-spec.txt
doc/spec/bridges-spec.txt
doc/spec/control-spec-v0.txt
doc/spec/control-spec.txt
doc/spec/dir-spec-v1.txt
doc/spec/dir-spec-v2.txt
doc/spec/dir-spec.txt
doc/spec/path-spec.txt
doc/spec/proposals/000-index.txt
doc/spec/proposals/001-process.txt
doc/spec/proposals/098-todo.txt
doc/spec/proposals/099-misc.txt
doc/spec/proposals/100-tor-spec-udp.txt
doc/spec/proposals/101-dir-voting.txt
doc/spec/proposals/102-drop-opt.txt
doc/spec/proposals/103-multilevel-keys.txt
doc/spec/proposals/104-short-descriptors.txt
doc/spec/proposals/105-handshake-revision.txt
doc/spec/proposals/106-less-tls-constraint.txt
doc/spec/proposals/107-uptime-sanity-checking.txt
doc/spec/proposals/108-mtbf-based-stability.txt
doc/spec/proposals/109-no-sharing-ips.txt
doc/spec/proposals/110-avoid-infinite-circuits.txt
doc/spec/proposals/111-local-traffic-priority.txt
doc/spec/proposals/112-bring-back-pathlencoinweight.txt
doc/spec/proposals/113-fast-authority-interface.txt
doc/spec/proposals/114-distributed-storage.txt
doc/spec/proposals/115-two-hop-paths.txt
doc/spec/proposals/116-two-hop-paths-from-guard.txt
doc/spec/proposals/117-ipv6-exits.txt
doc/spec/proposals/118-multiple-orports.txt
doc/spec/proposals/119-controlport-auth.txt
doc/spec/proposals/120-shutdown-descriptors.txt
doc/spec/proposals/121-hidden-service-authentication.txt
doc/spec/proposals/122-unnamed-flag.txt
doc/spec/proposals/123-autonaming.txt
doc/spec/proposals/124-tls-certificates.txt
doc/spec/proposals/125-bridges.txt
doc/spec/proposals/126-geoip-reporting.txt
doc/spec/proposals/127-dirport-mirrors-downloads.txt
doc/spec/proposals/128-bridge-families.txt
doc/spec/proposals/129-reject-plaintext-ports.txt
doc/spec/proposals/130-v2-conn-protocol.txt
doc/spec/proposals/131-verify-tor-usage.txt
doc/spec/proposals/132-browser-check-tor-service.txt
doc/spec/proposals/134-robust-voting.txt
doc/spec/proposals/135-private-tor-networks.txt
doc/spec/proposals/137-bootstrap-phases.txt
doc/spec/proposals/138-remove-down-routers-from-consensus.txt
doc/spec/proposals/140-consensus-diffs.txt
doc/spec/proposals/141-jit-sd-downloads.txt
doc/spec/proposals/142-combine-intro-and-rend-points.txt
doc/spec/proposals/143-distributed-storage-improvements.txt
doc/spec/proposals/145-newguard-flag.txt
doc/spec/proposals/146-long-term-stability.txt
doc/spec/proposals/147-prevoting-opinions.txt
doc/spec/proposals/148-uniform-client-end-reason.txt
doc/spec/proposals/149-using-netinfo-data.txt
doc/spec/proposals/150-exclude-exit-nodes.txt
doc/spec/proposals/151-path-selection-improvements.txt
doc/spec/proposals/152-single-hop-circuits.txt
doc/spec/proposals/153-automatic-software-update-protocol.txt
doc/spec/proposals/154-automatic-updates.txt
doc/spec/proposals/155-four-hidden-service-improvements.txt
doc/spec/proposals/156-tracking-blocked-ports.txt
doc/spec/proposals/157-specific-cert-download.txt
doc/spec/proposals/158-microdescriptors.txt
doc/spec/proposals/159-exit-scanning.txt
doc/spec/proposals/ideas/xxx-hide-platform.txt
doc/spec/proposals/ideas/xxx-port-knocking.txt
doc/spec/proposals/ideas/xxx-separate-streams-by-port.txt
doc/spec/proposals/ideas/xxx-what-uses-sha1.txt
doc/spec/proposals/reindex.py
doc/spec/rend-spec.txt
doc/spec/socks-extensions.txt
doc/spec/tor-spec.txt
doc/spec/version-spec.txt
Diffstat (limited to 'doc/spec/proposals/129-reject-plaintext-ports.txt')
-rw-r--r-- | doc/spec/proposals/129-reject-plaintext-ports.txt | 114 |
1 files changed, 0 insertions, 114 deletions
diff --git a/doc/spec/proposals/129-reject-plaintext-ports.txt b/doc/spec/proposals/129-reject-plaintext-ports.txt deleted file mode 100644 index 8080ff5b7..000000000 --- a/doc/spec/proposals/129-reject-plaintext-ports.txt +++ /dev/null @@ -1,114 +0,0 @@ -Filename: 129-reject-plaintext-ports.txt -Title: Block Insecure Protocols by Default -Author: Kevin Bauer & Damon McCoy -Created: 2008-01-15 -Status: Closed -Implemented-In: 0.2.0.x - -Overview: - - Below is a proposal to mitigate insecure protocol use over Tor. - - This document 1) demonstrates the extent to which insecure protocols are - currently used within the Tor network, and 2) proposes a simple solution - to prevent users from unknowingly using these insecure protocols. By - insecure, we consider protocols that explicitly leak sensitive user names - and/or passwords, such as POP, IMAP, Telnet, and FTP. - -Motivation: - - As part of a general study of Tor use in 2006/2007 [1], we attempted to - understand what types of protocols are used over Tor. While we observed a - enormous volume of Web and Peer-to-peer traffic, we were surprised by the - number of insecure protocols that were used over Tor. For example, over an - 8 day observation period, we observed the following number of connections - over insecure protocols: - - POP and IMAP:10,326 connections - Telnet: 8,401 connections - FTP: 3,788 connections - - Each of the above listed protocols exchange user name and password - information in plain-text. As an upper bound, we could have observed - 22,515 user names and passwords. This observation echos the reports of - a Tor router logging and posting e-mail passwords in August 2007 [2]. The - response from the Tor community has been to further educate users - about the dangers of using insecure protocols over Tor. However, we - recently repeated our Tor usage study from last year and noticed that the - trend in insecure protocol use has not declined. Therefore, we propose that - additional steps be taken to protect naive Tor users from inadvertently - exposing their identities (and even passwords) over Tor. - -Security Implications: - - This proposal is intended to improve Tor's security by limiting the - use of insecure protocols. - - Roger added: By adding these warnings for only some of the risky - behavior, users may do other risky behavior, not get a warning, and - believe that it is therefore safe. But overall, I think it's better - to warn for some of it than to warn for none of it. - -Specification: - - As an initial step towards mitigating the use of the above-mentioned - insecure protocols, we propose that the default ports for each respective - insecure service be blocked at the Tor client's socks proxy. These default - ports include: - - 23 - Telnet - 109 - POP2 - 110 - POP3 - 143 - IMAP - - Notice that FTP is not included in the proposed list of ports to block. This - is because FTP is often used anonymously, i.e., without any identifying - user name or password. - - This blocking scheme can be implemented as a set of flags in the client's - torrc configuration file: - - BlockInsecureProtocols 0|1 - WarnInsecureProtocols 0|1 - - When the warning flag is activated, a message should be displayed to - the user similar to the message given when Tor's socks proxy is given an IP - address rather than resolving a host name. - - We recommend that the default torrc configuration file block insecure - protocols and provide a warning to the user to explain the behavior. - - Finally, there are many popular web pages that do not offer secure - login features, such as MySpace, and it would be prudent to provide - additional rules to Privoxy to attempt to protect users from unknowingly - submitting their login credentials in plain-text. - -Compatibility: - - None, as the proposed changes are to be implemented in the client. - -References: - - [1] Shining Light in Dark Places: A Study of Anonymous Network Usage. - University of Colorado Technical Report CU-CS-1032-07. August 2007. - - [2] Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise. - http://www.wired.com/politics/security/news/2007/09/embassy_hacks. - Wired. September 10, 2007. - -Implementation: - - Roger added this feature in - http://archives.seul.org/or/cvs/Jan-2008/msg00182.html - He also added a status event for Vidalia to recognize attempts to use - vulnerable-plaintext ports, so it can help the user understand what's - going on and how to fix it. - -Next steps: - - a) Vidalia should learn to recognize this controller status event, - so we don't leave users out in the cold when we enable this feature. - - b) We should decide which ports to reject by default. The current - consensus is 23,109,110,143 -- the same set that we warn for now. - |