Tor and network security/administration

Lionel Elie Mamane lionel at mamane.lu
Mon Jun 19 06:05:35 UTC 2006


On Sat, Jun 17, 2006 at 08:49:43AM -0500, Kevin Day wrote:
> On Jun 17, 2006, at 8:29 AM, Jeremy Chadwick wrote:

>> Being as I'm not a network administrator myself (although I do
>> filter some stuff using pf and ipfw on my servers), I'm curious what
>> NAs think of the following technology:

> We've had considerable problems with Tor.

> Idiots who like to use stolen credit cards to buy things online find
> Tor a nice haven of deniability and covering their tracks.

> Our IRC servers, and discussion sites also have had to ban all Tor
> IPs that we've seen because of troublemakers using them to evade
> bans.

> I don't find the anonymity a bad thing, but I would be a whole lot
> happier if the default configuration for people running Tor servers
> included an option to add HTTP headers saying that it's going
> through Tor, so we could decide if we wanted to conduct financial
> transactions with them or not.

You don't do your financial transactions over HTTPS? If you do, by the
very design of SSL, the tor exit node cannot add any HTTP header. That
would be a man-in-the-middle attack on SSL. (Unless you count that
users will click "accept" on any "this could be a forged certificate"
warning.)

More generally, tor is not an HTTP proxy, but a TCP proxy. Which
doesn't mean it cannot (as in "there is a Turing machine that does
it") also go up from layer 4/5 to layer 7 for certain specific
application protocols; it would only be harder, ask for more
resources from the node, ...

-- 
Lionel
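As an added illustration of the SSL point above (example code written for this page, not anything posted in the thread): a TCP relay can tag a plaintext HTTP request at layer 7, but the same splice into an integrity-protected record is rejected by the server. The toy encrypt-then-MAC cipher is an assumption standing in for a TLS record, and REQUEST is a constructed sample.

```python
import hashlib
import hmac
import os

REQUEST = b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\ncard=4111..."  # constructed

def _keystream(key, nonce, n):
    """Toy keystream: HMAC-SHA256 in counter mode (assumption; stand-in for a TLS cipher)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, nonce, plaintext):
    """Encrypt-then-MAC, modelling a TLS record: the tag covers every ciphertext byte."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, record):
    """Server side: reject any record whose tag no longer matches the bytes received."""
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def tag_as_tor(stream):
    """The behaviour the thread proposes for an exit node: add a header after the request
    line. That needs layer-7 structure, so on opaque bytes it can only splice blindly."""
    line, sep, rest = stream.partition(b"\r\n")
    if sep and line.endswith(b" HTTP/1.1"):
        return line + sep + b"X-Via-Tor: yes" + sep + rest
    return stream[:20] + b"X-Via-Tor: yes\r\n" + stream[20:]

def merchant_sees_tor_header(request):
    """The check a merchant would run before accepting a payment over plain HTTP."""
    headers = request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
    return any(h.lower().startswith(b"x-via-tor:") for h in headers)

def demo():
    """Returns (header seen on plain HTTP, spliced record accepted, header seen via TLS)."""
    key, nonce = os.urandom(32), os.urandom(12)
    record = seal(key, nonce, REQUEST)
    try:
        unseal(key, tag_as_tor(record))
        spliced_ok = True
    except ValueError:
        spliced_ok = False  # the server drops the tampered record
    return (merchant_sees_tor_header(tag_as_tor(REQUEST)), spliced_ok,
            merchant_sees_tor_header(unseal(key, record)))
```

The untouched record decrypts to the original request with no header, which is why an exit-side header can only ever signal plain HTTP traffic.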



More information about the NANOG mailing list