Security
A Look at The Onion Router (Tor)
Last week we promised a look at Tor, a system for anonymous Internet communication, primarily developed by Nick Mathewson and Roger Dingledine. Current development is supported by the Electronic Frontier Foundation (EFF), but Tor was originally developed as part of the U.S. Naval Research Laboratory's Onion Routing program.
As the Tor web page explains, Tor is a "toolset for a wide range of organizations and people that want to improve their safety and security on the Internet". What does that mean? In a nutshell, Tor is a client/server application that anonymizes traffic by routing it from the client through a series of nodes to hide the origin of a request. It can also be used to protect services against denial of service attacks and the like by hiding their origin.
Tor routes traffic through nodes that "know" about the previous node and the next node -- but not the rest of the network. By routing traffic through a series of "onion routers" Tor makes it difficult for the receiver, observers and even other Tor routers to detect the source of traffic. A more complete description of Tor's design can be found in the design paper; a protocol specification is also available for those who wish to build compatible software.
Tor works as both a server and as a client. By default, Tor runs as a client only, but it can be configured to allow other users to connect to your system as a Tor node. In addition, Tor can be used to run "hidden" services that do not reveal your IP address to others at all. The "hidden wiki" maintains a list of hidden services that users can see as an example. Finally, it's possible to set up one's own Tor network that does not interact with the public Tor network, for those who want to test the protocol but may lack access to the Internet.
To achieve best results, one may need to use Tor in conjunction with other applications. For example, users who wish to browse anonymously would use Tor in conjunction with Privoxy. Other applications may require use of tsocks or ProxyChains.
To see what Tor had to offer, we installed it on an Ubuntu Hoary machine, along with Privoxy, tsocks and ProxyChains. Configuring services to work with Tor is not terribly difficult, and there is a relatively detailed HOWTO for users who wish to configure specific applications like Gaim, X-Chat, SSH or BitTorrent with Tor.
It should be noted that using Tor can have an impact on performance for client applications. Using Tor and Privoxy together for browsing, for example, introduced a notable lag. Firefox users may be interested in using the SwitchProxy Tool extension to switch proxy use on and off, reserving Tor for specific sites rather than for all web browsing. Users should also be prepared for some odd behavior on some sites -- for example, we kept being redirected to country-specific versions of Google, rather than Google's main site, when using Tor and Privoxy. Tor itself didn't seem to have much of an impact on system performance overall.
Tor is not completely foolproof. It could be possible for someone who's running a Tor server to modify Tor or use other software to monitor traffic going through the server. Traffic coming out of the "exit node" (the last hop in the Tor "circuit") is not encrypted, so a malicious user could set up a Tor server and browse traffic coming out of their machine. (It is possible to specify your exit node in the Tor configuration.) There are also potential JavaScript issues, and there are other ways to analyze traffic that passes through Tor.
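The two points above, that each router learns only its neighbours and that the exit sees the bare request, are easy to see in miniature. The following is an added illustration, not code from the Tor project: a toy SHA-256 keystream stands in for Tor's AES-CTR, the JSON "cell" format is invented for readability, and the per-hop keys are assumed to have been established by the circuit handshake already.

```python
import hashlib
import json

def keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream; stands in for Tor's AES-CTR, NOT a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call adds a layer (client) or peels it (relay)."""
    return bytes(a ^ b for a, b in zip(keystream(key, len(data)), data))

def build_onion(keys: dict, path: list, payload: bytes) -> bytes:
    """Wrap the payload innermost-first so the first hop peels the outer layer.
    Each layer names only the NEXT hop, never the client or the whole path."""
    cell = payload
    for i in reversed(range(len(path))):
        nxt = path[i + 1] if i + 1 < len(path) else None
        layer = json.dumps({"next": nxt, "inner": cell.hex()}).encode()
        cell = xor_layer(keys[path[i]], layer)
    return cell

def relay(keys: dict, first_hop: str, cell: bytes, sender: str):
    """Pass the cell along the circuit, recording what each relay can observe."""
    trace, hop, prev = [], first_hop, sender
    while hop is not None:
        layer = json.loads(xor_layer(keys[hop], cell))   # peel this hop's layer
        nxt, cell = layer["next"], bytes.fromhex(layer["inner"])
        trace.append({"node": hop, "prev": prev, "next": nxt,
                      "sees_plaintext": nxt is None})  # only the exit reads it
        prev, hop = hop, nxt
    return trace, cell   # at the exit the cell is the bare request

def demo():
    # Constructed per-hop keys and path; in Tor these come from the handshake.
    keys = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}
    path = ["guard", "middle", "exit"]
    request = b"GET http://example.com/ HTTP/1.0"
    return relay(keys, path[0], build_onion(keys, path, request), sender="client")

if __name__ == "__main__":
    trace, plaintext = demo()
    for step in trace:
        print(step)
    print(plaintext)
```

The trace shows the guard seeing "client" but not the request, and the exit seeing the request but only "middle" as its previous hop; anything the application does not encrypt end-to-end itself (for instance with HTTPS) is readable at that last hop.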
Interested users should also have a look at the EFF's legal issues page about Tor. Though Tor can be used for things like BitTorrent, it is not designed to assist copyright infringement or other illegal activity.
There is still a lot of development ahead for Tor, but it is definitely worth a look for users who are interested in anonymous communication on the Internet. Users with bandwidth to spare are also encouraged to set up and run a Tor server to help test its scalability and to help provide a larger Tor network. See the download page for Tor packages and source code.
New vulnerabilities
apache-utils: htpasswd buffer overflow
| Package(s): | apache-utils | CVE #(s): | |
| Created: | May 26, 2005 | Updated: | June 1, 2005 |
| Description: | The htpasswd utility has a buffer overflow vulnerability. Web sites that use an unchecked public interface to htpasswd can be used to execute arbitrary code with the privileges of the user who runs htpasswd. |
| Alerts: | |
gxine: format string vulnerability
| Package(s): | gxine | CVE #(s): | CAN-2005-1692 |
| Created: | May 26, 2005 | Updated: | July 23, 2005 |
| Description: | The gxine media player has a format string vulnerability in the hostname decoding function. A specially crafted file can be used to cause a user to execute arbitrary code. |
| Alerts: | |
ImageMagick: xwd coder denial of service
| Package(s): | ImageMagick | CVE #(s): | CAN-2005-1739 |
| Created: | May 26, 2005 | Updated: | July 19, 2005 |
| Description: | The xwd coder in ImageMagick has a vulnerability that can be triggered by processing a maliciously crafted image. A denial of service can result. |
| Alerts: | |
Mailutils: multiple vulnerabilities in imap4d and mail
| Package(s): | mailutils | CVE #(s): | CAN-2005-1520 CAN-2005-1521 CAN-2005-1522 CAN-2005-1523 |
| Created: | May 27, 2005 | Updated: | June 3, 2005 |
| Description: | infamous41d discovered several vulnerabilities in GNU Mailutils. imap4d does not correctly implement formatted printing of command tags (CAN-2005-1523), fails to validate the range sequence of the "FETCH" command (CAN-2005-1522), and contains an integer overflow in the "fetch_io" routine (CAN-2005-1521). mail contains a buffer overflow in "header_get_field_name()" (CAN-2005-1520). |
| Alerts: | |
Page editor: Jonathan Corbet