Re: [tor-talk] Getting de-anonymized with SSH (J. S. Evans)

2018-04-09 Thread grarpamp
Users really need to dissect and understand how
each method of constraining application traffic to tor
works before choosing one, then set it up and test
extensively before use. And deploying an out of band
managed catchall packet filter is essential to helping
prevent eventual IP leaks.

Four common methods for ssh are...

kernel agnostic - the above global packet filters
kernel scoped to userland - aorta on linux, or roll your own on bsd
library mangling - torsocks, not for static compiled apps
application rtfm [1] - ssh_config Host and ProxyCommand

They all should be capable of capturing whatever ssh emits,
however each box, config, usage and user is different.

Last... SSH often involves a live bidirectional terminal
and X connection to a potentially adversarial remote machine...


[1] An application's proxy configs are nice when they work
as claimed "all traffic", but they often fail that spec till many
oops tickets later, or break from version to version.
Most simple unix tools like OpenSSH are not an issue.
Skype / Vuze / similar bling on Windows... no comment.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
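Method four from the list above, worked out as an added example (my stanza, not grarpamp's text or OpenSSH's documentation): an ssh_config Host block for onion names that passes the hostname to Tor through ProxyCommand and switches off the ssh options that would otherwise touch DNS. It assumes Tor's SocksPort on 127.0.0.1:9050 and OpenBSD-style netcat (the -X 5 -x flags); the identity and known_hosts file names are placeholders.

```text
# ~/.ssh/config
# Every *.onion host goes out through Tor's SOCKS5 port. nc -X 5 passes %h
# to the proxy as a name, so ssh never resolves it and no DNS query is sent.
Host *.onion
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    # DNS side channels: no SSHFP lookups, no hostname-to-IP check for
    # known_hosts, no Kerberos name canonicalisation.
    VerifyHostKeyDNS no
    CheckHostIP no
    GSSAPIAuthentication no
    CanonicalizeHostname no
    # Keep the anonymous persona's key and host-key store separate from
    # the clearnet ones, so neither is ever offered to the wrong side.
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_onion
    UserKnownHostsFile ~/.ssh/known_hosts_onion
    # A live terminal to a possibly hostile remote: do not hand it X11 or
    # the agent.
    ForwardX11 no
    ForwardAgent no
```

Test it the way grarpamp suggests: with the packet filter logging drops, confirm that `ssh <name>.onion` produces traffic only to 127.0.0.1:9050 and nothing to port 53 or the remote directly.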


Re: [tor-talk] Getting de-anonymized with SSH (J. S. Evans)

2018-04-08 Thread jsevans

Hello, first of all, thank you for the feedback.


On 2018-04-08 15:40, Me wrote:

> It can be complicated. Tor itself provides a multi-hop anonymizing TCP
> connection, however what your application may or may not do outside of Tor
> is uncontrolled, this is why the Tor Browser is recommended for use instead
> of simply proxying your regular browser through Tor, TBB is designed to
> minimize undesired side channels.
>
> Your question really is asking about undesired side channels, so the answer
> is, "It Depends". I'm not trying to be flippant, it can be complicated. For
> example if your client application checks server SSH certificates for status
> (CRL & OCSP) then you have two immediate concerns: (1) is the OCSP check
> routing outside of Tor, thus potentially de-anonymizing you immediately,
> (2) Even if the cert check runs through Tor, do you ever access it outside
> of Tor, creating a potential for correlation. This is why there is still
> ongoing discussion of whether one should use certs within Tor.


I would like to be specific about what I have in mind. In /etc/tor/torrc, I
uncomment these lines:


HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22

I then start the tor service and block port 22 with my local firewall so 
no normal TCP traffic goes to it.


I only access it remotely via "torsocks ssh x.onion"

I wasn't thinking about potential issues with the certificate. Thanks
for bringing that up, I'll look into that. Vanilla telnet might be an
option. Obviously, you would never do that in the open internet, but
it's not such a bad idea within the confines of Tor and its inherent
security.




> Another common side channel is DNS. Does the address resolution happen
> outside Tor (unfortunately a common error), in which case you're immediately
> de-anonymized. Even if it takes place within Tor, do you ever use it outside
> of Tor, again creating a potential for correlation.


From what I can tell, torsocks acts like a wrapper around the 
application that I am trying to use, in the case of my example, it is 
only the ssh client in most Linux distros. Does torsocks block or 
intercept DNS requests or does it just allow those requests to go 
through Tor? If it's just a passive proxy, I will need to research how 
to keep the ssh client from trying to use DNS.





> Then there are more esoteric concerns such as the potential for traffic
> analysis. Does your application create a periodic pattern of traffic bursts
> that could be correlated? This would require some pretty heavy effort, but
> not impossible. Do you have a Hidden Service that comes up and goes down in
> sync with a public presence?
>
> Last but not least, there are many executable products that run on your
> local machine, like JavaScript, that may de-anonymize, intentionally or
> otherwise, that are not obvious, such as: PDF documents, MS Office
> documents, and others. It's important to set your routing rules to allow
> ONLY your expected Tor connects and disallow everything else.



I don't think this would be an issue in my situation as there would be 
one application only using Tor and not the entire system.



> Message: 1
> Date: Sun, 8 Apr 2018 02:40:22 -0600
> From: "J. S. Evans"
> To:
> Subject: [tor-talk] Getting de-anonymized with SSH
> Message-ID: <000701d3cf15$3e1c6ef0$ba554cd0$@gardeng.nom.es>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi all,
>
> First of all, I know that the best way to stay anonymous on Tor when
> browsing the web is to use the Tor Browser and be smart about how you use
> it.
> What about when you're not using the web? If I am using ssh over Tor, is
> there a good chance that I can be de-anonymized? By this I mean ssh to an
> onion service not to the external internet.
> I would think that it is more safe than the web since you don't have to
> worry about things like javascript, etc.
>
> Am I correct, or are there other things that I am not aware of? Thanks!
>
> Jason


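On the DNS question in the message above: a SOCKS5 client that hands Tor the hostname (ATYP 3, RFC 1928) never needs a resolver, which is the property a Tor-aware wrapper or ProxyCommand should provide. Added illustration of that mechanism in Python, not torsocks's or OpenSSH's code; it assumes Tor's SocksPort at 127.0.0.1:9050, and the onion names in the helper are constructed.

```python
import ipaddress
import re
import socket

# Added illustration, not torsocks's or OpenSSH's code: a SOCKS5 CONNECT that
# hands the *name* to Tor (ATYP 0x03, RFC 1928), so nothing is resolved locally.

ONION_NAME = re.compile(r"^[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion$")  # v2 or v3

def is_onion(host: str) -> bool:
    """True for a syntactically valid v2 (16 char) or v3 (56 char) onion name."""
    return ONION_NAME.match(host.lower()) is not None

def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the hostname (ATYP 3); IP literals are refused."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, which is what we want
    else:  # an address means the name was already resolved somewhere
        raise ValueError("refusing IP literal; let Tor resolve the name")
    name = host.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must fit the one-byte SOCKS5 length field")
    return (b"\x05\x01\x00"                        # VER=5 CMD=CONNECT RSV=0
            + b"\x03" + bytes([len(name)]) + name  # ATYP=3 domain name
            + port.to_bytes(2, "big"))             # DST.PORT

def socks5_reply_code(data: bytes) -> int:
    """REP field of a SOCKS5 reply; 0 means Tor opened the stream."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return data[1]

def tor_connect(host: str, port: int, proxy=("127.0.0.1", 9050)) -> socket.socket:
    """TCP stream to an onion host:port via Tor's SocksPort (assumed 9050)."""
    if not is_onion(host):
        raise ValueError("only onion names go through this helper")
    s = socket.create_connection(proxy)
    s.sendall(b"\x05\x01\x00")                     # greeting: 1 method, NO AUTH
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise ConnectionError("Tor did not accept the NO AUTH method")
    s.sendall(socks5_connect_request(host, port))
    rep = socks5_reply_code(s.recv(262))           # longest reply is ATYP 3
    if rep != 0:
        s.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep}")
    return s
```

A client that instead calls getaddrinfo() on the onion name before talking to the proxy is exactly the leak "Me" describes, and it shows up on the wire as a port 53 query, which is what the packet filter grarpamp recommends would block.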


Re: [tor-talk] Getting de-anonymized with SSH (J. S. Evans)

2018-04-08 Thread Me
It can be complicated. Tor itself provides a multi-hop anonymizing TCP
connection, however what your application may or may not do outside of Tor
is uncontrolled, this is why the Tor Browser is recommended for use instead
of simply proxying your regular browser through Tor, TBB is designed to
minimize undesired side channels.

Your question really is asking about undesired side channels, so the answer
is, "It Depends". I'm not trying to be flippant, it can be complicated. For
example if your client application checks server SSH certificates for status
(CRL & OCSP) then you have two immediate concerns: (1) is the OCSP check
routing outside of Tor, thus potentially de-anonymizing you immediately,
(2) Even if the cert check runs through Tor, do you ever access it outside
of Tor, creating a potential for correlation. This is why there is still
ongoing discussion of whether one should use certs within Tor.

Another common side channel is DNS. Does the address resolution happen
outside Tor (unfortunately a common error), in which case you're immediately
de-anonymized. Even if it takes place within Tor, do you ever use it outside
of Tor, again creating a potential for correlation.

Then there are more esoteric concerns such as the potential for traffic
analysis. Does your application create a periodic pattern of traffic bursts
that could be correlated? This would require some pretty heavy effort, but
not impossible. Do you have a Hidden Service that comes up and goes down in
sync with a public presence?

Last but not least, there are many executable products that run on your
local machine, like JavaScript, that may de-anonymize, intentionally or
otherwise, that are not obvious, such as: PDF documents, MS Office
documents, and others. It's important to set your routing rules to allow
ONLY your expected Tor connects and disallow everything else.

> Message: 1
> Date: Sun, 8 Apr 2018 02:40:22 -0600
> From: "J. S. Evans" 
> To: 
> Subject: [tor-talk] Getting de-anonymized with SSH
> Message-ID: <000701d3cf15$3e1c6ef0$ba554cd0$@gardeng.nom.es>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi all,
>
> First of all, I know that the best way to stay anonymous on Tor when
> browsing the web is to use the Tor Browser and be smart about how you use
> it.
> What about when you're not using the web? If I am using ssh over Tor, is
> there a good chance that I can be de-anonymized? By this I mean ssh to an
> onion service not to the external internet.
> I would think that it is more safe than the web since you don't have to
> worry about things like javascript, etc.
>
> Am I correct, or are there other things that I am not aware of? Thanks!
>
> Jason
>