Matt Pagan commited on 2013-12-20 01:42:12
Zeige 1 geänderte Dateien mit 140 Einfügungen und 6 Löschungen.
... | ... |
@@ -90,6 +90,11 @@ tells |
90 | 90 |
been compromised.</a></li> |
91 | 91 |
<li><a href="#NeedToUseAProxy">My internet connection requires an HTTP |
92 | 92 |
or SOCKS Proxy</a></li> |
93 |
+ <li><a href="#CantSetProxy">What should I do if I can't set a proxy |
|
94 |
+ with my application?</a></li> |
|
95 |
+ <li><a href="#WarningsAboutSOCKSandDNSInformationLeaks">I keep seeing |
|
96 |
+ these warnings about SOCKS and DNS information leaks. Should I |
|
97 |
+ worry?</a></li> |
|
93 | 98 |
</ul> |
94 | 99 |
|
95 | 100 |
<p>Advanced Tor usage:</p> |
... | ... |
@@ -180,6 +185,8 @@ relay.</a></li> |
180 | 185 |
provide?</a></li> |
181 | 186 |
<li><a href="#CanExitNodesEavesdrop">Can exit nodes eavesdrop on |
182 | 187 |
communications? Isn't that bad? </a></li> |
188 |
+ <li><a href="#AmITotallyAnonymous">So I'm totally anonymous if I use |
|
189 |
+ Tor?</a></li> |
|
183 | 190 |
<li><a href="#ExitEnclaving">What is Exit Enclaving?</a></li> |
184 | 191 |
<li><a href="#KeyManagement">Tell me about all the keys Tor |
185 | 192 |
uses.</a></li> |
... | ... |
@@ -1402,8 +1409,8 @@ recent logins and wondering if you actually logged in at those times. |
1402 | 1409 |
<hr> |
1403 | 1410 |
|
1404 | 1411 |
<a id="NeedToUseAProxy"></a> |
1405 |
-<h3><a class="anchor" href="#NeedToUseAProxy">My internet connection requires an HTTP |
|
1406 |
- or SOCKS Proxy</a></h3> |
|
1412 |
+<h3><a class="anchor" href="#NeedToUseAProxy">My internet connection |
|
1413 |
+requires an HTTP or SOCKS Proxy</a></h3> |
|
1407 | 1414 |
|
1408 | 1415 |
<p> |
1409 | 1416 |
You can set Proxy IP address, port, and authentication information in |
... | ... |
@@ -1417,9 +1424,9 @@ if they're the same proxy.) Tor also recognizes the torrc options |
1417 | 1424 |
Socks4Proxy and Socks5Proxy. |
1418 | 1425 |
</p> |
1419 | 1426 |
<p> |
1420 |
-Also check out HTTPProxyAuthenticator and HTTPSProxyAuthenticator if your |
|
1421 |
-proxy requires auth. We only support basic auth currently, but if you need |
|
1422 |
-NTLM authentication, you find <a |
|
1427 |
+Also read up on the HTTPProxyAuthenticator and HTTPSProxyAuthenticator |
|
1428 |
+options if your proxy requires auth. We only support basic auth currently, |
|
1429 |
+but if you need NTLM authentication, you may find <a |
|
1423 | 1430 |
href="http://archives.seul.org/or/talk/Jun-2005/msg00223.html">this post |
1424 | 1431 |
in the archives</a> useful. |
1425 | 1432 |
</p> |
... | ... |
@@ -1431,6 +1438,70 @@ to restrict what ports your Tor will try to access. |
1431 | 1438 |
|
1432 | 1439 |
<hr> |
1433 | 1440 |
|
1441 |
+<a id="CantSetProxy"></a> |
|
1442 |
+<h3><a class="anchor" href="#CantSetProxy">What should I do if I can't |
|
1443 |
+set a proxy with my application?</a></h3> |
|
1444 |
+ |
|
1445 |
+<p> |
|
1446 |
+On Unix, we recommend you give <a |
|
1447 |
+href="https://github.com/dgoulet/torsocks/">torsocks</a> a try. |
|
1448 |
+Alternative proxifying tools like <a |
|
1449 |
+href="http://www.dest-unreach.org/socat/">socat</a> and <a |
|
1450 |
+href="http://proxychains.sourceforge.net/">proxychains</a> are also |
|
1451 |
+available.</p> |
|
1452 |
+<p> |
|
1453 |
+The Windows way to force applications through Tor is less clear. <a |
|
1454 |
+href="http://freecap.ru/eng/">Some</a> <a |
|
1455 |
+href="http://www.freehaven.net/~aphex/torcap/">tools</a> have been <a |
|
1456 |
+href="http://www.crowdstrike.com/community-tools/index.html#tool-79">proposed |
|
1457 |
+</a>, but we'd also like to see further testing done here. |
|
1458 |
+</p> |
|
1459 |
+ |
|
1460 |
+<hr> |
|
1461 |
+ |
|
1462 |
+<a id="WarningsAboutSOCKSandDNSInformationLeaks"></a> |
|
1463 |
+<h3><a class="anchor" href="#WarningsAboutSOCKSandDNSInformationLeaks">I |
|
1464 |
+keep seeing these warnings about SOCKS and DNS information leaks. |
|
1465 |
+Should I worry?</a></h3> |
|
1466 |
+<p> |
|
1467 |
+The warning is: |
|
1468 |
+</p> |
|
1469 |
+<p> |
|
1470 |
+Your application (using socks5 on port %d) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via Polipo or socat) instead. |
|
1471 |
+</p> |
|
1472 |
+<p> |
|
1473 |
+If you are running Tor to get anonymity, and you are worried about an attacker who is even slightly clever, then yes, you should worry. Here's why. |
|
1474 |
+</p> |
|
1475 |
+<p> |
|
1476 |
+<b>The Problem.</b> When your applications connect to servers on the Internet, they need to resolve hostnames that you can read (like www.torproject.org) into IP addresses that the Internet can use (like 209.237.230.66). To do this, your application sends a request to a DNS server, telling it the hostname it wants to resolve. The DNS server replies by telling your application the IP address. |
|
1477 |
+</p> |
|
1478 |
+<p> |
|
1479 |
+Clearly, this is a bad idea if you plan to connect to the remote host anonymously: when your application sends the request to the DNS server, the DNS server (and anybody else who might be watching) can see what hostname you are asking for. Even if your application then uses Tor to connect to the IP anonymously, it will be pretty obvious that the user making the anonymous connection is probably the same person who made the DNS request. |
|
1480 |
+</p> |
|
1481 |
+<p> |
|
1482 |
+<b>Where SOCKS comes in.</b> Your application uses the SOCKS protocol to connect to your local Tor client. There are 3 versions of SOCKS you are likely to run into: SOCKS 4 (which only uses IP addresses), SOCKS 5 (which usually uses IP addresses in practice), and SOCKS 4a (which uses hostnames). |
|
1483 |
+</p> |
|
1484 |
+<p> |
|
1485 |
+When your application uses SOCKS 4 or SOCKS 5 to give Tor an IP address, Tor guesses that it 'probably' got the IP address non-anonymously from a DNS server. That's why it gives you a warning message: you probably aren't as anonymous as you think. |
|
1486 |
+</p> |
|
1487 |
+<p> |
|
1488 |
+<b>So what can I do?</b> We describe a few solutions below. |
|
1489 |
+</p> |
|
1490 |
+<ul> |
|
1491 |
+<li>If your application speaks SOCKS 4a, use it. </li> |
|
1492 |
+<li>If you only need one or two hosts, or you are good at programming, you may be able to get a socks-based port-forwarder like socat to work for you; see <a href="https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO">the Torify HOWTO</a> for examples. </li> |
|
1493 |
+<li>Tor ships with a program called tor-resolve that can use the Tor network to look up hostnames remotely; if you resolve hostnames to IPs with tor-resolve, then pass the IPs to your applications, you'll be fine. (Tor will still give the warning, but now you know what it means.) </li> |
|
1494 |
+<!-- I'm not sure if this project is still maintained or not |
|
1495 |
+ |
|
1496 |
+<li>You can use TorDNS as a local DNS server to rectify the DNS leakage. See the Torify HOWTO for info on how to run particular applications anonymously. </li> |
|
1497 |
+!--> |
|
1498 |
+</ul> |
|
1499 |
+<p> |
|
1500 |
+ If you think that you applied one of the solutions properly but still experience DNS leaks please verify there is no third-party application using DNS independently of Tor. Please see <a href="#AmITotallyAnonymous">the FAQ entry on whether you're really absolutely anonymous using Tor</a> for some examples. |
|
1501 |
+</p> |
|
1502 |
+ |
|
1503 |
+<hr> |
|
1504 |
+ |
|
1434 | 1505 |
<a id="torrc"></a> |
1435 | 1506 |
<h3><a class="anchor" href="#torrc">I'm supposed to "edit my torrc". |
1436 | 1507 |
What does that mean?</a></h3> |
... | ... |
@@ -3085,8 +3156,71 @@ diversity, |
3085 | 3156 |
|
3086 | 3157 |
<hr> |
3087 | 3158 |
|
3159 |
+ <a id="AmITotallyAnonymous"></a> |
|
3160 |
+ <h3><a class="anchor" href="#AmITotallyAnonymous">So I'm totally anonymous |
|
3161 |
+ if I use Tor?</a></h3> |
|
3162 |
+ |
|
3163 |
+ <p> |
|
3164 |
+ <b>No.</b> |
|
3165 |
+ </p> |
|
3166 |
+ <p> |
|
3167 |
+ First, Tor protects the network communications. It separates where you |
|
3168 |
+ are from where you are going on the Internet. What content and data you |
|
3169 |
+ transmit over Tor is controlled by you. If you login to Google or |
|
3170 |
+ Facebook via Tor, the local ISP or network provider doesn't know you |
|
3171 |
+ are visiting Google or Facebook. Google and Facebook don't know where |
|
3172 |
+ you are in the world. However, since you have logged into their sites, |
|
3173 |
+ they know who you are. If you don't want to share information, you are |
|
3174 |
+ in control. |
|
3175 |
+ </p> |
|
3176 |
+ |
|
3177 |
+ <p> |
|
3178 |
+ Second, active content, such as Java, Javascript, Adobe Flash, Adobe |
|
3179 |
+ Shockwave, QuickTime, RealAudio, ActiveX controls, and VBScript, are |
|
3180 |
+ binary applications. These binary applications run as your user account |
|
3181 |
+ with your permissions in your operating system. This means these |
|
3182 |
+ applications can access anything that your user account can access. Some |
|
3183 |
+ of these technologies, such as Java and Adobe Flash for instance, run in |
|
3184 |
+ what is known as a virtual machine. This virtual machine may have the |
|
3185 |
+ ability to ignore your configured proxy settings, and therefore bypass |
|
3186 |
+ Tor and share information directly to other sites on the Internet. The |
|
3187 |
+ virtual machine may be able to store data, such as cookies, completely |
|
3188 |
+ separate from your browser or operating system data stores. Therefore, |
|
3189 |
+ these technologies must be disabled in your browser to use Tor safely. |
|
3190 |
+ </p> |
|
3191 |
+ <p> |
|
3192 |
+ That's where the <a |
|
3193 |
+ href="https://torproject.org/projects/torbrowser.html.en">Tor Browser |
|
3194 |
+ Bundle</a> comes in. We produce a web browser that is preconfigured to |
|
3195 |
+ help you control the risks to your privacy and anonymity while browsing |
|
3196 |
+ the Internet. Not only are the above technologies disabled to prevent |
|
3197 |
+ identity leaks, the Tor Browser also includes browser extensions like |
|
3198 |
+ NoScript and Torbutton, as well as patches to the Firefox source |
|
3199 |
+ code. The full design of the Tor Browser can be read <a |
|
3200 |
+ href="https://www.torproject.org/projects/torbrowser/design/">here</a>. |
|
3201 |
+ In designing a safe, secure solution for browsing the web with Tor, |
|
3202 |
+ we've discovered that configuring any other browser for use with Tor <a |
|
3203 |
+ href="#TBBOtherBrowser">is not safe</a>. |
|
3204 |
+ </p> |
|
3205 |
+ |
|
3206 |
+ <p> |
|
3207 |
+ Alternatively, you may find a Live CD or USB operating system more to |
|
3208 |
+ your liking. The Tails team has created an <a |
|
3209 |
+ href="https://tails.boum.org/">entire bootable operating system</a> |
|
3210 |
+ configured for anonymity and privacy on the Internet. |
|
3211 |
+ </p> |
|
3212 |
+ |
|
3213 |
+ <p> |
|
3214 |
+ Tor is a work in progress. There is still <a |
|
3215 |
+ href="https://www.torproject.org/getinvolved/volunteer">plenty of work |
|
3216 |
+ left to do</a> for a strong, secure, and complete solution. |
|
3217 |
+ </p> |
|
3218 |
+ |
|
3219 |
+ <hr> |
|
3220 |
+ |
|
3088 | 3221 |
<a id="ExitEnclaving"></a> |
3089 |
- <h3><a class="anchor" href="#ExitEnclaving">What is Exit Enclaving?</a></h3> |
|
3222 |
+ <h3><a class="anchor" href="#ExitEnclaving">What is Exit Enclaving?</a> |
|
3223 |
+ </h3> |
|
3090 | 3224 |
|
3091 | 3225 |
<p> |
3092 | 3226 |
When a machine that runs a Tor relay also runs a public service, such as |
3093 | 3227 |