prevent protocol leaks; Tor client connection API or protocol review howto
I am unhappy with the current Torify instructions.
The big BitTorrent leak may happen to any application that has not been explicitly designed for Tor or reviewed by someone. That's why safe use of Tor is at the moment somewhat limited to the few applications designed for Tor (Tor Browser) or reviewed for use over Tor.
Two ideas for how to solve this problem follow. One or the other may work as a solution. Feel free to propose other/better/easier/faster solutions.
Proposal 1: Write a howto on how to review an application and protocol for leak-free use over Tor. "The protocol/application has to be reviewed." - That is much too vague, even for the application's developer.
For example, would the xchat developers answer "xchat over Tor: do not use dcc/ctcp... it leaks your IP/timezone..."?
What we could easily do for many applications would be to ask the application's developers. But even they could be confused by the question. The paper should define what a protocol leak is, how to look out for them, and how to prevent them.
This would hopefully enable the application developers to answer the question regarding the protocol leak status. And if they don't want to review their own application, third-party contributors could review the protocol.
Proposal 2: Provide an alternate interface for applications. An alternative to SOCKS. Either an API or a library for developers. I2P also provides one, and loads of applications are built on top of I2P. Why are there not so many applications designed for Tor? Because there is neither an API nor a library.
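As an illustration of the "how to look out for them" part of Proposal 1, a reviewer could capture what an application sends before it enters the Tor SOCKS port and search it for the host's own address. The sketch below is an added example, not part of the ticket or of any Tor tooling; the function names, the sample address and the sample payloads are constructed for illustration.

```python
import ipaddress
import re

def leak_patterns(ip):
    """Compile the encodings under which one IPv4 address can appear on the wire."""
    addr = ipaddress.IPv4Address(ip)
    return {
        # Text form, e.g. inside a URL parameter or a chat message.
        "dotted-quad": re.compile(
            rb"(?<![0-9.])" + re.escape(str(addr).encode()) + rb"(?![0-9])"),
        # 32-bit integer written in decimal, the form IRC DCC offers carry.
        "decimal-integer": re.compile(
            rb"(?<![0-9])" + str(int(addr)).encode() + rb"(?![0-9])"),
        # Four raw bytes in network order, as binary protocols embed addresses.
        # This one can match by coincidence in compressed or encrypted data.
        "raw-network-order": re.compile(re.escape(addr.packed)),
    }

def find_ip_leaks(payload, local_ips):
    """Return (ip, encoding) for every local address found in one outgoing payload."""
    hits = []
    for ip in local_ips:
        for encoding, pattern in leak_patterns(ip).items():
            if pattern.search(payload):
                hits.append((ip, encoding))
    return hits

# Constructed values: a private address standing in for the reviewer's real one,
# and hand-written payloads standing in for captured application traffic.
LOCAL_IPS = ["192.168.1.23"]
SAMPLES = {
    "irc_chat": b"PRIVMSG #chan :hello everyone\r\n",
    "irc_dcc_offer": b"PRIVMSG bob :\x01DCC SEND notes.txt 3232235799 5000 1024\x01\r\n",
    "tracker_announce": b"GET /announce?ip=192.168.1.23&port=6881 HTTP/1.1\r\n",
    "binary_peer_entry": b"\x00\x01" + bytes([192, 168, 1, 23]) + b"\x1a\xe1",
}

def review(samples, local_ips):
    """Map each sample name to the leaks found in it."""
    return {name: find_ip_leaks(data, local_ips) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hits in review(SAMPLES, LOCAL_IPS).items():
        print(f"{name:18} {'LEAK ' + str(hits) if hits else 'clean'}")
```

A clean result only means the address was not seen in these three encodings; other identifiers such as the timezone mentioned above, hostnames or usernames need their own checks.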