On Sat, 2 May 2015 20:37:17 -0700 coderman <coderman@gmail.com> wrote:
> a friend and i are working on a Tor router design that doesn't compromise anonymity for convenience. [0][1][2][3][4]
> we're soliciting feedback as part of a go / no-go decision on continuing this effort.
> in particular, the design is intended to meet the scrutiny of Nick M., Roger, and Mike P. as the focus on support for Tor Browser and Tor on each client indicates.
I am bored so I figured I would read this big document, here are some comments from somebody who doesn't matter:
1.3 > Warning conditions:
Does "Client privacy leak detected" mean the software would warn in the case of a LAN client attempting to make an unsecured connection or leak DNS data or something like that? Provided the leak never makes it off the routing device, then I think that is an acceptable warning, but if it leaves the device that's a pretty critical error in my opinion.
2.4 > Device software and configuration technical requirements
"Require VPN on local WiFi and Ethernet network " does this mean VPN connection to the router itself, as in establishing an IPSec tunnel from LAN_1 --> [Router] before any layer four traffic is allowed? I see the FAQ about Wifi, which makes sense, but extending the VPN requirement to the physical network I find odd.
I suggest also adding mandatory audit logging to the scope of the router software. In my opinion any and all state changes, whether automatic (Tor circuit change) or manual (administrator changing configuration) must be logged.
2.5/2.6 > Privacy Directory Requirements
Is the expectation that every client attached to the router would be running this privacy directory software or only the router administrator(s)? In the former case, is there any bad exit indication that could/would be made to the clients?
How is authentication and authorization of this privacy director software going to be performed with the router? In 1.2 the router would be passwordlessly set up, but after that how would an administrator ensure that only they are able to mutate the device setup?
Also "Filter local traffic that is not Tor when active", does this mean that the privacy director software will require escalated privileges on the numerous platforms in order to modify local firewall states?
Interesting effort, good luck
-warms0x
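One way to make the warning-versus-critical distinction and the audit-logging suggestion from the reply concrete, as an added example that is not from the thread or from the proposed router: each LAN client flow is classified as "ok" (bound for Tor's listeners on the router), "warning" (a leak the router dropped on the device) or "critical" (a leak that was forwarded off the device), and every decision produces an audit line. The router address, Tor ports and sample flows are constructed values, not taken from the design document.

```python
# Added example (not the router project's code): triage LAN client flows on a
# Tor-only router and emit one audit record per decision. All addresses,
# ports and flows below are constructed for illustration.
import json
from dataclasses import dataclass, asdict

ROUTER_LAN_IP = "10.0.0.1"   # assumed LAN address of the router
TOR_TRANS_PORT = 9040        # assumed Tor TransPort (transparent TCP proxy)
TOR_DNS_PORT = 5353          # assumed Tor DNSPort (DNS resolved through Tor)

@dataclass(frozen=True)
class Flow:
    src: str         # LAN client address
    dst: str         # destination after the router's redirect rules applied
    proto: str       # "tcp" or "udp"
    dport: int
    forwarded: bool  # True if the router actually passed it toward the WAN

def is_tor_bound(flow: Flow) -> bool:
    """A client may only reach Tor's own listeners on the router itself."""
    if flow.dst != ROUTER_LAN_IP:
        return False
    if flow.proto == "tcp":
        return flow.dport == TOR_TRANS_PORT
    return flow.proto == "udp" and flow.dport == TOR_DNS_PORT

def classify(flow: Flow) -> str:
    """'ok' for Tor-bound traffic; any other flow is a leak attempt, which is
    'warning' if dropped on the device and 'critical' if it left the device."""
    if is_tor_bound(flow):
        return "ok"
    return "critical" if flow.forwarded else "warning"

def audit(flows):
    """One (verdict, JSON audit line) pair per flow, so every decision, not
    only the bad ones, ends up on the record."""
    out = []
    for f in flows:
        v = classify(f)
        out.append((v, json.dumps({"event": "client_flow", "verdict": v, **asdict(f)}, sort_keys=True)))
    return out

SAMPLE_FLOWS = [  # constructed sample traffic from two LAN clients
    Flow("10.0.0.23", ROUTER_LAN_IP, "tcp", TOR_TRANS_PORT, False),  # redirected into Tor
    Flow("10.0.0.23", ROUTER_LAN_IP, "udp", TOR_DNS_PORT, False),    # DNS through Tor
    Flow("10.0.0.23", "192.0.2.53", "udp", 53, False),                # plain DNS, dropped
    Flow("10.0.0.42", "198.51.100.7", "tcp", 443, True),              # direct TCP, forwarded
]

if __name__ == "__main__":
    for verdict, line in audit(SAMPLE_FLOWS):
        print(verdict.upper().ljust(8), line)
```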