JAP, TOR, Socks proxy, tunneling and Stunnel

Discussion in 'privacy general' started by Pollmaster, Nov 20, 2004.

Thread Status:
Not open for further replies.
  1. Pollmaster

    Pollmaster Guest

    http://www.panta-rhei.dyndns.org/pantawiki/SecurityAndEncryptionFaq

    is a very interesting and detailed guide on how to use Tor, Privoxy, Stunnel, FreeCap and DCPP.

    It's great, but I'm still a bit unclear about the following points, perhaps the privacy gurus here can explain.

    1) What is the major difference between JAP and TOR? Is it merely that Tor is a socks proxy that allows a suitably "sockified" app to connect with it, while JAP is strictly for HTTP only?

    2) When you sockify an app and run it through Tor, your IP is hidden from whatever you connect to, right? But what about your ISP? Can it see where you are connecting to? Or does it merely see you connecting to the socks proxy?

    3) What is tunneling?

    4) Stunnel appears to encrypt connections so no-one can see what is being sent, right? How does this interact with Tor or JAP?

    Thanks
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    1. JAP is an HTTP proxy but can handle HTTP, HTTPS and FTP protocols. It has a limited number of mixes you can connect to so performance can be slow. The client is written in Java so should run on any system where a Java Runtime Environment is available. All traffic is encrypted using 128-bit AES. The JAP client may soon be able to connect to Tor servers (see the comment about JAP at the bottom).

      Tor uses SOCKS and has more servers available. It should be able to handle any application that can be SOCKSified (not just web/file transfers). Versions are available for Linux/UNIX and Windows but not others (Apple OSX users may be able to use the FreeBSD version). All traffic is encrypted using 128-bit AES.
    2. Since both Tor and JAP encrypt traffic, all your ISP should be able to see is the encrypted traffic being sent to the first Tor node/JAP mix.
    3. Tunneling is using one protocol to carry headers and data for another - for example you could include file transfer protocol commands within an HTTP request to allow it to pass through a firewall that only allowed HTTP. For tunneling to work, it must go to a server that "unwraps" the protocol at the other end. Tunneling can include encryption and authentication but does not have to.
    4. Stunnel allows you to tunnel network connections within an SSL (HTTPS) connection providing encryption. It must connect to a stunnel server which then decrypts the data. It does not provide anonymity on its own but a network of stunnel servers randomly routing data between themselves multiple times should give the same level of protection as Tor or JAP.
     
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    So far Tor has been working the best for me. I used it with SocksCap and usually don't notice any slowdown at all. Tor also seems to take up less resources than JAP. I have been using Tor for every single application that uses the net with no problems whatsoever (msn/icq/aim/sonork/winamp streams/various updates/browser/etc.) but I am sure it has its limits.
     
  4. Pollmaster

    Pollmaster Guest

    Yeah, seems to work great. For other than web browsing, I'm using freecap/wincap plus Tor.

    Though I often get a warning in the Tor console about "your application is giving Tor only an IP address. Applications that do DNS resolving themselves may leak info. Consider using socks4A (eg via privoxy or socat) instead".

    What implications does this have?

    I suppose it means for sure that my ISP can know where I'm going, by watching what DNS lookups my apps are doing correct?

    But does it also enable my destination servers to guess where I'm coming from? As you can see I have only a vague idea how DNS lookup is done.

    Also you mention in another post that web-browser+proxomitron (sockified) takes the place of privoxy. How do you do it? When I do it, it gives me an error message about Tor not handling HTTP proxy.

    What I did was to point my browser (Firefox) to 127.0.0.1:8080 (Proxomitron listens on this). I ran Proxomitron from SocksCap. Then in Proxomitron I set it to use the remote proxy 127.0.0.1:9050. What did I do wrong?
     
  5. Pollmaster

    Pollmaster Guest

    I just knew I could count on you to answer the questions with the details.

    It seems to me that there are 3 separate concerns to privacy and security when using such measures:

    1) Can your ISP see where you are connecting to?

    2) Can your destination figure out your originating IP?

    3) Are the contents you send secure against prying eyes en route?

    I'm less concerned with 1, but it's nice to have if possible.

    If I use Tor or JAP I'm automatically assured of 1)+2), no? But it won't protect the contents from being intercepted between the last mix and the final destination?

    What if I use a simple anonymizer service? Or just Stunnel?
     
  6. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Very interesting technical discussion, this. I use eXtraDNS so I can bypass my ISP's DNS logs (I assume) and The Proxomitron (Altosax filters, must get new ones - recommendations for a set that works with Hotmail, please?) which then goes via JAP's Dresden-ULD. I also have Anonymizer 2004, which (I guess) bypasses all the above. Worries me a bit to put my trusted eggs in one basket, must admit. Thinking of using a port bridge to force everything through JAP... Can't find a personal "free" mailserver that doesn't require registration...just how anonymous can it be if it demands to know your details, for Pity's sake?

    I really don't care about slow performance - we get broadband next year. More concerned about living my own life without someone else thinking I'm their bloody property, :cool:
     
  7. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    No need to enable the Remote Proxy in Proxomitron ;)

    If you run it socksified with SocksCap, it'll work.
     
  8. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Install SocksCap and change its settings to localhost:9050 for Socks5
    This will make all programs run with SocksCap connect through Tor on port 9050

    Click to add a program and find Proxomitron
    Once you have it added drag the Proxomitron icon from SocksCap to your desktop to create a shortcut
    Then you just click on that shortcut to run Proxomitron under SocksCap
    Do not use the remote proxy in Proxomitron, SocksCap will make it all automatic for you
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If the DNS server owner logs requests, then they can keep track of your lookups. This can give them a partial picture of your web activity (I say partial since most PCs cache DNS lookup results so will not do a lookup every time a site is visited and lookups are needed for almost all network activities, not just web access). You could avoid this by overriding your network settings and specifying a public DNS server (like OpenRSC or OpenNIC) but performance may be slower (the server would not be local and may be more heavily loaded).
    Destination websites will have no idea of DNS activity. Someone running a website could also administer the DNS server responsible for providing its address (known as the authoritative server) which can give them an idea of where lookups are coming from - however for most users, the first DNS server they contact (which would be their ISP's in most cases) would contact the authoritative server itself to obtain (and then cache) the results - so at best, they could tell which ISP you were using if they could link the DNS lookup with your subsequent page request (which is unlikely since it would be coming from a different network if you used JAP/Tor).

    This is known as a recursive DNS lookup - it is also possible to do an iterative lookup where the first DNS server simply supplies the address of the authoritative DNS server leaving it up to your system to query it, but this form of lookup is normally only used between DNS servers.
    They will be able to see a connection to the first server of JAP or Tor but not where they connect to in turn - so they will not know the ultimate destination. Assuming that you are running a firewall, this should report the same information - as will a netstat command run from a command prompt window.
    Not from the traffic alone - it will appear to come from the last server in Tor/JAP. However Java or Javascript can be used to find this information from your browser (hence the reason for using Proxomitron or another web filter to stop this). To see what information your browser reveals, visit a site like BrowserSpy or Leader Network Tools.

    It is also possible for a webpage to include Java/Javascript code designed to cause a browser to make a direct connection bypassing any proxies. Aside from blocking all Java/Javascript, the best defence against this is to use your firewall to restrict your browser to contacting the proxy only.
    While encrypted, yes. However since the destination expects unencrypted traffic, the final stage (between the last Tor/JAP server and the destination) will be in the clear. For someone to identify it as your traffic though, they need to monitor every server of Tor/JAP and perform traffic analysis to link it with your (encrypted) incoming request. The only groups with these sort of resources are likely to be the TLA agencies (hence both Tor/JAP warn against relying on their systems for "strong anonymity"). However to prevent ISP logging or website tracking, these systems should be more than adequate.
    Since these only involve one intermediate server (rather than a whole network), traffic analysis is much easier - meaning that they would offer less anonymity. However (as mentioned above) a network of Stunnel servers routing connections at random would give equivalent protection (this is basically how Tor/JAP work).
    Thanks for that! I had configured Proxomitron to use Tor as a remote proxy and was scratching my head as to why it wasn't working. Now it does. :) It would be nice to avoid having to use SocksCap though - the splash screen on startup and its time-restricted functionality are somewhat annoying. However if the JAP client gains Tor functionality that would definitely be the best of both worlds...
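    The "who sees what" picture Paranoid2000 gives above (the ISP sees only encrypted traffic to the first node, each relay learns only its neighbours, and the hop from the last server to the destination is in the clear) as a toy model. This is example code added to the thread, not Tor's or JAP's protocol: the relay names, keys, hostnames and the XOR keystream cipher are constructed stand-ins for the per-hop AES the posts mention.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Toy onion-layering model (added example). keystream_xor is NOT a secure
# cipher; it only lets the layering be demonstrated offline.

Route = List[Tuple[str, bytes]]   # [(relay name, key shared with the client), ...]

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher (SHA-256 counter keystream XOR): encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def wrap(route: Route, destination: str, payload: bytes) -> bytes:
    """Client side: build layers innermost first; each layer names only the next hop."""
    next_hops = [name for name, _ in route[1:]] + [destination]
    cell = payload
    for (_, key), nxt in reversed(list(zip(route, next_hops))):
        cell = keystream_xor(key, nxt.encode("ascii") + b"|" + cell)
    return cell

def relay_peel(key: bytes, cell: bytes) -> Tuple[str, bytes]:
    """Relay side: strip one layer, learn the next hop, forward the rest unread."""
    nxt, _, rest = keystream_xor(key, cell).partition(b"|")
    return nxt.decode("ascii"), rest

def simulate(route: Route, destination: str, payload: bytes) -> Dict[str, dict]:
    """Record what each observer on the path can actually read."""
    cell = wrap(route, destination, payload)
    # The ISP sees a connection to the first relay and ciphertext only.
    views = {"ISP": {"from": "client", "to": route[0][0], "plaintext": None}}
    prev = "client"
    for i, (name, key) in enumerate(route):
        nxt, cell = relay_peel(key, cell)
        exit_node = i == len(route) - 1
        # Only the exit holds the payload in the clear; middle relays forward ciphertext.
        views[name] = {"from": prev, "to": nxt, "plaintext": cell if exit_node else None}
        prev = name
    # The final hop is unencrypted: the destination sees the exit relay, not the client.
    views[destination] = {"from": prev, "to": None, "plaintext": cell}
    return views

if __name__ == "__main__":
    # Constructed route and keys; real circuits negotiate fresh keys per hop.
    route = [("relay1", b"k1"), ("relay2", b"k2"), ("exit", b"k3")]
    for who, view in simulate(route, "www.example.org", b"GET / HTTP/1.0\r\n\r\n").items():
        print(who, view)
```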
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    The only time I get "Your application (using socks x on port x) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A..." is when I don't connect through Proxomitron (eg. aim). Does this mean that Proxomitron is doing its DNS through Tor?
     
  11. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    It's so funny, now everything on "http://gemal.dk/browserspy/headers.cgi" is like:

    None of the IPs are mine, my browser is Firefox, and my language is Canadian :D
     
  12. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I would just like to say that with SocksCap set to resolve all addresses remotely it lets Tor do the job. You can test this by going to a false url and watching the Tor window try to resolve it.
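    What the Tor warning quoted earlier in the thread ("giving Tor only an IP address ... Consider using Socks4A") and AJohn's "resolve all addresses remotely" setting come down to on the wire: a plain SOCKS4 CONNECT carries a 4-byte IP, so the client has already done the DNS lookup itself (normally through the ISP's resolver), while SOCKS4a carries the hostname and leaves the lookup to Tor. This is example code added to the thread, not from Tor, SocksCap or FreeCap; the addresses and hostnames are constructed samples.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Added example: build and classify SOCKS4 vs SOCKS4a CONNECT requests.
# SOCKS4: VN=4, CD=1, DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL.
# SOCKS4a: same header, but DSTIP is 0.0.0.x (x != 0) and the hostname
# follows the USERID, so the proxy (Tor) resolves it at the exit.

@dataclass
class SocksRequest:
    host: str               # hostname (SOCKS4a) or dotted IP (plain SOCKS4)
    port: int
    resolves_locally: bool  # True when the client supplied an IP it looked up itself

def build_socks4_request(dest_ip: str, port: int, userid: bytes = b"") -> bytes:
    """Plain SOCKS4 CONNECT, i.e. what a leaky client sends after resolving DNS itself."""
    return struct.pack("!BBH4s", 4, 1, port, socket.inet_aton(dest_ip)) + userid + b"\x00"

def build_socks4a_request(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: IP field holds the 0.0.0.1 marker, hostname follows the userid."""
    return (struct.pack("!BBH4s", 4, 1, port, bytes([0, 0, 0, 1]))
            + userid + b"\x00" + hostname.encode("ascii") + b"\x00")

def parse_socks4_request(data: bytes) -> SocksRequest:
    """Parse a SOCKS4/4a CONNECT and report whether the client resolved DNS itself."""
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4 or cd != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    _userid, _, rest = data[8:].partition(b"\x00")
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        hostname, _, _ = rest.partition(b"\x00")
        return SocksRequest(hostname.decode("ascii"), port, False)
    return SocksRequest(socket.inet_ntoa(raw_ip), port, True)

def dns_leak_warning(req: SocksRequest) -> Optional[str]:
    """The gist of Tor's console warning for a request that only carries an IP."""
    if req.resolves_locally:
        return (f"client gave only an IP address ({req.host}:{req.port}); it resolved "
                "the name itself and may leak DNS to its resolver; use SOCKS4a")
    return None

if __name__ == "__main__":
    # Constructed samples; 198.51.100.7 is a documentation-range address.
    for raw in (build_socks4a_request("www.example.org", 80),
                build_socks4_request("198.51.100.7", 443)):
        req = parse_socks4_request(raw)
        print(req, dns_leak_warning(req))
```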
     
  13. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    And now I've installed Sockscap...even though I haven't got a clue how to use it! Is it possible to coordinate all or most of the above with Sockscap to achieve privacy and anonymity?

    Thank you, O Knowledgeable Ones!

    P.S. Know what would really be neat? If my ISP only ever directed my traffic to one, and only one, address on the Internet - in an encrypted stream. Kind of moving all my ports (DNS, HTTP etcetera) out of my machine and onto a remote server. Thanks.
     
    Last edited: Nov 22, 2004
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Check the Setting up Tor/Proxomitron+SocksCap thread for configuration details.
    Ah, but if your ISP was doing the encryption, they'd be able to peek inside and see what you were up to wouldn't they? ;)
     
  15. Pollmaster

    Pollmaster Guest

    Thanks Paranoid2000, pretty much the answers I expected, nice of you to confirm them.


    Now let me return the favour.

    I've been playing with both freecap http://www.freecap.ru/eng/?p=index and sockscap.

    Freecap is an open source free software. It has no splash screen, and is 100% free.

    I've sockified some of my apps via both freecap and sockscap, and compared them. Some work in one but not the other and vice versa. In particular I have one software that starts a child process and when using freecap, the child process is sockified automatically, but not when using sockscap (apparently).

    On the other hand, I read in another thread where John mentioned the trick of dragging the app in sockscap to the desktop. This doesn't seem to result in a splash screen.

    I just noticed in both sockscap and wincap you can select socks5; what does that do?
     
  16. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
  17. Pollmaster

    Pollmaster Guest

    Just curious, anyone here had success with sockifying your email client, then using it to send smtp via Tor?

    I can't seem to get it to work. Most of the smtp servers I use add my ip address to the headers, and once I even had a nasty experience where the guy I replied to via email said he port scanned me.
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Last edited: Nov 22, 2004
  19. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    ISPs don't do encryption! Clients and servers do! (Or am I missing something here?)
     
  20. Pollmaster

    Pollmaster Guest


    Thanks. I have the same problem. I have played with quicksilver before, but I prefer to use smtp via my normal email client.
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Thanks for the pointer - I'll check Freecap out. :)
    This could be related to ASPack (a runtime compression tool) - programs using it didn't work with FreeCap but the latest version apparently works around this on WinNT/2K/XP systems.
    Even if one did exist, it most likely would not work since most ISPs limit access to their SMTP servers to their own IP addresses only (otherwise they would get relay-raped by spammers). Many ISPs offer a webpage for email access however (and there is Mail2Web for those that don't) and these should be accessible from Tor, if you wish to keep using your ISP email.

    I'd also recommend checking out SpamGourmet which allows you to create throwaway accounts where messages get relayed to your main email address - this is an anti-spam solution (if you give a different address to each website you correspond with, you know who to blame when one starts receiving spam), not an anonymiser (your real email address is still visible in the email headers) but a useful addition nonetheless.

    One problem I have encountered is that your IP address can change quite frequently with Tor. Some websites (like SpamGourmet) do use your address to identify your session so you may keep getting logged out. If you encounter this, try using JAP for that site to confirm if this is the cause (with JAP, your IP address only changes if you switch mix servers).
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    BTW, just checked the IP address on a forum post I made using Tor...

    "The IP Address is: 194.70.3.60. The host name is: the.dogs.bollo.cx."

    Gotta love some of those domain names. :D
     
  23. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Language is Canadian? You mean English?
     
  24. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Paranoid, Nothing is more useful to me and has changed my surfing and email life as much as Spam Gourmet. It is an incredible service. Thanks for your very useful posts in this thread. I think you are right on target. I use them all some, but have found the commercial proxies like Primedius and FindNot.com are far speedier and I get mad when the software solutions timeout or slow way down. Good stuff though and you do a great job of explaining to those new to JAP, TOR, Stunnel and others.

    Cheers.
    Gerard
     
  25. Pollmaster

    Pollmaster Guest

    Not really, since the emails I'm testing are not ISPish SMTP servers. As a result they use other methods to authenticate rather than just restricting by ip ranges.

    Sure, but that defeats the purpose of using POP/SMTP.

    I use spamgourmet, but this is a different matter. I want to stop smtp servers from adding my ip address to the headers. SG actually does this too I think, but in a very round about method.
     