TOR and static IP?

Discussion in 'privacy technology' started by TorDude, Nov 23, 2007.

Thread Status:
Not open for further replies.
  1. TorDude

    TorDude Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    2
    I've been looking everywhere to find a forum to ask this question about TOR.

    If these forums are not appropriate I do apologize, but please lead me somewhere I can get help with this?

    I am running TOR with FireFox on an XP machine. (TOR, Vidalia & Privoxy)

    My problem is that when I go to certain sites I am logged out after a short while because TOR has given me a new IP.

    Is there a way to use TOR and keep a static IP so web sites don't log me out because of an IP change?

    Thanks for any and all help :D
     
  2. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Actually, I believe there is. See all posts from this thread.

    I was complaining that I can't stay logged more than a minute (using XeroBank and Tor network), and the admin explained that was necessary to have the option "Remember my login" marked, even if I was going to erase my cookies after Firefox is closed.

    Checking the "Remember Me?" box causes vBulletin and other places to store two extra cookie values not otherwise saved: bbuserid & bbpassword. Without those, anything that invalidates your session will cause you to be logged out.

    I haven't experienced any problems using boards and sites. However, I believe phpBB forums are worse than vbulettin when it comes to log you out. There's an extension called Secure Login for Mozilla Firefox which have an auto-login feature. You just have to click on the yellow key to log-in again. Use it!
     
  3. TorDude

    TorDude Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    2
    Thank you for your reply.

    But I don't have any problems with forums, like vB.

    It's sites like digg.com and others that look at the IP and log you out if your IP doesn't match your registered IP or one that is in the site's cookie.

    It seems like TOR resets the IP every few minutes and those sites log me out.

    Thanks again!
     
  4. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    To my knowledge you cannot choose an IP with Tor or prevent it from changing. If you use something like xerbank VPN you'll never have that problem.
     
  5. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    There's also another issue that I should warn everyone of you about it. If you are using phpBB and Tor at the same time, check this out.

    The explanation:

    phpBB binds the session to the IP for security reasons, if your IP is changing your session will drop. In phpBB2 you will need to edit the core code to avoid this, phpBB3 had an Admin option where you can reduce or turn off the IP to session binding.

    Above on the link is the alteration for phpBB2, although this reduces security. The security risk is that removing the ip binding could allow someone to spoof/hijack your session. Although this is a mild risk, it is there all the same.
    :)

    So, even if you are selecting the "Remember me" box, you will face those log-outs while using Tor and phpBB, if this was not modified properly according to the previous link.

    Here's another trick for those of you who have phpBB forums.

    If you are allowing "auto logins", and you would like to have the "Log me on automatically each visit" box checked, in file ./templates/**template_name**/index_body.tpl, try this;

    FIND THIS LINE:

    REPLACE WITH:

    That way, your "Remember me" box for automatic logins will be enabled by default, like it's being done here on Wilders.

    As for the other sites, they should modify something similar to this. I have faced several log-outs from a CPanel from a free host, and they stopped once I found another CPanel from another host.

    Those default configurations are messing with Tor users, preventing them to stay logged. :doubt:
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Actually, there are good security reasons for linking cookies with specific IP addresses, despite the inconvenience they cause Tor users...

    When you log into most sites, they give you a cookie typically with a session ID. Presenting that cookie on subsequent page requests then tells the site who you are.

    However a malicious Tor exit node operator could monitor such cookies and use them later to try to impersonate you. Linking logins to IP addresses would stop this, unless that operator was also able to successfully spoof their IP address to match yours.

    Cookie copying is not an issue specific to Tor, anyone with access to any part of the network connection between you and the site concerned can do it. However given the recent press on questionable Tor nodes, it is something to consider.

    And yes, that does mean that a rogue operator could use cookie details to impersonate posters on vBulletin forums like this. ;)

    Tor, by default, will keep an existing circuit open for 10 minutes before switching but existing connections will keep to the same circuit, as long as it works (see here). You can however adjust this - see the "MaxCircuitDirtiness" option on the Tor Manpage.
     
    Last edited: Feb 16, 2008
Loading...
Thread Status:
Not open for further replies.