(c) 2011-2012 Bernd Fix >Y<

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

A number of clients "C_n" want to sent documents to a receiver "R" by using a web browser (file upload). An eavesdropper "E" wants to know which "C_n" communicates with "R" and what information was exchanged.

Hide the fact that "C_n" communicates with "R" from "E" and protect the information exchanged.

1. "E" may know that a "C_n" wants to communicate with "R"

2. "E" knows all information given by "R" to "C_n" on how to communicate; this especially includes the IP address of the server to which the document should be uploaded by "C_n" and any additional technical settings and advice given to "C_n".

3. "E" has no (physical/logical) access to the computers of "C_n" or "R".

4. "E" has the capabilities to monitor all possible net traffic involved.

5. "C_n" is technically able to follow any technical instruction given by "R" on how to communicate (what applications to use, what configuration settings to be applied,...)

1. "R" operates a computer that runs a "TOR exit node" and a "SID" instance to receive the documents (via HTTP/POST requests) on the same machine. This setup is similar to the (no longer officially supported) TOR enclaved server scheme. Traffic from the TOR exit node to the SID instance is not visible from the outside.

2. "C_n" needs to install a TOR browser bundle on his/her computer once (and keep it up-to-date with appropriate security updates). "C_n" also needs to modify the TOR configuration file (torrc) on the computer to allow the .exit address scheme involved ("AllowDotExit 1").

3. If "C_n" want to sent a document, the following steps have to be performed:

   • "C_n" uses the TOR-enabled browser to connect to "SID" by specifying the TOR address of the server in a special notation called a DotExit address. This ensures that the TOR circuit builder will use the TOR exit node of "R" for communication with the SID instance.

   • For all communication between "C_n" and the SID instance, a cover communication is generated between the SID instance and a "Cover Server". The "Cover Server" is not a server operated by "R" but is a public web server on the Internet. Traffic between SID and the "Cover Server" look exactly like traffic between the "TOR exit node" and the "Cover Server"; this way "E" has to believe that "C_n" is talking to the cover server by looking at packet timing and size analysis.

     To enhance security, it is possible to "torify" the cover traffic by sending it across the Tor network to the cover server. Since the cover traffic and the client communication is matched in packet sizes and timing as much as possible, the new Tor trafiic will look like the SID node is an intermediate Tor node for "C_n" (see the COVER_HIDING document).

... can be found in the "docs/" folder