Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

Oops, Milan - you did it again. You remind me of those IRC users that feel the need to publicly announce that they're placing someone on IGNORE... and then never actually do it, because then the ignored user might say something mean about them and the IGNORing user wouldn't be able to make their awesome comeback. If your grammar and syntax are as bad in programming languages as in English, you must be a real liability to employ.

2009/12/16 Milan Berger m.ber...@project-mindstorm.net

> On Wed, 16 Dec 2009 00:54:44 +1100 dramacrat yirim...@gmail.com wrote:
>
>> *first at all, send to the list please not to me personally and list in cc.*
>>
>> *Ignoring the grammar, that's exactly what you just did. And what I just did, because that's default client behavior on a Reply-To-All.*
>
> my junk filter feels happy to get more morons.
>
> --
> Kind Regards
> Milan Berger
> Project-Mindstorm Technical Engineer
> --
> project-mindstorm.net
> Humboldtstrasse 69
> 90459 Nuremberg
> Germany
> Tel.: +49 911 27 56 381
> Mob.: +49 176 22 98 76 02
> http://www.project-mindstorm.net
> http://www.digital-bit.ch
> twitter: http://twitter.com/twit4c

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

Can't you guys quit with the witty personal remarks and discuss security? Seriously, I didn't subscribe for this list just to get personal attacks.

On Wed, Dec 16, 2009 at 9:12 AM, dramacrat yirim...@gmail.com wrote:

> Oops, Milan - you did it again. You remind me of those IRC users that feel the need to publicly announce that they're placing someone on IGNORE... and then never actually do it, because then the ignored user might say something mean about them and the IGNORing user wouldn't be able to make their awesome comeback. If your grammar and syntax are as bad in programming languages as in English, you must be a real liability to employ.
>
> 2009/12/16 Milan Berger m.ber...@project-mindstorm.net
>
>> On Wed, 16 Dec 2009 00:54:44 +1100 dramacrat yirim...@gmail.com wrote:
>>
>>> *first at all, send to the list please not to me personally and list in cc.*
>>>
>>> *Ignoring the grammar, that's exactly what you just did. And what I just did, because that's default client behavior on a Reply-To-All.*
>>
>> my junk filter feels happy to get more morons.
>>
>> --
>> Kind Regards
>> Milan Berger
>> Project-Mindstorm Technical Engineer
>> --
>> project-mindstorm.net
>> Humboldtstrasse 69
>> 90459 Nuremberg
>> Germany
>> Tel.: +49 911 27 56 381
>> Mob.: +49 176 22 98 76 02
>> http://www.project-mindstorm.net
>> http://www.digital-bit.ch
>> twitter: http://twitter.com/twit4c
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

Christian Sciberras wrote:

> Seriously, I didn't subscribe for this list just to get personal attacks.

You're on the wrong list then...

Regards,
Nick FitzGerald
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

Hmm. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. I wonder where I've read that...

Regards.

On Wed, Dec 16, 2009 at 10:26 AM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

> Christian Sciberras wrote:
>
>> Seriously, I didn't subscribe for this list just to get personal attacks.
>
> You're on the wrong list then...
>
> Regards,
> Nick FitzGerald
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

Christian Sciberras to me:

> Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. I wonder where I've read that...

So, knowing that, you decided to post your deeply security-illuminating "Seriously, I didn't subscribe for this list just to get personal attacks" comment, _to the list_? You're clearly a bigger moron than your initial comment suggests! Thanks for pointing that out to us...

Regards,
Nick FitzGerald
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

I don't recall insulting anyone. How does that count as a personal attack to anyone? I'm no moderator and can't point out anything to someone in particular, I keep talking in general. If you think I'd get down low and insult anyone, spare it.

Regards,
Christian Sciberras.

On Wed, Dec 16, 2009 at 10:47 AM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

> Christian Sciberras to me:
>
>> Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. I wonder where I've read that...
>
> So, knowing that, you decided to post your deeply security-illuminating "Seriously, I didn't subscribe for this list just to get personal attacks" comment, _to the list_? You're clearly a bigger moron than your initial comment suggests! Thanks for pointing that out to us...
>
> Regards,
> Nick FitzGerald
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

May I call your attention on this: http://images.google.de/images?sourceid=chromeq=arguing+on+the+internet ?

Regards

2009/12/16 Christian Sciberras uuf6...@gmail.com

> I don't recall insulting anyone. How does that count as a personal attack to anyone?
>
> Regards,
> Christian Sciberras.
>
> On Wed, Dec 16, 2009 at 10:47 AM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:
>
>> Christian Sciberras to me:
>>
>>> Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. I wonder where I've read that...
>>
>> So, knowing that, you decided to post your deeply security-illuminating "Seriously, I didn't subscribe for this list just to get personal attacks" comment, _to the list_? You're clearly a bigger moron than your initial comment suggests! Thanks for pointing that out to us...
>>
>> Regards,
>> Nick FitzGerald
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

A few words of wisdom I suppose...

On Wed, Dec 16, 2009 at 2:14 PM, Jan G.B. ro0ot.w...@googlemail.com wrote:

> May I call your attention on this: http://images.google.de/images?sourceid=chromeq=arguing+on+the+internet ?
>
> Regards
>
> 2009/12/16 Christian Sciberras uuf6...@gmail.com
>
>> I don't recall insulting anyone. How does that count as a personal attack to anyone?
>>
>> Regards,
>> Christian Sciberras.
>>
>> On Wed, Dec 16, 2009 at 10:47 AM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:
>>
>>> Christian Sciberras to me:
>>>
>>>> Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. I wonder where I've read that...
>>>
>>> So, knowing that, you decided to post your deeply security-illuminating "Seriously, I didn't subscribe for this list just to get personal attacks" comment, _to the list_? You're clearly a bigger moron than your initial comment suggests! Thanks for pointing that out to us...
>>>
>>> Regards,
>>> Nick FitzGerald
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

>> Google Chrome ... DNS ... sent to the system's configured DNS cache.
>
> that is why #1 at top of big red WARNING box about using Tor properly says:
> https://www.torproject.org/download.html.en#Warning
>
> 1. Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn't magically anonymize all your traffic just because you install it. We recommend you use Firefox with the Torbutton extension.
>
> the only way to avoid DNS leaks despite most application configuration is a transparent Tor proxy that intercepts all DNS and TCP at the network layer and performs a redirect to the Tor Tcp and DNS Ports. (see man page.)

Bullshit. Tor proxies are a) not the best way b) many apps like firefox enable using proxy for dns as well as other connections.

--
Kind Regards
Milan Berger
Project-Mindstorm Technical Engineer
--
project-mindstorm.net
Humboldtstrasse 69
90459 Nuremberg
Germany
Tel.: +49 911 27 56 381
Mob.: +49 176 22 98 76 02
http://www.project-mindstorm.net
http://www.digital-bit.ch
twitter: http://twitter.com/twit4c
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

On Tue, 15 Dec 2009 10:14:31 +0100, Milan Berger said:

>> the only way to avoid DNS leaks despite most application configuration is a transparent Tor proxy that intercepts all DNS and TCP at the network layer and performs a redirect to the Tor Tcp and DNS Ports. (see man page.)
>
> Bullshit. Tor proxies are a) not the best way b) many apps like firefox enable using proxy for dns as well as other connections.

Not bullshit at all. Taking the points in reverse order:

(b) Note that 'many apps' means mostly avoid, not totally avoid. You run any app that's not DNS-proxy aware, you just leaked and whoever you're using Tor to avoid is now potentially pounding on your door. Sure, the difference doesn't matter if you're using Tor to be a cool wanker. But if you're using Tor because it *matters*, 98% of apps get it right themselves is a big *fail*. You really want to enforce 100% correctness whether the app is correct or not. (Stated in another way - sometimes DAC just doesn't cut it, and you really *do* want the added complication of MAC).

(a) If you have a better way than a Tor proxy to avoid DNS leaks from programs that don't DNS-proxy themselves, feel free to actually *tell* us what it is, rather than just babble they aren't the best way. Given you got the *other* point totally wrong, we have no reason to believe a content-free 'not the best way' unless you actually have an evaluatable statement like 'XYZ is better'.
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

Hi Vlad,

first at all, send to the list please not to me personally and list in cc.

> (a) If you have a better way than a Tor proxy to avoid DNS leaks from programs that don't DNS-proxy themselves, feel free to actually *tell* us what it is, rather than just babble they aren't the best way. Given you got the *other* point totally wrong, we have no reason to believe a content-free 'not the best way' unless you actually have an evaluatable statement like 'XYZ is better'.

I think there are better ways than TOR this is what I actually said. 'not the best way' meant TOR. Hope this explains it much better.

--
Kind Regards
Milan Berger
Project-Mindstorm Technical Engineer
--
project-mindstorm.net
Humboldtstrasse 69
90459 Nuremberg
Germany
Tel.: +49 911 27 56 381
Mob.: +49 176 22 98 76 02
http://www.project-mindstorm.net
http://www.digital-bit.ch
twitter: http://twitter.com/twit4c
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

*first at all, send to the list please not to me personally and list in cc.*

*Ignoring the grammar, that's exactly what you just did. And what I just did, because that's default client behavior on a Reply-To-All.*

2009/12/16 Milan Berger m.ber...@project-mindstorm.net

> Hi Vlad,
>
> first at all, send to the list please not to me personally and list in cc.
>
>> (a) If you have a better way than a Tor proxy to avoid DNS leaks from programs that don't DNS-proxy themselves, feel free to actually *tell* us what it is, rather than just babble they aren't the best way. Given you got the *other* point totally wrong, we have no reason to believe a content-free 'not the best way' unless you actually have an evaluatable statement like 'XYZ is better'.
>
> I think there are better ways than TOR this is what I actually said. 'not the best way' meant TOR. Hope this explains it much better.
>
> --
> Kind Regards
> Milan Berger
> Project-Mindstorm Technical Engineer
> --
> project-mindstorm.net
> Humboldtstrasse 69
> 90459 Nuremberg
> Germany
> Tel.: +49 911 27 56 381
> Mob.: +49 176 22 98 76 02
> http://www.project-mindstorm.net
> http://www.digital-bit.ch
> twitter: http://twitter.com/twit4c
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

The point is besides the fact that you can configure Chrome to proxy through Tor or anything else, Chrome is not supposed to leak DNS - it's a bug that Firefox currently does not have for instance. Many users use proxies to avoid corporate and other firewalls, and to prevent leakage of information a suppressive government will throw them in jail for - China for instance. Tor just makes a good example.

IT IS IMPORTANT FOR UNWITTING USERS TO KNOW ABOUT THIS BUG. They may be thinking that Chrome is safe for proxies.

The other OT issue about Chrome is of course even despite you using a proxy the right way all the real information about you will be found on Google's servers anyway because Chrome has a lot of hidden information collecting eggs that Google won't talk about. The company has decided that privacy does not matter long time ago. And if it does matter for you - well according to Google then you are a criminal.
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

Nix,

Proxies are not a security technology in the way you think they are.

Way back in the day, NAT didn't exist. In order for large numbers of users to share a small number of IP addresses, application layer gateways -- proxies -- needed to be written such that a backend client could ask for connectivity through the one host on the network that had direct Internet access. Some of these proxies were protocol specific (HTTP, FTP, Gopher), and some were more generic (SOCKS4/5).

While there were toolkits that allowed transparent proxying to be loaded into any network application -- so called socksifiers -- they were always a little unstable and obtuse. So any application that wanted to function in a corporate environment eventually got proxy support built right into the UI.

This wasn't for security. It was the 90's, nobody did *anything* for security. It was just for connectivity.

There are some implications to this. While the UI declares proxies MAY be used, it doesn't actually mean they MUST be used. More protocols than HTTP are accessible via the web browser. Do you think SMB uses the browser configured proxies? What about Flash and Java sockets? And even if they did use the proxies, SOCKS4 didn't even support remote DNS in its first incarnation; that support was added unofficially in SOCKS4a and officially in SOCKS5. To this day, Firefox can't turn remote DNS on by default, because so many of the proxies have buggy implementations of it.

The TOR guys are aware of all of this, of course. The approach they've been working on has been to virtualize the entire network stack of the Windows instance behind a Linux VM. That's the only real way to prevent leaks. Playing whack-a-mole at the application layer is ultimately pointless. If you want to prevent network traffic from leaking, you really need full access to all traffic.

--Dan

On Tue, Dec 15, 2009 at 1:01 PM, nixlists nixmli...@gmail.com wrote:

> The point is besides the fact that you can configure Chrome to proxy through Tor or anything else, Chrome is not supposed to leak DNS - it's a bug that Firefox currently does not have for instance. Many users use proxies to avoid corporate and other firewalls, and to prevent leakage of information a suppressive government will throw them in jail for - China for instance. Tor just makes a good example.
>
> IT IS IMPORTANT FOR UNWITTING USERS TO KNOW ABOUT THIS BUG. They may be thinking that Chrome is safe for proxies.
>
> The other OT issue about Chrome is of course even despite you using a proxy the right way all the real information about you will be found on Google's servers anyway because Chrome has a lot of hidden information collecting eggs that Google won't talk about. The company has decided that privacy does not matter long time ago. And if it does matter for you - well according to Google then you are a criminal.
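
The SOCKS4 / SOCKS4a / SOCKS5 difference described in the message above, as an added example that is not part of the original thread: it builds the CONNECT request for each variant and classifies a captured request by who performs the name lookup. Function names and the sample requests are constructed for illustration; the byte layouts follow the published SOCKS4, SOCKS4a and SOCKS5 (RFC 1928) formats.

```python
import ipaddress
import struct

# Function names and SAMPLE are constructed for this example.

def socks4_connect(ip, port, user=b""):
    """SOCKS4: DSTIP is a 4-byte IPv4 field, so the client must resolve first."""
    return struct.pack(">BBH", 4, 1, port) + ipaddress.IPv4Address(ip).packed + user + b"\x00"

def socks4a_connect(host, port, user=b""):
    """SOCKS4a: DSTIP 0.0.0.x (x != 0) asks the proxy to resolve the trailing name."""
    return (struct.pack(">BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + user + b"\x00" + host.encode("ascii") + b"\x00")

def socks5_connect(host, port):
    """SOCKS5 CONNECT with ATYP 0x03: the hostname travels to the proxy."""
    name = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def socks5_connect_ip(ip, port):
    """SOCKS5 CONNECT with ATYP 0x01: the client already holds an IPv4 address."""
    return b"\x05\x01\x00\x01" + ipaddress.IPv4Address(ip).packed + struct.pack(">H", port)

def classify(request):
    """Return (resolver, target) for one captured CONNECT request.

    resolver is "proxy" when the name is sent for remote resolution and
    "client" when only an address is sent (resolved locally, or an IP literal).
    """
    version = request[0]
    if version == 4:
        port = struct.unpack(">H", request[2:4])[0]
        addr, rest = request[4:8], request[8:]
        if addr[:3] == b"\x00\x00\x00" and addr[3] != 0:
            _user, _, tail = rest.partition(b"\x00")
            host = tail.split(b"\x00", 1)[0].decode("ascii")
            return "proxy", f"{host}:{port}"
        return "client", f"{ipaddress.IPv4Address(addr)}:{port}"
    if version == 5:
        atyp = request[3]
        if atyp == 3:
            n = request[4]
            host = request[5:5 + n].decode("ascii")
            port = struct.unpack(">H", request[5 + n:7 + n])[0]
            return "proxy", f"{host}:{port}"
        size = {1: 4, 4: 16}.get(atyp)
        if size is None:
            raise ValueError(f"unknown SOCKS5 address type {atyp}")
        addr = ipaddress.ip_address(request[4:4 + size])
        port = struct.unpack(">H", request[4 + size:6 + size])[0]
        return "client", f"{addr}:{port}"
    raise ValueError(f"not a SOCKS request (version byte {version})")

def local_resolutions(requests):
    """Targets whose name lookup did not go through the proxy."""
    return [target for who, target in map(classify, requests) if who == "client"]

# Constructed sample: what four differently configured clients would send.
SAMPLE = [
    socks4_connect("192.0.2.10", 443),
    socks4a_connect("example.com", 443),
    socks5_connect("example.com", 80),
    socks5_connect_ip("198.51.100.7", 80),
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(classify(req), req.hex())
```

A "client" result only shows that no name reached the proxy; confirming an actual leak still means checking for the matching query to the system resolver on the wire.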
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

On Tue, Dec 15, 2009 at 9:39 PM, Dan Kaminsky d...@doxpara.com wrote:

> Nix,
>
> Proxies are not a security technology in the way you think they are.

They're not, but many still use the browsers' proxy features hoping for more anonymity and avoidance of data sniffing. Most users are not security experts. They are not able or are not allowed to use VPNs and such.

> leaks. Playing whack-a-mole at the application layer is ultimately pointless. If you want to prevent network traffic from leaking, you really need full access to all traffic.

It's pointless from the viewpoint of a security expert, not an everyday computer user that uses these features thinking it's harder to sniff traffic. Application bugs like this still need to be disclosed and fixed. No?
[Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

Google Chrome 3.0.195.33 has DNS pre-fetching feature enabled by default. If a user is using Chrome with a proxy, the DNS queries must go through the proxy by design, but with the DNS pre-fetching enabled they are still sent to the system's configured DNS cache.

This seems also true for the SOCKS proxy in Chromium regardless of whether DNS pre-fetching is enabled or not as shown here: http://code.google.com/p/chromium/issues/detail?id=29914

I have not verified the SOCKS proxy issue.

This presents a serious risk for the users of the services such as Tor, as their DNS data and the little anonymity they have with tor is leaked outside and in the clear.
Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outside of proxy if DNS pre-fetching is enabled

On Mon, Dec 14, 2009 at 12:45 PM, nixlists nixmli...@gmail.com wrote:

> Google Chrome ... DNS ... sent to the system's configured DNS cache.

that is why #1 at top of big red WARNING box about using Tor properly says:
https://www.torproject.org/download.html.en#Warning

1. Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn't magically anonymize all your traffic just because you install it. We recommend you use Firefox with the Torbutton extension.

the only way to avoid DNS leaks despite most application configuration is a transparent Tor proxy that intercepts all DNS and TCP at the network layer and performs a redirect to the Tor Tcp and DNS Ports. (see man page.)

RTFM FTW ... but never hurts to point out the obvious i guess...