Re: Chrome and Safari IP leak
On Tue, Dec 07, 2010 at 05:12:57PM +0100, Karsten N. wrote:
> a warning for using Google Chrome, Safari or other Webkit based
> browsers with Tor. Because of a bug in the FTP proxy settings users
> can be deanonymized by FTP links.
[snip]
> Maybe Torproject.org can blog a warning for Tor users too.

Let me be even broader: if you want to be safe, you must never use Tor
with any browser except Firefox, and you must also use Torbutton. If you
don't do both, you can lose from a wide variety of application-level
attacks.

See also https://www.torproject.org/download/download#warning

--Roger

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Re: Chrome and Safari IP leak
On Tue, 7 Dec 2010, Roger Dingledine wrote:
> Let me be even broader: if you want to be safe, you must never use Tor
> with any browser except Firefox, and you must also use Torbutton. If
> you don't do both, you can lose from a wide variety of
> application-level attacks.

Wait, what about lynx ?

I can't be safe by running lynx inside of a jail with no routable IP ?
(10.10.10.10)
Re: Chrome and Safari IP leak
On Tue, Dec 07, 2010 at 11:12:37PM +, John Case wrote:
>> Let me be even broader: if you want to be safe, you must never use
>> Tor with any browser except Firefox, and you must also use Torbutton.
>> If you don't do both, you can lose from a wide variety of
>> application-level attacks.
>
> Wait, what about lynx ?
>
> I can't be safe by running lynx inside of a jail with no routable IP ?
> (10.10.10.10)

Sorry, I've been talking to too many ordinary users lately. :)

I don't know of any problems with lynx. I think you'll still want to
think about topics like cookies and whether your http headers make you
recognizable. Take a look through
https://www.torproject.org/torbutton/design/
for more topics to think about.

Web browsers like 'wget' should also be pretty safe in general. But
somebody needs to analyze them in more detail.

--Roger
Re: Chrome and Safari IP leak
Thus spake Roger Dingledine (a...@mit.edu):
> On Tue, Dec 07, 2010 at 11:12:37PM +, John Case wrote:
>> Wait, what about lynx ?
>>
>> I can't be safe by running lynx inside of a jail with no routable
>> IP ? (10.10.10.10)
>
> Sorry, I've been talking to too many ordinary users lately. :)
>
> I don't know of any problems with lynx. I think you'll still want to
> think about topics like cookies and whether your http headers make
> you recognizable. Take a look through
> https://www.torproject.org/torbutton/design/
> for more topics to think about.
>
> Web browsers like 'wget' should also be pretty safe in general. But
> somebody needs to analyze them in more detail.

Turns out that wget can be 302d between schemes to cause you to bypass
proxy settings. For example, if you have the $HTTP_PROXY environment
variable set but nothing for $HTTPS_PROXY, a 302 to an https url will
cause you to bypass proxy. I wouldn't be surprised if the same could
happen for an ftp url.

So the answer is Just because you think your program is simple doesn't
mean it is. We haven't fully audited anything other than Firefox, but
we do know most of it isn't safe.

Robert Hogan *has* audited a few more apps, but only in conjunction
with his 'torsocks' utility:
http://code.google.com/p/torsocks/

It looks like wget also has a note there about unsafe HTTP headers..
Not sure exactly what it is sending.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: Chrome and Safari IP leak
Thus spake Karsten N. (tor-ad...@privacyfoundation.de):
> a warning for using Google Chrome, Safari or other Webkit based
> browsers with Tor. Because of a bug in the FTP proxy settings users
> can be deanonymized by FTP links.

As Roger said, Chrome is not yet supported. We're working with Google
to change this:
https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting

But thanks for reporting this bug. Turns out it already has a ticket
in Chrome's bug tracker, but I wasn't aware of it:
https://code.google.com/p/chromium/issues/detail?id=11227

I've added it to our list of Chrome issues at:
https://trac.torproject.org/projects/tor/ticket/1925

I will also ping the lead developer for Chrome proxy settings.
Unfortunately, they are currently on leave until early next year I
believe.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: Wget (was Chrome and Safari IP leak)
On Tue, 07 Dec 2010 15:34 -0800, Mike Perry mikepe...@fscked.org wrote:
> Turns out that wget can be 302d between schemes to cause you to bypass
> proxy settings. For example, if you have the $HTTP_PROXY environment
> variable set but nothing for $HTTPS_PROXY, a 302 to an https url will
> cause you to bypass proxy. I wouldn't be surprised if the same could
> happen for an ftp url.

Interesting. If I have in .wgetrc

    https_proxy = http://127.0.0.1:8118

redirection still fails:

    wget -O - https://paypal.com/
    --00:27:52-- https://paypal.com/
    = `-'
    Resolving 127.0.0.1... 127.0.0.1
    Connecting to 127.0.0.1:8118... connected.
    Proxy request sent, awaiting response... 301 Moved Permanently
    Location: https://www.paypal.comhttps://paypal.com/ [following]

Is that a PayPal problem or a Wget problem?

GD
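
Added example, not part of the thread or of any poster's message: a shell check for the cross-scheme proxy bypass Mike Perry describes and the .wgetrc setup in the follow-up. It reports which of http, https and ftp have no proxy in either the lowercase environment variables or the wgetrc, and the wrapper `guarded_wget` (a hypothetical name) refuses to start wget while any scheme is uncovered. Assumptions: wgetrc parsing is simplified to plain `name = value` lines, and `no_proxy` is not examined.

```shell
#!/bin/sh
# Added example: find URL schemes for which wget has no proxy configured.
# A redirect into such a scheme would be fetched directly, outside the proxy.

# wgetrc_value FILE NAME -> print the value of the last "NAME = value" line.
# Simplified parser (assumption): lowercase names only; lines starting with
# "#" never match because the pattern is anchored at the start of the line.
wgetrc_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# unproxied_schemes [WGETRC] -> print space-separated schemes with no proxy.
# Only the lowercase variable names documented in wget's manual are counted.
unproxied_schemes() {
    rc=${1:-$HOME/.wgetrc}
    missing=""
    for scheme in http https ftp; do
        name="${scheme}_proxy"
        from_rc=$(wgetrc_value "$rc" "$name")
        eval "from_env=\${$name:-}"
        if [ -z "$from_rc" ] && [ -z "$from_env" ]; then
            missing="${missing}${missing:+ }${scheme}"
        fi
    done
    # "use_proxy = off" disables proxying for every scheme.
    if [ "$(wgetrc_value "$rc" use_proxy)" = "off" ]; then
        missing="http https ftp"
    fi
    printf '%s\n' "$missing"
}

# guarded_wget ARGS... -> run wget only when all three schemes are proxied.
guarded_wget() {
    missing=$(unproxied_schemes "${WGETRC:-$HOME/.wgetrc}")
    if [ -n "$missing" ]; then
        echo "refusing to run wget: no proxy set for: $missing" >&2
        return 1
    fi
    wget "$@"
}
```

A configured proxy entry for each scheme only shows that wget will attempt to use a proxy; whether that proxy handles the scheme correctly, as the https question above asks, has to be tested separately.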