Re: Firefox through Tor
Hi Eric,

Yes, I am sure about that. When I start up Firefox I get the current IP from ipid.shat.net and the status line tells me that I am using a remote squid-proxy. When I press reload I get the proxy's IP address. Same thing happens when I close Firefox and start up again so cache should have been proxy now... It looks to be a sync problem with the enabling of foxyproxy and the use of the home-page upon startup.

I am using an updated Dapper with Firefox 1.5.0.2

Best of luck with the testing! This is not a problem for me now that I know about it, but it should not be there :)

- Lasse

Eric H. Jung wrote:

Hi Lasse, Very strange. I tested this thoroughly so I don't know why you're seeing different results. Are you sure the page isn't cached in Firefox already? Thanks, Eric

--- Lasse Øverlier [EMAIL PROTECTED] wrote:

Hi Eric, This is an important feature announcement in an otherwise great extension: If you have a homepage in the browser loaded upon startup, it does NOT use the foxyproxy settings on this first page! A later reload will be done through foxyproxy... I guess people can see the potential problems themselves. Test http://ipid.shat.net/iponly as startup page. - Lasse
Re: Firefox through Tor
Hi Eric, This is an important feature announcement in an otherwise great extension: If you have a homepage in the browser loaded upon startup, it does NOT use the foxyproxy settings on this first page! A later reload will be done through foxyproxy... I guess people can see the potential problems themselves. Test http://ipid.shat.net/iponly as startup page. - Lasse
Re: Firefox through Tor
Hi Lasse,

Very strange. I tested this thoroughly so I don't know why you're seeing different results. Are you sure the page isn't cached in Firefox already?

Thanks, Eric

--- Lasse Øverlier [EMAIL PROTECTED] wrote:

Hi Eric, This is an important feature announcement in an otherwise great extension: If you have a homepage in the browser loaded upon startup, it does NOT use the foxyproxy settings on this first page! A later reload will be done through foxyproxy... I guess people can see the potential problems themselves. Test http://ipid.shat.net/iponly as startup page. - Lasse
Re: Firefox through Tor
Thus spake glymr ([EMAIL PROTECTED]):

Yes, inverting the filter so that you list only sites that you trust to connect to in the clear is a much safer option (and much easier to implement!), but my guess is that it will be much less popular than the ability to specify the sites you only want to visit through Tor (ie gmail/yahoo/.onion). Therein lies the dilemma.

what about changing the proxy program so it always runs through privoxy, and having foxyproxy switch the upstream proxy to none or tor. this solves the problem of identifiable information from the beginning because it strips most of the identifiable stuff. you don't even see those evil spy-cookie producing ads with privoxy. if there is any simple way to make it possible to quickly switch privoxy to and from tor that would strengthen the anonymity a lot.

I regularly purge tons of cookies from doubleclick, informit, googlesyndication, ad nauseam that have been collected even through privoxy. Unfortunately privoxy really should only be depended upon as a SOCKS to HTTP proxy converter. It is not a reliable privacy tool anymore.

I do think that it should be possible to build such a filter though. And it would be very very nice to have.

While I'm at it, let me strengthen this statement by saying that such a filter for selective torrification is pretty much a necessity for the simple reason that every Tor user *has* to do all the countermeasures by hand anyway as-is if they ever turn Tor off (which I imagine most of them do, esp during periods of network lag). If an extension such as Foxyproxy can perform these tasks automatically, and can be verified to be performing them correctly each time, this is a vast improvement over everyone doing it by hand (especially for Tor newbies).

-- Mike Perry Mad Computer Scientist fscked.org evil labs
Re: Firefox through Tor
I forgot to mention that if a URL doesn't match any patterns defined in FoxyProxy, FoxyProxy *does not* default to a direct connection. Instead, it defaults to whatever proxy (if any) has been defined in Firefox's Connection Settings. By defining Tor as the proxy in Firefox's Connection Settings, Tor is used as a catch-all for non-matches.

I'll shortly be adding blacklist capability to FoxyProxy (it already has whitelist ability). That, in conjunction with the above catch-all, should provide enough ingredients to come up with some safe recipe for some of the problems both of you describe, no?

--- Eric H. Jung [EMAIL PROTECTED] wrote:

Hello Michaels, I apologize for the delayed reply. Please don't interpret the delay as a lack of interest--it surely isn't.

Quoting Mike Perry: Just clearing cookies every time there is a switch is not enough if there is an automatic Tor filter in place. The problem is that yahoo can custom-generate its links to DoubleClick so they encode your email address (dunno if they do do this, but I'm sure some sites and ad partners do). Therefore identifying information is sent independent of the cookie.

I hope you'll both agree there's nothing FoxyProxy can do about this. Unless you have a striking revelation which could solve the problem programmatically, I'm just going to add this to the FoxyProxy FAQ as a "be careful" warning in an attempt to educate.

Quoting Mike Perry: See the problem?

Yes, I do now. Thank you.

Quoting Mike Perry: but if you're asking whether XPCOM allows one to use a proxy on/off based on a page and all its components (images, css files, js files), the answer is yes. Yes, excellent. That is the property that is needed. If you use that level of control, you are fine.

OK. I will research this further and post my results, especially regarding the frames/iframes question.

Quoting Mike Perry: 2. Links. Say I want to know who [EMAIL PROTECTED] is. I send them a mail (possibly spoofed to look like it's from a previous correspondent of theirs) instructing them to click on some link that I control that no one else has seen. This can happen inadvertently or accidentally even, I know I've accidentally clicked on an ad banner/stray link here or there. Can you provide some sort of option so that the proxy stays enabled for links clicked from a proxy-enabled page? Would be useful for those of us with over-sensitive touchpads :)

This is more difficult, but I've thought of an interesting way to do this.

On a related note to this thread, you might find this conversation interesting: http://s9.invisionfree.com/foxyproxy/index.php?showtopic=10

-Eric
Re: Firefox through Tor
Perhaps you could have a foxy proxy frame (this might be what they were talking about) that routes all the traffic in that frame through tor in order to protect users from insecure images etc.

On 4/28/06, Eric H. Jung [EMAIL PROTECTED] wrote:

Hello Michaels, I apologize for the delayed reply. Please don't interpret the delay as a lack of interest--it surely isn't.

Quoting Mike Perry: Just clearing cookies every time there is a switch is not enough if there is an automatic Tor filter in place. The problem is that yahoo can custom-generate its links to DoubleClick so they encode your email address (dunno if they do do this, but I'm sure some sites and ad partners do). Therefore identifying information is sent independent of the cookie.

I hope you'll both agree there's nothing FoxyProxy can do about this. Unless you have a striking revelation which could solve the problem programmatically, I'm just going to add this to the FoxyProxy FAQ as a "be careful" warning in an attempt to educate.

Quoting Mike Perry: See the problem?

Yes, I do now. Thank you.

Quoting Mike Perry: but if you're asking whether XPCOM allows one to use a proxy on/off based on a page and all its components (images, css files, js files), the answer is yes. Yes, excellent. That is the property that is needed. If you use that level of control, you are fine.

OK. I will research this further and post my results, especially regarding the frames/iframes question.

Quoting Mike Perry: 2. Links. Say I want to know who [EMAIL PROTECTED] is. I send them a mail (possibly spoofed to look like it's from a previous correspondent of theirs) instructing them to click on some link that I control that no one else has seen. This can happen inadvertently or accidentally even, I know I've accidentally clicked on an ad banner/stray link here or there. Can you provide some sort of option so that the proxy stays enabled for links clicked from a proxy-enabled page? Would be useful for those of us with over-sensitive touchpads :)

This is more difficult, but I've thought of an interesting way to do this.

On a related note to this thread, you might find this conversation interesting: http://s9.invisionfree.com/foxyproxy/index.php?showtopic=10

-Eric
Re: Firefox through Tor
Thus spake Eric H. Jung ([EMAIL PROTECTED]):

Hello Michaels, I apologize for the delayed reply. Please don't interpret the delay as a lack of interest--it surely isn't.

Quoting Mike Perry: Just clearing cookies every time there is a switch is not enough if there is an automatic Tor filter in place. The problem is that yahoo can custom-generate its links to DoubleClick so they encode your email address (dunno if they do do this, but I'm sure some sites and ad partners do). Therefore identifying information is sent independent of the cookie.

I hope you'll both agree there's nothing FoxyProxy can do about this. Unless you have a striking revelation which could solve the problem programmatically, I'm just going to add this to the FoxyProxy FAQ as a "be careful" warning in an attempt to educate.

Depending on the flexibility of XPCOM, it should be possible to solve this problem programmatically (but it is error-prone). I probably should summarize everything from this thread again just so you have it all in one place:

The way to solve the problem is to make sure that all embedded object links are in fact loaded through the active proxy for the parent tab/page. This includes frames, iframes, css, js, images, java, flash, and other misc plugin objects. Probably some other stuff too. So long as the 'evil' link-object is loaded through Tor, the problem is solved. The assumption is that the information encoded in the link isn't compromising by itself, but that the danger is that the browser will autoload the link in the clear and thus your real IP will be in that server's logs associating you with your Torrified email account.

Also, because of accidental clicks, phishing attacks, and referrer urls, user followed links should also be protected. Pretty much anything the user follows from a protected, proxied page should inherit that page's proxy settings (including links followed by opening them in a new tab/window).

Lastly, as Michael pointed out, you have to clear all cookies every time a proxy switch is done (mega bonus points for a mechanism to protect certain cookies from deletion a-la http://cookieculler.mozdev.org/). If you do not do this, a cookie accessed from an ad banner displayed while you are visiting a site in the clear can be transmitted again when you access your email account through Tor, thus ruining your pseudonymity against an adversary with access to the ad server's data (assume everyone). The reverse is also possible, so cookies have to be cleared in each direction of the switch.

Even with all these countermeasures, the type of filter where you specify only untrusted/Tor sites is error prone and should carry heavy warnings for people who truly need anonymity, and needs to be tested heavily by vigilant people with a wide variety of usage habits. I do think that it should be possible to build such a filter though. And it would be very very nice to have.

I forgot to mention that if a URL doesn't match any patterns defined in FoxyProxy, FoxyProxy *does not* default to a direct connection. Instead, it defaults to whatever proxy (if any) has been defined in Firefox's Connection Settings. By defining Tor as the proxy in Firefox's Connection Settings, Tor is used as a catch-all for non-matches. I'll shortly be adding blacklist capability to FoxyProxy (it already has whitelist ability). That, in conjunction with the above catch-all, should provide enough ingredients to come up with some safe recipe for some of the problems both of you describe, no?

Yes, inverting the filter so that you list only sites that you trust to connect to in the clear is a much safer option (and much easier to implement!), but my guess is that it will be much less popular than the ability to specify the sites you only want to visit through Tor (ie gmail/yahoo/.onion). Therein lies the dilemma.

-- Mike Perry Mad Computer Scientist fscked.org evil labs
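The three routing policies discussed in the message above, as an added example that is not part of the original thread and is not FoxyProxy's code. It compares a per-request Tor list, the same list with parent-page inheritance, and the inverted "direct only for trusted sites" filter; the host names, rule lists and function names are constructed for illustration.

```javascript
// Added illustration: constructed hosts and rule lists, not FoxyProxy's code.
const TOR = "tor", DIRECT = "direct";

// Turn a wildcard host pattern such as "*yahoo.com" into an anchored RegExp.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

function hostMatches(url, patterns) {
  const host = new URL(url).hostname;
  return patterns.some((p) => wildcardToRegExp(p).test(host));
}

// Policy A: only listed sites use Tor, decided per request; everything else is direct.
function perUrlTorList(req, cfg) {
  return hostMatches(req.url, cfg.torPatterns) ? TOR : DIRECT;
}

// Policy B: policy A, plus embedded objects and followed links inherit a Tor parent.
function inheritFromParent(req, cfg) {
  return req.parentProxy === TOR ? TOR : perUrlTorList(req, cfg);
}

// Policy C: inverted filter. Direct only for trusted hosts, Tor as the catch-all.
function directOnlyForTrusted(req, cfg) {
  return hostMatches(req.url, cfg.directPatterns) ? DIRECT : TOR;
}

// Route a page, then every embedded object and followed link it triggers.
function simulate(policy, cfg, page) {
  const pageProxy = policy({ url: page.url, parentProxy: null }, cfg);
  const log = [{ url: page.url, proxy: pageProxy }];
  for (const url of [...page.embedded, ...page.followedLinks]) {
    log.push({ url, proxy: policy({ url, parentProxy: pageProxy }, cfg) });
  }
  return log;
}

// Child requests sent from the real IP although the parent page was loaded via Tor.
function leaks(log) {
  if (log[0].proxy !== TOR) return [];
  return log.slice(1).filter((e) => e.proxy === DIRECT).map((e) => e.url);
}

// Constructed sample: a webmail page with an ad link carrying an ID, plus one clicked link.
const cfg = {
  torPatterns: ["*yahoo.com", "*.onion"],
  directPatterns: ["*cnn.com", "*slashdot.org"],
};
const mailPage = {
  url: "http://mail.yahoo.com/inbox",
  embedded: [
    "http://mail.yahoo.com/style.css",
    "http://ad.doubleclick.net/banner.gif?uid=constructed-id-123",
  ],
  followedLinks: ["http://tracker.example/unique-link-42"],
};

for (const policy of [perUrlTorList, inheritFromParent, directOnlyForTrusted]) {
  console.log(policy.name, leaks(simulate(policy, cfg, mailPage)));
}
```

Cookie state, which the message says must also be cleared on every switch, is not modeled here.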
Re: Firefox through Tor
Mike Perry wrote:

Thus spake Eric H. Jung ([EMAIL PROTECTED]):

Hello Michaels, I apologize for the delayed reply. Please don't interpret the delay as a lack of interest--it surely isn't.

Quoting Mike Perry: Just clearing cookies every time there is a switch is not enough if there is an automatic Tor filter in place. The problem is that yahoo can custom-generate its links to DoubleClick so they encode your email address (dunno if they do do this, but I'm sure some sites and ad partners do). Therefore identifying information is sent independent of the cookie.

I hope you'll both agree there's nothing FoxyProxy can do about this. Unless you have a striking revelation which could solve the problem programmatically, I'm just going to add this to the FoxyProxy FAQ as a "be careful" warning in an attempt to educate.

Depending on the flexibility of XPCOM, it should be possible to solve this problem programmatically (but it is error-prone). I probably should summarize everything from this thread again just so you have it all in one place:

The way to solve the problem is to make sure that all embedded object links are in fact loaded through the active proxy for the parent tab/page. This includes frames, iframes, css, js, images, java, flash, and other misc plugin objects. Probably some other stuff too. So long as the 'evil' link-object is loaded through Tor, the problem is solved. The assumption is that the information encoded in the link isn't compromising by itself, but that the danger is that the browser will autoload the link in the clear and thus your real IP will be in that server's logs associating you with your Torrified email account.

Also, because of accidental clicks, phishing attacks, and referrer urls, user followed links should also be protected. Pretty much anything the user follows from a protected, proxied page should inherit that page's proxy settings (including links followed by opening them in a new tab/window).

Lastly, as Michael pointed out, you have to clear all cookies every time a proxy switch is done (mega bonus points for a mechanism to protect certain cookies from deletion a-la http://cookieculler.mozdev.org/). If you do not do this, a cookie accessed from an ad banner displayed while you are visiting a site in the clear can be transmitted again when you access your email account through Tor, thus ruining your pseudonymity against an adversary with access to the ad server's data (assume everyone). The reverse is also possible, so cookies have to be cleared in each direction of the switch.

Even with all these countermeasures, the type of filter where you specify only untrusted/Tor sites is error prone and should carry heavy warnings for people who truly need anonymity, and needs to be tested heavily by vigilant people with a wide variety of usage habits. I do think that it should be possible to build such a filter though. And it would be very very nice to have.

I forgot to mention that if a URL doesn't match any patterns defined in FoxyProxy, FoxyProxy *does not* default to a direct connection. Instead, it defaults to whatever proxy (if any) has been defined in Firefox's Connection Settings. By defining Tor as the proxy in Firefox's Connection Settings, Tor is used as a catch-all for non-matches. I'll shortly be adding blacklist capability to FoxyProxy (it already has whitelist ability). That, in conjunction with the above catch-all, should provide enough ingredients to come up with some safe recipe for some of the problems both of you describe, no?

Yes, inverting the filter so that you list only sites that you trust to connect to in the clear is a much safer option (and much easier to implement!), but my guess is that it will be much less popular than the ability to specify the sites you only want to visit through Tor (ie gmail/yahoo/.onion). Therein lies the dilemma.

what about changing the proxy program so it always runs through privoxy, and having foxyproxy switch the upstream proxy to none or tor. this solves the problem of identifiable information from the beginning because it strips most of the identifiable stuff. you don't even see those evil spy-cookie producing ads with privoxy. if there is any simple way to make it possible to quickly switch privoxy to and from tor that would strengthen the anonymity a lot.
Re: Firefox through Tor
Hi Mike, The I2P folks are very vocal against doing exactly this for .i2p addresses. Forgive my ignorance. What is I2P? Unique identifiers can be handed to the ad sites that will associate the torrified email account access with the non-torrified ad server access. True, but I don't see how this is a result of FoxyProxy. IOW, doesn't this problem exist when using Tor exclusively without FoxyProxy? Does XPCOM allow you to solve this problem somehow? I'm not sure I fully understand the problem yet (please elaborate), but if you're asking whether XPCOM allows one to use a proxy on/off based on a page and all its components (images, css files, js files), the answer is yes.
Re: Firefox through Tor
So the problem is that a motivated adversary can subpoena or simply ask DoubleClick to hand over their IP/cookie logs. If you are using Tor for /everything/, then what they get from DoubleClick for that email address is just a Tor IP, no harm no foul. However, if the user had set up a filter that only sends *yahoo.com through Tor, then DoubleClick will have their /real IP/ on file in association with whatever unique ID yahoo passed for that email address, even though yahoo's records show only the Tor IP.

SwitchProxy (as well as CTRL+SHIFT+DEL) in Firefox will clear all cookies. Anytime you switch between TOR/Direct you should close down to all but one blank window, clear cookies/cache one way or another, and *then* proceed.

/mike.
Re: Firefox through Tor
Thus spake Michael Holstein ([EMAIL PROTECTED]):

So the problem is that a motivated adversary can subpoena or simply ask DoubleClick to hand over their IP/cookie logs. If you are using Tor for /everything/, then what they get from DoubleClick for that email address is just a Tor IP, no harm no foul. However, if the user had set up a filter that only sends *yahoo.com through Tor, then DoubleClick will have their /real IP/ on file in association with whatever unique ID yahoo passed for that email address, even though yahoo's records show only the Tor IP.

SwitchProxy (as well as CTRL+SHIFT+DEL) in Firefox will clear all cookies. Anytime you switch between TOR/Direct you should close down to all but one blank window, clear cookies/cache one way or another, and *then* proceed.

Just clearing cookies every time there is a switch is not enough if there is an automatic Tor filter in place. The problem is that yahoo can custom-generate its links to DoubleClick so they encode your email address (dunno if they do do this, but I'm sure some sites and ad partners do). Therefore identifying information is sent independent of the cookie.

-- Mike Perry Mad Computer Scientist fscked.org evil labs
Re: Firefox through Tor
Thus spake Michael Holstein ([EMAIL PROTECTED]):

The problem is that yahoo can custom-generate its links to DoubleClick so they encode your email address (dunno if they do do this, but I'm sure some sites and ad partners do). Therefore identifying information is sent independent of the cookie.

Which is why one should have separate accounts created for anonymous use, and do everything (including setup of those accounts) from an anonymized connection. Once you've touched your anonymous account from a session involving anything that *isn't* anonymous, it's game over.

Agreed. This is also why an automatic filter is dangerous if it is not done properly. Just one slip-up, accidental click, etc, and you're toast.

-- Mike Perry Mad Computer Scientist fscked.org evil labs
Firefox through Tor
Hi,

I'm happy to announce a new Firefox extension which is built with Tor in mind from the ground up.

FoxyProxy - http://foxyproxy.mozdev.org

I took the things I liked about SwitchProxy, TorButton, ProxyButton, QuickButton, xyzproxy, etc. and added a number of crucial features:

* Tor Wizard - now zero configuration to use Firefox with Tor
* Define proxy use based on URL patterns using wildcards and/or regular expressions: now you can route *.onion domains and web mail accounts (gmail, yahoo, etc) through Tor but not CNN and Slashdot, for example, without having to constantly change Firefox's proxy settings.
* Define multiple proxies
* No more wondering whether or not a URL loaded through a proxy: FoxyProxy includes a complete log of all URLs loaded, including which proxy was used, which pattern was matched, timestamps, etc.
* Temporarily or permanently dedicate all URLs to go through a particular proxy
* Temporarily or permanently disable use of a proxy
* FoxyProxy hooks directly into Firefox via XPCOM--this yields much greater performance than the de facto standard of updating about:config preferences programmatically (used by every other proxy extension I could find)
* Lots more

I hope you enjoy it. I look forward to your comments.

Sincerely, Eric H. Jung