Re: Stripping code with Privoxy (was: Warnings on the download page)

2007-03-10 Thread Fabian Keil
Freemor [EMAIL PROTECTED] wrote:

 I've been watching this thread with some interest and as the talk of
 mis-configured browsers and mis-behaving plug-ins grew I found myself
 thinking that there must be an easier way to fix the problem. It occurred
 to me that what is needed (at least until a more permanent solution can
 be found) is a way to stop the offending material from making it to a
 potentially misconfigured application. 
 
   So I started thinking about another proxy in the chain to strip all
 Java and JavaScript etc. It then occurred to me that Privoxy can most
 likely do this if a much more strict action file were written.
 
 so my questions are:
 
   1 - Can a modified actions file be made that would strip all
 Java/JavaScript, Flash, streaming media, etc.? From looking at the Privoxy
 documentation it looks possible so far (but I'm no Privoxy guru).

There are too many different ways to embed or reference
code in HTML. Creating such a Privoxy filter would take a lot
of time and I doubt that it would ever work reliably enough to
be remotely useful, even if you ignore the fact that it would
only work for HTTP anyway.

The filter would only remove the stuff its creators knew about,
and while that may (or may not) be a lot, it would still default
to permit.

Default permit is OK when it comes to blocking ads and other minor
annoyances, but it's a really bad idea when it comes to security: 
http://www.ranum.com/security/computer_security/editorials/dumb/

   2 - If 1 is possible wouldn't it be easiest to include the stricter
 action file in the tor/privoxy/vidalia bundle. Tell people look, a lot
 of stuff isn't going to fly.. but trust us.. you don't want it to

If people don't want this stuff, they shouldn't install the plugins
in the first place, and should disable remote code execution in the browser.

Don't want to get owned because of Java, PDF, flash or whatever?
Just don't install the plugins.

Can't trust your browser if JavaScript is enabled? Just disable it.

It's that simple.

Fabian


Re: Warnings on the download page

2007-03-09 Thread Roger Dingledine
On Thu, Mar 08, 2007 at 07:17:09PM -0600, Mike Perry wrote:
  The current simplest advice I can give people is to remove all plugins:
  http://tor.eff.org/download.html.en#Warning
  Do you have any suggestions on safe ways to back off from that?
 
 I have a couple more points - the second browser phrase should link to
 http://portableapps.com/apps/internet/firefox_portable because
 otherwise it's not really easy to have a second firefox installed.

I hear from people on OS X who use Firefox for safe stuff and Safari
or something else for non-safe stuff. They seem happy enough.

I'm not comfortable recommending portable firefox yet, due to a problem
that Steven Murdoch found a while ago: when firefox starts up, it hunts
around on your hard drive to see if there are any plugins, and then it
enables those. I think there are some ways to disable this behavior,
but it's not disabled by default... so it's not as easy as just adding
a link. :(

Also, isn't Portable Firefox Windows-only? Or am I confused?

 I think we should also mention that we do scan the exits to try to
 verify they are behaving well, but we may miss some.

How often are you doing this scanning at this point?

Speaking of which, a frequently asked question that isn't answered on
the FAQ is: I'm pretty sure my exit node is screwing with me. How do
I figure out which exit node it is? My answers so far have been
  - Run at loglevel info and go look through all the stuff that
makes no sense to you. Not so easy.
  - Use Vidalia's Network Map window and watch which circuit your
stream is connecting to. Easy -- if you use Vidalia.
  - Connect to the control port manually and ask for stream and
circuit events and then let it scroll. When something goes
wrong, look at the output and piece it back together.

Any ideas on a more foolproof approach? :)

--Roger



Re: Warnings on the download page

2007-03-09 Thread Eugen Leitl
On Thu, Mar 08, 2007 at 08:33:29PM -0600, H D Moore wrote:

 Seems like two big items I need to add to decloak are Flash and the shiny 
 no-proxy Java connection mode (which seems to apply to TCP sockets only).

What does the current Torpark ship with? It would seem like a hardened
version of Firefox would be good to use.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



Re: Warnings on the download page

2007-03-09 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 Also, isn't Portable Firefox Windows-only? Or am I confused?

True, just going for what I assume is the majority of our
userbase first. Especially people who are going to have difficulty
with this stuff. Was also in a rush and didn't check out the plugin
thing right away, sorry.
 
  I think we should also mention that we do scan the exits to try to
  verify they are behaving well, but we may miss some.
 
 How often are you doing this scanning at this point?

Couple times a week for overnight runs. Pretty much whenever I add new
functionality to the stats gathering system I do an SSL + http scan
with the old perl scanner controlling the new python core before
checkin.

The problem is the http scanner itself is MD5 based, and it does
nothing to find nodes that deliberately target dynamic content.. So
maybe I'm doing nothing of substance at this point.

 Speaking of which, a frequently asked question that isn't answered on
 the FAQ is: I'm pretty sure my exit node is screwing with me. How do
 I figure out which exit node it is? My answers so far have been
   - Run at loglevel info and go look through all the stuff that
 makes no sense to you. Not so easy.
   - Use Vidalia's Network Map window and watch which circuit your
 stream is connecting to. Easy -- if you use Vidalia.
   - Connect to the control port manually and ask for stream and
 circuit events and then let it scroll. When something goes
 wrong, look at the output and piece it back together.
 
 Any ideas on a more foolproof approach? :)

Heh. I haven't had much luck with 'foolproof' anything lately. It
definitely shouldn't be anything other than in-memory. It would be
nice if Vidalia had a list of recently used exits and a list of IPs
visited for each (with some expiration time of like 5 min?) 

Even with Vidalia it is hard to open the network window while the
stream is still attached to your circuit. Usually by the time you
notice it's long closed.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
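Roger's third answer (connect to the control port, ask for stream and circuit events, piece it together) and Mike's wish list (recently used exits, the targets each one served, a short expiry) can be automated. The following is an added example, not code from Tor, Vidalia or anyone in this thread: it parses CIRC and STREAM event lines in the format of the Tor control protocol, remembers which exit each attached stream went through, and answers "which exit handled my connection to host X?" for the last five minutes. The event lines it replays are constructed for the example, not a real capture; the live() helper assumes a ControlPort on 127.0.0.1:9051 that accepts the given password (or no authentication).

```python
import socket
import time
from collections import deque


def exit_of(path):
    """Last hop of a CIRC path ('$fp~nick,$fp~nick,...') -> (fingerprint, nickname).
    Both '~' and '=' (unnamed / Named relays) are accepted as separators."""
    last = path.split(",")[-1]
    sep = "~" if "~" in last else "="
    fp, _, nick = last.partition(sep)
    return fp, nick


class ExitTracker:
    """Correlates 650 CIRC / 650 STREAM events so a target can be traced to an exit."""

    def __init__(self, ttl=300):
        self.ttl = ttl            # seconds to remember (exit, target) pairs
        self.circ_exit = {}       # circuit id -> (fingerprint, nickname) of its last hop
        self.history = deque()    # (timestamp, fingerprint, nickname, target)

    def feed(self, line, now=None):
        now = time.time() if now is None else now
        tok = line.split()
        if len(tok) < 4 or tok[0] != "650":
            return
        if tok[1] == "CIRC":
            circ, status = tok[2], tok[3]
            if len(tok) > 4 and tok[4].startswith("$"):     # a path is present
                self.circ_exit[circ] = exit_of(tok[4])      # grows on EXTENDED, final on BUILT
            if status in ("CLOSED", "FAILED"):
                self.circ_exit.pop(circ, None)
        elif tok[1] == "STREAM" and len(tok) >= 6:
            status, circ, target = tok[3], tok[4], tok[5]
            # SENTCONNECT is the moment the stream is attached to a circuit,
            # i.e. the moment the exit is decided.
            if status == "SENTCONNECT" and circ in self.circ_exit:
                fp, nick = self.circ_exit[circ]
                self.history.append((now, fp, nick, target))

    def recent(self, now=None):
        """Exit fingerprint -> set of host:port targets it served within ttl seconds."""
        now = time.time() if now is None else now
        while self.history and now - self.history[0][0] > self.ttl:
            self.history.popleft()
        out = {}
        for _, fp, _nick, target in self.history:
            out.setdefault(fp, set()).add(target)
        return out

    def exits_for(self, host, now=None):
        """Fingerprints of the exits that recently carried a stream to `host`."""
        return sorted(fp for fp, targets in self.recent(now).items()
                      if any(t.rsplit(":", 1)[0] == host for t in targets))


# Constructed event lines in the control-spec format (not a real capture).
GUARD_A, MID_B, EXIT_C = "$" + "A" * 40, "$" + "B" * 40, "$" + "C" * 40
GUARD_D, MID_E, EXIT_F = "$" + "D" * 40, "$" + "E" * 40, "$" + "F" * 40
SAMPLE_EVENTS = [   # (seconds since start, line)
    (0,   "650 CIRC 4 LAUNCHED"),
    (1,   f"650 CIRC 4 EXTENDED {GUARD_A}~guardA"),
    (3,   f"650 CIRC 4 BUILT {GUARD_A}~guardA,{MID_B}~middleB,{EXIT_C}~exitC"),
    (10,  "650 STREAM 17 NEW 0 www.example.com:80"),
    (10,  "650 STREAM 17 SENTCONNECT 4 www.example.com:80"),
    (11,  "650 STREAM 17 SUCCEEDED 4 www.example.com:80"),
    (20,  "650 STREAM 18 SENTCONNECT 4 mail.example.net:443"),
    (25,  "650 STREAM 17 CLOSED 4 www.example.com:80 REASON=DONE"),
    (250, f"650 CIRC 5 BUILT {GUARD_D}~guardD,{MID_E}~middleE,{EXIT_F}~exitF"),
    (260, "650 STREAM 19 SENTCONNECT 5 news.example.org:80"),
    (270, f"650 CIRC 4 CLOSED {GUARD_A}~guardA,{MID_B}~middleB,{EXIT_C}~exitC REASON=FINISHED"),
]


def replay(events=SAMPLE_EVENTS, ttl=300):
    tracker = ExitTracker(ttl)
    for t, line in events:
        tracker.feed(line, now=t)
    return tracker


def live(host="127.0.0.1", port=9051, password=""):
    """Follow a real control port (assumption: ControlPort enabled, password or no auth)."""
    tracker = ExitTracker()
    with socket.create_connection((host, port)) as s:
        f = s.makefile("rw", newline="")
        f.write(f'AUTHENTICATE "{password}"\r\nSETEVENTS STREAM CIRC\r\n')
        f.flush()
        for line in f:
            tracker.feed(line.strip())
            if " SENTCONNECT " in line:
                for fp, targets in tracker.recent().items():
                    print(fp, sorted(targets))


if __name__ == "__main__":
    t = replay()
    print(t.exits_for("www.example.com", now=300))   # the exit of circuit 4
```

Keying on the fingerprint rather than the nickname matters: nicknames are not unique, and a hostile operator can pick any name. Everything stays in memory and ages out after ttl seconds, which is the in-memory, short-expiry behaviour Mike asks for; the list answers "which exit was that?" after the circuit is already gone, which is exactly when the Vidalia window no longer helps.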


Re: Warnings on the download page

2007-03-09 Thread Freemor
I've been watching this thread with some interest and as the talk of
mis-configured browsers and mis-behaving plug-ins grew I found myself
thinking that there must be an easier way to fix the problem. It occurred
to me that what is needed (at least until a more permanent solution can
be found) is a way to stop the offending material from making it to a
potentially misconfigured application. 

  So I started thinking about another proxy in the chain to strip all
Java and JavaScript etc. It then occurred to me that Privoxy can most
likely do this if a much more strict action file were written.

so my questions are:

  1 - Can a modified actions file be made that would strip all
Java/JavaScript, Flash, streaming media, etc.? From looking at the Privoxy
documentation it looks possible so far (but I'm no Privoxy guru).

  2 - If 1 is possible wouldn't it be easiest to include the stricter
action file in the tor/privoxy/vidalia bundle. Tell people look, a lot
of stuff isn't going to fly.. but trust us.. you don't want it to

Just wondering
Freemor

--

Freemor [EMAIL PROTECTED]

This e-mail has been digitally signed with GnuPG


Re: Warnings on the download page

2007-03-09 Thread lists
On 9 Mar 2007 03:21:05 -0600, Mike Perry wrote:
 
 Just tested windows media player 10 plugin, which I believe is
 installed by default on pretty much every windows box.. It ignores
 proxy settings. Great.
 

I found most applications on a Windows system respect the settings
configured under Internet Options (i.e., XP SP2 under Control
Panel > Internet Options > Connections > LAN settings, or through IE7 on XP
SP2 under Tools > Internet Options > Connections > LAN settings). I have
also found that most applications on a Windows system know nothing about
Firefox's proxy settings. I am not writing this from a Windows box, but
I wonder if WM10 is the same.

Also, I tend to firewall off all connections that go to the outside
world when using Tor, except those connections by Tor itself. On
Windows, I generally use per application settings through my personal
firewall. For example, Firefox is configured to only be permitted to
connect to the local system, not the outside world, and WM10 is not
permitted to connect to anything. Not perfect by any means, but it helps
to prevent accidents.

-Andrew


Re: Warnings on the download page

2007-03-09 Thread H D Moore
This would have to support all sorts of variations for media files:

document.location = something.ext
meta refresh URL=something.ext
iframe src=something.ext
frame src=something.ext
img src=something.ext (some cases)
bgsound=something.ext

..etc

Seems easier to lock down the browser and prevent any and all 
media/plugins from executing.

-HD
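An added example, not code from anyone in this thread and not Privoxy's own filters, that makes Fabian Keil's default-permit point and HD Moore's list concrete. A small regex-based stripper of the kind a stricter action file would amount to is run over constructed HTML snippets, each of which points the client at a constructed beacon URL; the filter removes the embeddings its author thought of and passes the rest. The patterns, the snippets and the beacon hostname are all assumptions made for the example.

```python
import re

BEACON = "http://tracker.example/beacon.ext"   # constructed marker URL

# Patterns of the kind a hand-written "strip active content" action would use.
# Constructed for this example; these are not Privoxy's own filters.
STRIP_PATTERNS = [
    re.compile(r"<script\b.*?</script\s*>", re.I | re.S),              # script blocks
    re.compile(r"<(applet|object|embed)\b.*?</\1\s*>", re.I | re.S),   # plugin containers
    re.compile(r"<i?frame\b[^>]*>", re.I),                              # (i)frame start tags
    re.compile(r"""\bon\w+\s*=\s*(['"]).*?\1""", re.I | re.S),         # quoted on* handlers
]

# Constructed snippets. Every one of them makes a browser request BEACON.
SAMPLES = {
    "script tag":       f'<script src="{BEACON}"></script>',
    "applet tag":       f'<applet code="X.class" codebase="{BEACON}"></applet>',
    "iframe":           f'<iframe src="{BEACON}"></iframe>',
    "quoted handler":   f"""<body onload="location='{BEACON}'">""",
    # Routes from HD Moore's list (and a couple more) that the patterns do not know about:
    "meta refresh":     f'<meta http-equiv="refresh" content="0;url={BEACON}">',
    "img src":          f'<img src="{BEACON}">',
    "bgsound":          f'<bgsound src="{BEACON}">',
    "css import":       f"<style>@import url({BEACON});</style>",
    "javascript href":  f"""<a href="javascript:location='{BEACON}'">go</a>""",
    # A known route in slightly different syntax: the handler value is unquoted.
    "unquoted handler": f"<body onload=location='{BEACON}'>",
}


def strip_active_content(html: str) -> str:
    """Default-permit filter: remove what the patterns recognise, pass everything else."""
    for pat in STRIP_PATTERNS:
        html = pat.sub("", html)
    return html


def leaks(html: str) -> bool:
    """True if the filtered document still points the client at BEACON."""
    return BEACON in strip_active_content(html)


def survivors(samples=SAMPLES) -> list:
    """Names of the snippets whose effect survives the filter."""
    return sorted(name for name, html in samples.items() if leaks(html))


if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:17s} {'LEAKS' if leaks(html) else 'stripped'}")
```

The pattern list can be extended for each route on the list above, but the last sample is the deeper problem: a minor syntax variation of a route the filter does know about gets through as well, which is what default permit means in practice. None of it applies to HTTPS, which the proxy never sees in the clear.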

On Friday 09 March 2007 11:37, Freemor wrote:
   1 - Can a modified actions file be made that would strip all
 Java/JavaScript, Flash, streaming media, etc.? From looking at the
 Privoxy documentation it looks possible so far (but I'm no privoxy
 guru)


Re: Warnings on the download page

2007-03-09 Thread light zoo

--- Freemor [EMAIL PROTECTED] wrote:

 
 so my questions are:
 
   1 - Can a modified actions file be made that
 would strip all Java/JavaScript, Flash, streaming
 media, etc.? From looking at the Privoxy 
 documentation it looks possible so far (but I'm no
 privoxy guru)

(Note: Mr. Keil is the authority on Privoxy in this
list so he may have better information.)

Privoxy doesn't filter HTTPS and IMO that makes
Privoxy a non-starter in regards to filtering.  
  
IMO all filtering, User-Agent spoofing, etc should be
handled by the browser (about:config is your friend)
because the HTTP/S protocol is filtered.

The 'warning' intro Mr. Perry and Mr. Dingledine wrote
should be followed.
http://tor.eff.org/download.html.en#Warning


These are the extensions I use:
TorButton
CookiesCuller
QuickJava
NoScript
Flashblock
AdBlockPlus
Filterset G. Updater
RefControl (spoof referrer)
http://www.stardrifter.org/refcontrol/

I have my about:config edited to spoof my User-Agent


Cheers,


Warnings on the download page (was: yet another tor attack)

2007-03-08 Thread Roger Dingledine
On Wed, Mar 07, 2007 at 02:14:33PM -0600, Mike Perry wrote:
 The Tor download page should have a concise Things to know before
 downloading section that lists a few key points about the most easy
 ways your identity can be revealed through Tor. Something like

Mike and I just whipped up an early version of this here:

http://tor.eff.org/download.html.en#Warning

(Thanks Mike!)

Let us know if you have any fixes or more issues to list. Eventually
this should get its own page, with more details, etc, and then we can
put just a concise summary (ha ha) on the download page. There are so
many permutations of applications out there...it's depressing sometimes
how hard it is to secure the whole Internet.

Also, somebody should write up a page with recommendations for
configurations/etc of common applications that work well with Tor, for
tasks other than web browsing -- Gaim comes to mind first for AIM + IRC,
and we can recommend OTR at the same time. What else is a very common
task by Tor users who need basic documentation? We probably shouldn't
try to document Torifying mail delivery at this point (other than use
web mail) or Skype (don't bother, stick with web browsing).

This document could be based on
http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO but needs to
be simpler and more right. I'm guessing the somebody will end up being
me, but if you send me drafts/notes/etc it'll happen faster. :)

Whee,
--Roger



Re: Warnings on the download page

2007-03-08 Thread sy16
My suggestions as a no-tech user:

Perhaps the Warning should be put on top of the page, before the download links 
- sometimes people don't go further than the download links.

Also, might I suggest NoScript to be used in conjunction with QuickJava? And 
please add a line reminding users to reload the page if they use QuickJava. 
NoScript reloads automatically but not QuickJava.

About the evil exit nodes, these extensions might help detect false pages: 
HostIP.Geolocation plugin, netcrafttoolbar, FormFox, and Shazou. FormFox is 
somewhat paranoid and not always accurate, but it serves as a reminder of 
thinking before clicking submit.

About mail client: I configure my Thunderbird 995 and 465, same server name for 
pop and smtp, with Torbutton. So far I have had no problem retrieving and 
sending. There have been mentions in this list about problems with smtp, so 
maybe I am missing something. Am I blithely assuming my getting and sending 
mail through tor and SSL?

About Windows (sorry guys) security, set up a normal user account for browsing, 
like they do in Linux. Change Administrator to some other moniker and set a 
password. And disable remote administration if you don't need this enabled.

Voila, my 2centsworth.


Roger Dingledine [EMAIL PROTECTED] wrote:
On Wed, Mar 08, 2007 at 02:14:33PM -0600, Mike Perry wrote:
 The Tor download page should have a concise Things to know before
 downloading section that lists a few key points about the most easy
 ways your identity can be revealed through Tor. Something like

Mike and I just whipped up an early version of this here:

http://tor.eff.org/download.html.en#Warning


Re: Warnings on the download page

2007-03-08 Thread Mike Perry
Thus spake sy16 ([EMAIL PROTECTED]):

 My suggestions as a no-tech user:
 
 Perhaps the Warning should be put on top of the page, before the
 download links - sometimes people don't go further than the download
 links.
 
 Also, might I suggest NoScript to be used in conjunction with
 QuickJava? And please add a line reminding users to reload the page
 if they use QuickJava. NoScript reloads automatically but not
 QuickJava.

The problem with NoScript is that it is incredibly complex, and unless
you configure it properly (which is NOT the default), it is really no
protection against an attack like Moore's. The default whitelist is
enough for him to abuse. A bad tor node can fake any host it wants.

Even worse, it is possible to THINK you are configuring NoScript
properly and make yourself even more insecure. For example, the
addons.mozilla.org people got the brilliant idea to transmit
extensions over http (even though the site itself is https). They
verify MD5s using javascript that runs on the https connection.. If
you disable javascript for them, you are downloading extensions
without any verification :(.

Unfortunately, QuickJava by itself is not enough to disable java
launched from a moore-style attack.
http://metasploit.com/research/misc/decloak/ actually builds the
applet html in a hidden div using javascript. QuickJava lets it
through.. On the plus side, Sun Java 5.0r10 seems to obey SOCKS for
his datagramsocket test, which is a huge surprise... Who knows if the
same can be said for MS Java.

This last point puts us in a catch-22. Personally, I think even if we
could describe to people how to use NoScript, it is going to be way
too much of a hassle and too error prone to work reliably for the
average user, especially as more and more sites go AJAX with no other
option. On the plus side, the author of QuickJava has also authored an
anonymity extension for anonmouse. Perhaps he would be amenable to
fixing his extension against moore's on-the-fly HTML generation.
However his email address is not listed on the author page :(



 About the evil exit nodes, these extensions might help detect false
 pages: HostIP.Geolocation plugin, netcrafttoolbar, FormFox, and
 Shazou. FormFox is somewhat paranoid and not always accurate, but it
 serves as a reminder of thinking before clicking submit.
 
 About mail client: I configure my Thunderbird 995 and 465, same
 server name for pop and smtp, with Torbutton. So far I have had no
 problem retrieving and sending. There have been mentions in this
 list about problems with smtp, so maybe I am missing something. Am I
 blithely assuming my getting and sending mail  through tor and SSL?
 
 About Windows (sorry guys) security, set up a normal user account
 for browsing, like they do in Linux. Change Administrator to some
 other moniker and set a password. And disable remote administration
 if you don't need this enabled.

Yea, these are good ideas for a second page. But on the front page we
just want a few paragraphs that cover all the bases.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page (Re: QuickJava update req)

2007-03-08 Thread light zoo

--- Mike Perry [EMAIL PROTECTED] wrote:

 Perhaps he would be amenable to fixing his
 extension against moore's on-the-fly HTML
 generation.  However his email address is not
 listed on the author page :(

Well it looks like Mr. Greene prefers to receive
feature requests on his blog, not email.  He seems
very open to feature requests and suggestions:

Quote Mr. Green:
--
Please leave comments for feature requests here to be
considered.
--

Mr. Green's blog entry page:
http://www.blogger.com/comment.g?blogID=17969172&postID=112982970672088922


Cheers, lightzoo


Re: Warnings on the download page (Re: QuickJava update req)

2007-03-08 Thread Mike Perry
Thus spake light zoo ([EMAIL PROTECTED]):

 
 --- Mike Perry [EMAIL PROTECTED] wrote:
 
  Perhaps he would be amenable to fixing his
  extension against moore's on-the-fly HTML
  generation.  However his email address is not
  listed on the author page :(
 
 Well it looks like Mr. Greene prefers to receive
 feature requests on his blog, not email.  He seems
 very open to feature requests and suggestions:
 
 Quote Mr. Green:
 --
 Please leave comments for feature requests here to be
 considered.
 --
 
 Mr. Green's blog entry page:
 http://www.blogger.com/comment.g?blogID=17969172&postID=112982970672088922

Yeah, I left a feature request for him. 
http://quickjavaplugin.blogspot.com/2006/12/features-requested.html

On further investigation his plugin seems to rely on the Firefox
setting 'security.enable_java', so perhaps he would have direct
ability in fixing this bug.. But on the plus side, maybe the fact that
this setting is under 'security' and can still be bypassed will
warrant prompt response from the Firefox team.. I'm probably occupied
for today.. If anyone wants to test this option for firefox 1.5 and
2.0 latest with moore's page please do so and post here. Note it's
hard to tell if the applet is running. You probably have to use
wireshark and filter on udp while hitting the page with tor disabled.
The udp packet is to red.metasploit.com. It is easy to see with a
filter of 'udp'.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page (Re: QuickJava update req)

2007-03-08 Thread Mike Perry
Thus spake Mike Perry ([EMAIL PROTECTED]):

 Thus spake light zoo ([EMAIL PROTECTED]):
 
  
  --- Mike Perry [EMAIL PROTECTED] wrote:
  
   Perhaps he would be amenable to fixing his
   extension against moore's on-the-fly HTML
   generation.  However his email address is not
   listed on the author page :(
  
  Well it looks like Mr. Greene prefers to receive
  feature requests on his blog, not email.  He seems
  very open to feature requests and suggestions:
  
  Quote Mr. Green:
  --
  Please leave comments for feature requests here to be
  considered.
  --
  
  Mr. Green's blog entry page:
  http://www.blogger.com/comment.g?blogID=17969172&postID=112982970672088922
 
 Yeah, I left a feature request for him. 
 http://quickjavaplugin.blogspot.com/2006/12/features-requested.html
 
 On further investigation his plugin seems to rely on the Firefox
 setting 'security.enable_java', so perhaps he would have direct
 ability in fixing this bug.. But on the plus side, maybe the fact that

Err. rather he probably has NO direct ability to fix it.

 this setting is under 'security' and can still be bypassed will
 warrant prompt response from the Firefox team.. I'm probably occupied
 for today.. If anyone wants to test this option for firefox 1.5 and
 2.0 latest with moore's page please do so and post here. Note it's
 hard to tell if the applet is running. You probably have to use
 wireshark and filter on udp while hitting the page with tor disabled.
 The udp packet is to red.metasploit.com. It is easy to see with a
 filter of 'udp'.

http://metasploit.com/research/misc/decloak/ is his url (mentioned in
a previous post). Hit that with JS enabled but java disabled to test.
The more platforms + JVM combos we have the better our odds are of
someone at firefox listening to us and fixing it promptly and
correctly. It's possible the behavior of this 'security.enable_java'
flag is OS+JVM dependent. I will do what I can, but I'm probably
going to be pretty occupied for the next few days with other things.

Also, as much as we have given him shit, HD Moore does deserve some
thanks about providing an open example of all this for us to test.
That is much better than the others who have studied this have done.
(Though I do suspect he may in fact simply hate Tor, at least his
security and research ethics are intact).

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page

2007-03-08 Thread H D Moore
Hello,

I just subscribed to the or-talk list and would be happy to answer any 
questions related to the recent catching pedophiles article and the 
decloak test tool. I am in the process of updating the decloak 
demonstration to explain each of the tests and provide source code for 
the components. What may not be obvious (especially from the ZDNet 
article), is that I believe in the Tor project's goals and am not 
developing these types of tests to damage the project. 

I will not respond to any questions regarding the legality of Tor traffic 
capture and manipulation. I believe this is still a gray area, since it 
depends on whether a Tor node qualifies as a service provider or meets 
the safe harbor requirements. I will not respond to questions about what, 
if any, Tor nodes I operate.

I am able to answer any technical questions related to the research I have 
done (which includes generic content-detection and filtering, as well as 
decloaking/deanonymization tests). 

Some quick URLs for anyone who needs them:

Decloak:
 - http://metasploit.com/research/misc/decloak/ (this starts Java)

Torment (outdated tor source + ruby patch):
 - http://metasploit.com/svn/torment/trunk/

-HD


Re: Warnings on the download page

2007-03-08 Thread Roger Dingledine
On Thu, Mar 08, 2007 at 04:12:10PM -0600, H D Moore wrote:
 I am in the process of updating the decloak 
 demonstration to explain each of the tests and provide source code for 
 the components. What may not be obvious (especially from the ZDNet 
 article), is that I believe in the Tor project's goals and am not 
 developing these types of tests to damage the project. 

Hi HD,

Thanks for joining the discussion, and welcome. We (the Tor developers)
have been working mostly on making Tor itself work, and hoping that
other people would step up to help us figure out how to safely configure
the supporting applications (web browsers, etc). We could sure use some
help. :)

The current simplest advice I can give people is to remove all plugins:
http://tor.eff.org/download.html.en#Warning
Do you have any suggestions on safe ways to back off from that?

Thanks,
--Roger



Re: Warnings on the download page

2007-03-08 Thread H D Moore
Thanks for the feedback! Keep in mind this is the first applet I have ever 
written :-) Any information about the new API would be appreciated. Do 
you happen to know what versions it is compatible with? Bizarre that they 
would explicitly allow non-proxied connections. I used the Datagram 
Socket so that I could send requests directly to the DNS server and 
not have to do any extra processing on the server side. 

The next version of decloak should be able to avoid Java/Javascript 
completely by loading up streaming media, PDFs, and so on within IFRAME 
tags inside the HTML. These media files would reference the magic DNS 
domain or custom services running on my server. An easy hack would be to 
stick a fake SMB service on the server and then embed UNC paths into the 
HTML. The tricky part is implementing enough of CIFS that I could extract 
a unique identifier from client's request.

-HD

On Thursday 08 March 2007 17:30, James Muir wrote:
 I discovered this back in January 2006 and wrote about it in a tech
 report.  I can give you a pointer to the tech report if you are
 interested.  I also have a demo which I will eventually post a URL for
 here once I clean it up a bit.


Re: Warnings on the download page

2007-03-08 Thread Mike Perry
Thus spake H D Moore ([EMAIL PROTECTED]):

 Thanks for the feedback! Keep in mind this is the first applet I have ever 
 written :-) Any information about the new API would be appreciated. Do 
 you happen to know what versions it is compatible with? Bizarre that they 
 would explicitly allow non-proxied connections. I used the Datagram 
 Socket so that I could send requests directly to the DNS server and 
 not have to do any extra processing on the server side. 

Actually, I'm also curious about your on-the-fly applet tag
generation. Were you aware that it would bypass that
security.enable_java setting or was it just a general evasive thing
you did for filtering? Do you have any information if this is specific
to certain versions/JVMs or if it is a universal hack?

Have you contacted the Firefox people?

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


Re: Warnings on the download page

2007-03-08 Thread Mike Perry
Thus spake Roger Dingledine ([EMAIL PROTECTED]):

 On Thu, Mar 08, 2007 at 04:12:10PM -0600, H D Moore wrote:
  I am in the process of updating the decloak 
  demonstration to explain each of the tests and provide source code for 
  the components. What may not be obvious (especially from the ZDNet 
  article), is that I believe in the Tor project's goals and am not 
  developing these types of tests to damage the project. 
 
 Hi HD,
 
 Thanks for joining the discussion, and welcome. We (the Tor developers)
 have been working mostly on making Tor itself work, and hoping that
 other people would step up to help us figure out how to safely configure
 the supporting applications (web browsers, etc). We could sure use some
 help. :)
 
 The current simplest advice I can give people is to remove all plugins:
 http://tor.eff.org/download.html.en#Warning
 Do you have any suggestions on safe ways to back off from that?

I have a couple more points - the second browser phrase should link to
http://portableapps.com/apps/internet/firefox_portable because
otherwise it's not really easy to have a second firefox installed.
 
I think we should also mention that we do scan the exits to try to
verify they are behaving well, but we may miss some. 

While developing the next generation of my scanner I still do scan for
matching MD5s inside/outside Tor from time to time, and the next
generation scanning script itself will examine script+embedded tags to
handle odd content/URLS in dynamic pages, but the main danger though
is in people targeting small segments of the population that I do not
speak the language of to issue queries for..  Tibetan sympathizers in
China come to mind..  Well, pretty much everyone in China comes to
mind, and I'm sure there are plenty of other marginal groups this
applies to as well (other than child porn viewers).

Scanning doesn't help Moore's point 3, but hopefully some statement of
vigilance on our part will help Tor seem a little less like a
perpetual connection through the wireless net at Defcon.. Though
unfortunately that is the level of precaution Tor users should
probably be ready to take.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
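As an added example (not Mike Perry's scanner or any Tor project code) of what the "examine script+embedded tags" approach buys over a whole-page MD5 comparison: the function below collects every external reference a page makes from a copy fetched directly and a copy fetched through an exit, and reports references in the exit copy to origins the direct copy never touched. Dynamic content (a timestamp, a rotating ad filename) defeats the MD5 check but not this one. The two HTML documents and the hostnames in them are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make a browser fetch or execute something.
REF_ATTRS = {("script", "src"), ("iframe", "src"), ("frame", "src"), ("img", "src"),
             ("embed", "src"), ("object", "data"), ("applet", "codebase"),
             ("link", "href"), ("bgsound", "src")}


class RefCollector(HTMLParser):
    """Collects (tag, absolute URL) for every external reference in a document."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for t, a in REF_ATTRS:
            if tag == t and attrs.get(a):
                self.refs.add((tag, urljoin(self.base, attrs[a])))
        # <meta http-equiv=refresh content="0;url=..."> is a redirect, not a src attribute
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            pos = content.lower().find("url=")
            if pos >= 0:
                self.refs.add(("meta-refresh", urljoin(self.base, content[pos + 4:].strip("'\" "))))


def collect_refs(html, base):
    p = RefCollector(base)
    p.feed(html)
    p.close()
    return p.refs


def origin(url):
    s = urlsplit(url)
    return f"{s.scheme}://{s.netloc}".lower()


def md5_differs(direct_html, exit_html):
    """The whole-page check: any dynamic content at all makes it fire."""
    return (hashlib.md5(direct_html.encode()).hexdigest()
            != hashlib.md5(exit_html.encode()).hexdigest())


def injected_refs(direct_html, exit_html, base):
    """References in the exit copy to origins the direct copy never referenced."""
    known = {origin(u) for _, u in collect_refs(direct_html, base)} | {origin(base)}
    return sorted((t, u) for t, u in collect_refs(exit_html, base) if origin(u) not in known)


# Constructed pages: same site, dynamic timestamp and ad filename, plus an
# injected third-party script and a hidden iframe in the copy seen via the exit.
BASE = "http://www.example.com/index.html"
DIRECT = """<html><head><title>Example</title>
<link rel="stylesheet" href="/style.css"></head>
<body><p>Generated at 12:00:01</p>
<img src="/ads/banner-1234.gif">
<script src="/js/site.js"></script></body></html>"""
VIA_EXIT = """<html><head><title>Example</title>
<link rel="stylesheet" href="/style.css"></head>
<body><p>Generated at 12:00:07</p>
<img src="/ads/banner-5678.gif">
<script src="/js/site.js"></script>
<script src="http://webbug.example.net/id.js"></script>
<iframe src="http://webbug.example.net/track.html" width="0" height="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    print("md5 differs:", md5_differs(DIRECT, VIA_EXIT))
    for tag, url in injected_refs(DIRECT, VIA_EXIT, BASE):
        print("injected:", tag, url)
```

What this does not catch: an exit that rewrites the body of a script on an origin the page already uses (comparing the hash of that one resource, fetched both ways, is the right check there), and, as said above, content that is only injected for requests the scanner never makes, such as pages in a language or for an audience the scanner does not cover.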


Re: Warnings on the download page

2007-03-08 Thread Watson Ladd


 If there is a security manager, its checkConnect method is called
 with the proxy host address and port number as its arguments. This
 could result in a SecurityException.
Just configure the security manager to prevent unproxied connections.


Re: Warnings on the download page

2007-03-08 Thread H D Moore
On Thursday 08 March 2007 19:05, Mike Perry wrote:
 Actually, I'm also curious about your on-the-fly applet tag
 generation. Were you aware that it would bypass that
 security.enable_java setting or was it just a general evasive thing
 you did for filtering? Do you have any information if this is specific
 to certain versions/JVMs or if it is a universal hack?

This wasn't meant to be evasive and does not bypass the enable java 
setting on my browser (latest firefox + sun-jre-1.6.0). The reason for 
generating the applet tag on the fly is to enable injection by embedding 
a script src= into an HTML response.

 Have you contacted the Firefox people?

I didn't realize it was a vulnerability. I went to about:config, 
configured this setting to false, and the Java applet no longer loads on 
my system. What systems have you seen this fail on?

-HD


Re: Warnings on the download page

2007-03-08 Thread H D Moore
Looks like the Practical Onion Hacking paper covered many features I 
was working on, as well as touching on the warez/movie/music leeches and 
the child pornography traffic. I should have released this back in August 
when I presented on it the first time :-)

The big differences are:

1) They use iptables to modify and reinject traffic, I use an embedded 
Ruby interpreter in the Tor software.

2) They perform DNS tracking, but don't actually record or cross-reference 
the data.

3) They use Flash instead of Java to obtain the real external address of 
the user.

Similarities include:

1) Web-bug injection via HTML response
2) DNS tracking via wildcard domain
3) Use of JS/Java bridge to get the internal address

Seems like two big items I need to add to decloak are Flash and the shiny 
no-proxy Java connection mode (which seems to apply to TCP sockets only).

-HD

On Thursday 08 March 2007 19:02, James Muir wrote:
 You should read the Fort Consult White paper Practical Onion Hacking
 as some of things you mention (SMB, CIFS) are mentioned there, I think.
   VB and ActiveX are probably worth exploring.


Re: Warnings on the download page

2007-03-08 Thread James Muir

Watson Ladd wrote:

If there is a security manager, its checkConnect method is called
with the proxy host address and port number as its arguments. This
could result in a SecurityException.

Just configure the security manager to prevent unproxied connections.


Even if all Java connections are proxied through Tor, it is still 
possible to read the end user's IP address locally and submit it to the 
server that originated the applet.  Java, along with all other browser 
plugins, should be disabled.


By the way, I just had another look at Roger and Mike's warning on the 
download page (it's now repositioned above the download links).  I think 
 it's very well done.  Good work!


-James


Re: Warnings on the download page

2007-03-08 Thread H D Moore
Flash is now supported:
http://metasploit.com/research/misc/decloak/

-HD

On Thursday 08 March 2007 20:33, H D Moore wrote:
 Seems like two big items I need to add to decloak are Flash and the
 shiny no-proxy Java connection mode (which seems to apply to TCP
 sockets only).


Re: Warnings on the download page

2007-03-08 Thread Mike Perry
Thus spake Mike Perry ([EMAIL PROTECTED]):

 Thus spake Roger Dingledine ([EMAIL PROTECTED]):
 
  On Thu, Mar 08, 2007 at 04:12:10PM -0600, H D Moore wrote:
   I am in the process of updating the decloak 
   demonstration to explain each of the tests and provide source code for 
   the components. What may not be obvious (especially from the ZDNet 
   article), is that I believe in the Tor project's goals and am not 
   developing these types of tests to damage the project. 
  
  Hi HD,
  
  Thanks for joining the discussion, and welcome. We (the Tor developers)
  have been working mostly on making Tor itself work, and hoping that
  other people would step up to help us figure out how to safely configure
  the supporting applications (web browsers, etc). We could sure use some
  help. :)
  
  The current simplest advice I can give people is to remove all plugins:
  http://tor.eff.org/download.html.en#Warning
  Do you have any suggestions on safe ways to back off from that?
 
 I have a couple more points - the second browser phrase should link to
 http://portableapps.com/apps/internet/firefox_portable because
 otherwise it's not really easy to have a second firefox installed.

Actually, negative on this. Cookies, extensions, and bookmarks are not
transferred over, but existing plugins from other firefox installs are
still detected. We just can't seem to catch a break here.. There
doesn't seem to be any way to disable plugins once you have installed
them... The 'about:plugins' chart does have an Enabled column..
maybe buried somewhere is a way to disable them with extensions..

Does anyone know anything about writing firefox extensions? How do I go
about finding these plugin enabled properties, if they even exist
outside the compiled code?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs