[tor-bugs] #3455 [Firefox Patch Issues]: Tor Browser should set SOCKS username for a request based on first party domain

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 10 17:16:23 UTC 2014 

#3455: Tor Browser should set SOCKS username for a request based  on first party
domain
-------------------------------------+-------------------------------------
     Reporter:  mikeperry            |      Owner:  mikeperry
         Type:  enhancement          |     Status:  needs_information
     Priority:  major                |  Milestone:  TorBrowserBundle
    Component:  Firefox Patch        |  2.3.x-stable
  Issues                             |    Version:
   Resolution:                       |   Keywords:  tbb-linkability, tbb-
Actual Points:                       |  usability
       Points:                       |  Parent ID:  #5752
-------------------------------------+-------------------------------------

Comment (by anon):

 shit coderman says:
 "i don't like username+password for usability/interop reasons, and also
 the firefox upstream reason, and also the self evident auditability reason
 (i can easily see from lsof / netstat what socks ports in use, but i can't
 tell from established socks what username/auth was over it)"
 "if it is auto, you can skip the occupied attempts.  control port user
 knows where it opened"
 " as for usability/interop, there are command line and basic socket tools
 which can do basic SOCKS5 or 4a but not authentication to SOCKS  svr"
 [QUESTION] 'suppose you open a port, and now another app needs that port?'
 "the other app either fails gracefully like above (picking another avail
 port) or it errors out and you change your range to not collide. ports,
 the new IRQ numbers... ;)"


 possible solution:
 "if you wanted to be friendly, you would use named pipes for those who
 didn't want to use socks ports on auto. this would avoid any problems with
 port conflicts, and it would also provide (through sys internals) the same
 kind of visibility into who the sockspipe consumer was. so perhaps if
 socks ports are to be used, go the username/pass route.  and if isolation
 via pipes/sockets is desired, you can do that without username hack"

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3455#comment:34>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list