ipv6

Nick Mathewson nickm at freehaven.net
Mon Aug 9 19:12:02 UTC 2004


[Message reformatted; top-posting hurts my brain]

On Mon, Aug 09, 2004 at 08:22:12AM -0400, Patrick McFarland wrote:
> On Mon, 9 Aug 2004 04:34:27 -0400, Nick Mathewson <nickm at freehaven.net> wrote:
 [...]
> > I believe that this only happens when you are using Tor as a socks
> > proxy from Mozilla directly.  But you shouldn't do that; you lose
> > anonymity when your own host connects to the DNS server!  You should
> > use privoxy as an HTTP proxy instead; see doc/CLIENTS in the Tor
> > distribution for more information about why and how.
>
> Privoxy doesn't support ipv6, however.

For the use case we're talking about, privoxy doesn't *need* IPv6.
Here's what's going on.  (At least, here's what I *think* is going on;
I don't have a copy of Opera to test against.)

The original poster is (it seems) using Tor as a SOCKS 5 proxy from
his browser.  When he goes to a dual IPv4/v6 site, these steps occur:
    1. The web browser does a DNS lookup for the site's hostname.

       (As soon as this happens, the user's anonymity is lost: the DNS
       request has gone over the network in the clear, and any
       eavesdropper can tell that the user is interested in connecting
       to the target host.)

    2. The web browser gets some A records (IPv4) and some AAAA
       records (IPv6) back.

    3. The web browser decides that it likes v6 better than v4, and
       tells Tor, via SOCKS, "please connect to this IPv6 address."
       Tor doesn't do IPv6, and gives up.

Even though privoxy doesn't support IPv6, it will still work fine in
this case.  When Privoxy is set up as your HTTP proxy, and is set to
forward requests to Tor via socks4a, here's what happens:

    1. The web browser sends an HTTP request to privoxy.  This request
       includes the hostname of the target webserver, so no DNS
       resolution has taken place.

    2. Privoxy sends a SOCKS 4A request to Tor.  Again, this request
       includes the hostname of the target webserver, so no DNS
       resolution has taken place.

    3. Your local Tor process transmits the request, along an
       encrypted multi-server circuit, to a different Tor server,
       which resolves the hostname for you, and connects to any IPv4
       address it finds (since Tor doesn't support IPv6 now).

So in this case, you get two good things and a workaround:
   Good thing 1: You aren't blowing your anonymity by doing the DNS
       resolve yourself.

   Good thing 2: Privoxy cleans identifying information from your HTTP
       request, which Tor does not do itself.

   Workaround: Because the DNS resolve is happening from within a
       remote Tor process that ignores IPv6 addresses, it won't get
       confused by having both AAAA records and A records for a single
       server.

I hope this explained why using an HTTP proxy is important
_independently_ from IPv6/v4 issues; and why it is a good workaround
for those too.

yrs,
-- 
Nick Mathewson
(PGP key will change on 15Aug2004; see http://wangafu.net/key.txt)
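
The two request shapes described in the message above, as an added example (not part of the original message and not Tor or Privoxy code): it builds the SOCKS 5 and SOCKS 4A CONNECT requests and classifies each by whether the proxy receives a hostname or an address the client already resolved. Function names and sample hosts are assumptions; the SOCKS 5 domain-name address type is included for completeness even though the message does not discuss it.

```python
import ipaddress
import struct

def socks4a_connect(host, port, user=b""):
    # SOCKS 4A: the placeholder address 0.0.0.1 means "hostname follows".
    head = struct.pack(">BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
    return head + user + b"\x00" + host.encode("ascii") + b"\x00"

def socks5_connect(target, port):
    # SOCKS 5 CONNECT (the message sent after method negotiation).
    try:
        ip = ipaddress.ip_address(target)
        atyp, addr = (1 if ip.version == 4 else 4), ip.packed
    except ValueError:  # not an IP literal: send it as a domain name
        name = target.encode("ascii")
        atyp, addr = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + addr + struct.pack(">H", port)

def classify(request):
    """Return 'hostname:...', 'ipv4:...' or 'ipv6:...' for a CONNECT request."""
    if len(request) >= 9 and request[0] == 4:
        ip = request[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            user_end = request.index(b"\x00", 8)       # end of user id
            host_end = request.index(b"\x00", user_end + 1)
            return "hostname:" + request[user_end + 1:host_end].decode("ascii")
        return "ipv4:" + str(ipaddress.IPv4Address(ip))
    if len(request) >= 7 and request[0] == 5:
        atyp = request[3]
        if atyp == 3:
            return "hostname:" + request[5:5 + request[4]].decode("ascii")
        if atyp == 1:
            return "ipv4:" + str(ipaddress.IPv4Address(request[4:8]))
        if atyp == 4:
            return "ipv6:" + str(ipaddress.IPv6Address(request[4:20]))
    raise ValueError("not a SOCKS 4/4A/5 CONNECT request")

def resolved_by_client(request):
    # True when the client handed the proxy an address, i.e. the DNS
    # lookup already happened on the client's own network.
    return not classify(request).startswith("hostname:")

if __name__ == "__main__":
    # Constructed sample requests; example.com and 2001:db8::1 are documentation values.
    for req in (socks5_connect("2001:db8::1", 80), socks4a_connect("www.example.com", 80)):
        print(classify(req), "resolved by client:", resolved_by_client(req))
```

A proxy that logs or warns whenever resolved_by_client() is true catches the leaky configuration before any traffic is relayed.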