FF plugins DNS leaks

James Muir jamuir at scs.carleton.ca
Tue Jun 19 15:35:58 UTC 2007


Marc Stossel wrote:
> This is horrible! I just found Wireshark and it is GeoIP.Info
> location! The packets showed the contents of my request, even when it
> has gone through Tor and the source and destination were all correct.
> 
> I cannot tell about netcrafttoolbar, nor about showip. Still learning
> to use Wireshark. Do these two also leak DNS?

Hi Marc,

The warning on the download page at tor.eff.org states the dangers of 
toolbars in Firefox and other browsers 
(http://tor.eff.org/download.html.en).  You might consider following the 
advice there about using a stripped down browser to surf the web with 
Tor (e.g. install a new copy of Firefox, separate from the Firefox you 
use for non-anonymized browsing).  You could also try one of the live 
Tor distributions mentioned on the list.

If you could report your findings about which of your toolbars leak your 
IP address based on Wireshark traffic captures, then I'm sure that would 
be helpful to some of the readers here.

To answer your initial question about why Tor isn't giving you a warning 
about the identifying traffic leaving your computer, the answer is that 
Tor can't warn you about traffic it doesn't handle.  The traffic 
generated by your toolbars isn't being proxied by Tor, so it won't warn 
you about it.  I don't use Vidalia, but I think I recall that Vidalia 
does a number of geoip queries which are not proxied.  This does not 
necessarily violate Tor's security model, however.  Remember, Tor is not 
designed to hide the fact that you're using Tor.  It's designed to 
provide unlinkable communications.

-James
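
One way to check a capture for the un-proxied traffic discussed above, as an added example that is not part of the original message: it scans raw IPv4 packets for DNS queries sent to a non-loopback resolver and reports the names that left the host in cleartext. The packet builders, addresses and host names are constructed sample input; 9050 is Tor's default SOCKS port.

```python
import socket
import struct

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed test input; checksums left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def dns_query(name, sport=40000):
    """Build a UDP datagram to port 53 carrying one A-record question."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)
    return struct.pack("!4H", sport, 53, 8 + len(dns), 0) + dns

def find_dns_leaks(packets):
    """Return (resolver_ip, queried_name) for every DNS query sent off-host."""
    leaks = []
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue                      # not IPv4
        ihl = (pkt[0] & 0x0F) * 4         # IP header length in bytes
        if pkt[9] != 17 or len(pkt) < ihl + 20:
            continue                      # not UDP, or too short for UDP + DNS header
        dst = socket.inet_ntoa(pkt[16:20])
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        dns = pkt[ihl + 8:]
        flags = struct.unpack("!H", dns[2:4])[0]
        if dport != 53 or flags & 0x8000 or dst.startswith("127."):
            continue                      # not a query, or it stayed on this host
        labels, i = [], 12                # question section starts after the 12-byte header
        while i < len(dns) and 0 < dns[i] < 64:
            n = dns[i]
            labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        leaks.append((dst, ".".join(labels)))
    return leaks

# Constructed capture: two direct DNS lookups and one connection to the local SOCKS port.
SYN_TO_SOCKS = struct.pack("!HHIIBBHHH", 40001, 9050, 0, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLE = [
    ipv4("192.168.1.10", "192.168.1.1", 17, dns_query("toolbar.example.com")),
    ipv4("127.0.0.1", "127.0.0.1", 6, SYN_TO_SOCKS),
    ipv4("192.168.1.10", "192.168.1.1", 17, dns_query("geoip.example.net", 40002)),
]

if __name__ == "__main__":
    for resolver, name in find_dns_leaks(SAMPLE):
        print(f"cleartext DNS query for {name} sent to {resolver}")
```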



More information about the tor-talk mailing list