Firefox IPv6 Anonymity bypass NOT A BUG

Nick 'Zaf' Clifford zaf at nrc.co.nz
Sat Oct 27 00:18:11 UTC 2007


Nick 'Zaf' Clifford wrote:
> Hey ya,
>
> Just noticed one small problem with Tor + Firefox + IPv6.
> I'm aware that Tor doesn't yet support IPv6, but I found an interesting
> development with respect to a system that has IPv6 configured and working.
>
>   
Embarrassing confession time:
When I first noticed this "bug", I didn't realize I'd set a proxy bypass
for .nrc.co.nz (my local domain) a long time ago when doing other proxy
testing. This meant when I went to a .nrc.co.nz address, it did so
directly, bypassing any proxy.

When I eventually started playing with Tor, I had forgotten about that
setting (and use TorButton so never even looked at the proxy settings of
Firefox).
The end result was that I went to a local system, it bypassed Tor (as
I'd asked it to do).
 
All of my systems here have IPv6 (and some of them don't have IPv4), so
when I saw that I was able to connect to my internal network systems,
supposedly via tor (having forgotten that I'd set that proxy bypass ages
ago), I became suspicious, and looked at the system logs, saw my own
IPv6 address, and went "Ah ha!". That led to the above bug report.

The questions you have all raised in response to my report (with
reference to it being network.dns.IPv6, and asking if it still disabled
numerical addresses), prompted me to do further testing, where I found
conflicting results, that led me to notice the .nrc.co.nz proxy bypass.

So, after doing more testing, the results are:
If you set up Firefox to use Privoxy and Tor, all requests go to Privoxy
(this is obvious if you think about it, because otherwise Firefox would
have to do DNS lookups on hostnames to notice they are IPv6, which would
be a big huge leak).
Privoxy takes the hostname, and does an IPv4 lookup (e.g. it doesn't
support v6), so feeds the request through Tor as expected and desired.
To round out the testing, and provide answers to all:
If you give privoxy an IPv6 numerical address, e.g.:
http://[2002:xxxxx:1]/, privoxy fails to recognise the address at all as
being an IPv6 address, and therefore fails gracefully:
Your request for http://[2002:xxxx:1]/ could not be fulfilled, because
the domain name *[2002* could not be resolved.

This is fine, and therefore I respectfully withdraw my bug report, and
apologize to the Firefox developers, as I commented that it was probably
a bug in Firefox.

I'd also like to thank all of you on the mailing list who immediately
recognized what this may have been (had it been accurate) and
acknowledged my find and started fixing your own systems.

So to everyone, stand down, not a bug, the problem was a PEBKAC (Problem
Exists Between Keyboard And Chair).
Thanks,
Nick Clifford
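
The forgotten proxy bypass described in this message can be checked for directly. The following is an added example, not part of the original post: it reads a Firefox prefs.js and lists the "No Proxy for" entries (pref network.proxy.no_proxies_on) that would be fetched directly instead of through Privoxy and Tor. The sample prefs are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of a Firefox prefs.js; the values are illustrative only.
SAMPLE_PREFS = '''\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, .nrc.co.nz");
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)


def parse_prefs(text):
    """Map each user_pref name to its value, with string quotes removed."""
    return {name: raw.strip().strip('"') for name, raw in PREF_RE.findall(text)}


def is_loopback(entry):
    """True for localhost and loopback addresses or networks."""
    host = entry.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_network(host, strict=False).is_loopback
    except ValueError:
        return False  # a hostname or domain suffix such as ".example.org"


def proxy_bypass_entries(text):
    """Return "No Proxy for" entries that would be fetched directly."""
    raw = parse_prefs(text).get("network.proxy.no_proxies_on", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    return [e for e in entries if not is_loopback(e)]


if __name__ == "__main__":
    for entry in proxy_bypass_entries(SAMPLE_PREFS):
        print("bypasses the proxy:", entry)
```

Any entry it reports is a destination the browser reaches without the proxy, whatever the proxy toggle shows.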
