Firefox IPv6 Anonymity bypass NOT A BUG

Sat Oct 27 16:58:30 UTC 2007

Thanks for the clarification. It's much easier to understand now.
Comrade Ringo Kamens

On 10/26/07, Nick 'Zaf' Clifford <zaf at nrc.co.nz> wrote:
> Nick 'Zaf' Clifford wrote:
> > Hey ya,
> >
> > Just noticed one small problem with Tor + Firefox + IPv6.
> > I'm aware that Tor doesn't yet support IPv6, but I found an interesting
> > development with respect to a system that has IPv6 configured and working.
> >
> >
> Embarrassing confession time:
> When I first noticed this "bug", I didn't realize I'd set a proxy bypass
> for .nrc.co.nz (my local domain) a long time ago when doing other proxy
> testing. This meant when I went to a .nrc.co.nz address, it did so
> directly, bypassing any proxy.
>
> When I eventually started playing with Tor, I had forgotten about that
> setting (and use TorButton so never even looked at the proxy settings of
> Firefox).
> The end result was that I went to a local system, it bypassed Tor (as
> I'd asked it to do).
>
> All of my systems here have IPv6 (and some of them don't have IPv4), so
> when I saw that I was able to connect to my internal network systems,
> supposedly via tor (having forgotten that I'd set that proxy bypass ages
> ago), I became suspicious, and looked at the system logs, saw my own
> IPv6 address, and went "Ah ha!". That lead to the above bug report.
>
> The questions you have all raised in response to my report (with
> reference to it being network.dns.IPv6, and asking if it still disabled
> numerical addresses), prompted me to do further testing, where I found
> conflicting results, that lead me to notice the .nrc.co.nz proxy bypass.
>
> So, after doing more testing, the results are:
> If you set up Firefox to use Privoxy and Tor, All requests go to Privoxy
> (this is obvious if you think about it, because otherwise Firefox would
> have to do DNS lookups on hostnames to notice they are IPv6, which would
> be a big huge leak).
> Privoxy takes the hostname, and does an IPv4 lookup (eg it doesn't
> support v6), so feeds the request through Tor as expected and desired.
> To round out the testing, and provide answers to all:
> If you give privoxy an IPv6 numerical address, eg:
> http://[2002:xxxxx:1]/, privoxy fails to recognise the address at all as
> being an IPv6 address, and therefore fails gracefully:
> Your request for http://[2002:xxxx:1]/ could not be fulfilled, because
> the domain name *[2002* could not be resolved.
>
> This is fine, and therefore I respectfully withdraw by bug report, and
> apologize to the Firefox developers, as I commented that it was probably
> a bug in Firefox.
>
> I'd also like to thank all of you on the mailing list who immediately
> recognized what this may have been (had it been accurate) and
> acknowledged my find and started fixing your own systems.
>
> So to everyone, stand down, not a bug, the problem was a PEBKAC (Problem
> Exists Between Keyboard And Chair)
> Thanks,
> Nick Clifford
>
>