Set up a webproxy to TOR - tor-proxy.net

Kyle Williams kyle.kwilliams at gmail.com
Wed Oct 10 06:45:31 UTC 2007


Neat site.

Not to rain on the parade, but I'm concerned about side-channel attacks with
this site.
Let me clarify a bit.

It's nice knowing that this site is using HTTPS.  Good.
But when a URL is visited that requires a third party application to watch
it (specifically multimedia content) such as Windows Media or Real Player,
then the user's anonymity could be compromised.

I entered the following URL as an example:
http://ra.yle.fi/ramgen/aktualiteter/spotlight/spotlightdebatt_2005_06_07.rm?rpurl=http://www.ipnow.org/images/iprand.jpg&start=00:00:00&end=00:00:01

(The result in this example shows your true IP address in RealPlayer. I have
no idea what this video is about, I just used Google to find one for this
example.)
This uses the web browser in RealPlayer (which is just IE hooked in with a
skin around it) and doesn't use the proxy settings from Firefox.
There are a few different applications which make their own connection to
the Internet without using a proxy.

So my question is, could you give users the option to only visit safe
content (.html .htm .jpg .gif .css)?
Could you put up a warning page when they do visit a link to a non-html
related page to inform the user that this *might* be dangerous to their
anonymity?

I think this would be a step in the right direction in terms of security of
the users' anonymity.  Lots of users who want anonymity do not fully
understand how all the applications on their system work, which could result
in a user following a link to a bad file that could compromise their real IP
address through an application that isn't their browser.

Don't forget about evil Tor exits too, someone could inject traffic into
what would normally be a safe page. ;)

best regards.
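
The safe-content check proposed in the message above, as an added example that is not part of the original post and is not tor-proxy.net's code. The function name, the MIME table, the Content-Type cross-check and the treatment of extensionless paths as HTML are assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Extensions the message proposes as "safe content", mapped to the MIME type
# a proxy would expect for each (the MIME mapping is an assumption).
SAFE_TYPES = {
    ".html": "text/html",
    ".htm": "text/html",
    ".jpg": "image/jpeg",
    ".gif": "image/gif",
    ".css": "text/css",
}


def classify(url, content_type=None):
    """Return ("allow" | "warn", reason) for a URL requested through the web proxy.

    "warn" means the proxy should show the warning page before serving the link,
    because the content may be opened by an application that ignores the
    browser's proxy settings.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "warn", "scheme is handled outside the browser"

    # Only the decoded path decides the extension; dots in the query string
    # (e.g. a nested URL parameter) must not influence the result.
    ext = posixpath.splitext(unquote(parts.path))[1].lower()
    if ext == "":
        ext = ".html"  # assumption: "/" or "/news/" is an HTML page
    if ext not in SAFE_TYPES:
        return "warn", f"{ext} is not on the safe-content list"

    # Optional cross-check against the upstream response header, so a response
    # altered in transit cannot hide media behind a safe extension.
    if content_type is not None:
        mime = content_type.split(";")[0].strip().lower()
        if mime != SAFE_TYPES[ext]:
            return "warn", f"{mime} does not match {ext}"
    return "allow", "safe content"


if __name__ == "__main__":
    # Constructed sample requests (example.test is a placeholder host).
    for u in ("https://example.test/index.html", "https://example.test/clip%2Erm"):
        print(u, classify(u))
```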