Yahoo Mail and Tor

Andrew Lewman andrew at torproject.org
Wed Jul 15 04:50:23 UTC 2009


On 07/09/2009 01:36 PM, Lee wrote:

>>> enable-remote-toggle  0
>>> enable-remote-http-toggle  0
>>> enable-edit-actions 0
>>> allow-cgi-request-crunching 0
>> I'm trying to find the email thread, but until then, even with these
>> set, it was demonstrated someone can manipulate your privoxy config by
>> making your tor client pass strings from localhost.

The best thread I can find on this topic is
http://archives.seul.org/or/talk/Nov-2007/msg00323.html

My memory of the details recalls that even with everything set to 0,
there was something that could enable the admin interface by referrer
spoofing, and then you've lost.

However, I can't find the details so, perhaps it's time to check out the
current versions of privoxy and re-evaluate.  I'd love to stop shipping
a powerpc-only privoxy with the osx bundles, at a minimum.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject



More information about the tor-talk mailing list