Chrome and Safari IP leak

Mike Perry mikeperry at fscked.org
Tue Dec 7 23:34:02 UTC 2010


Thus spake Roger Dingledine (arma at mit.edu):

> On Tue, Dec 07, 2010 at 11:12:37PM +0000, John Case wrote:
> > Wait, what about lynx ?  I can't be safe by running lynx inside of a jail 
> > with no routable IP ?  (10.10.10.10)
> 
> Sorry, I've been talking to too many ordinary users lately. :)
>
> I don't know of any problems with lynx. I think you'll still want to
> think about topics like cookies and whether your http headers make you
> recognizable. Take a look through
> https://www.torproject.org/torbutton/design/
> for more topics to think about. Web browsers like 'wget' should also be
> pretty safe in general. But somebody needs to analyze them in more detail.

Turns out that wget can be 302d between schemes to cause you to bypass
proxy settings. For example, if you have the $HTTP_PROXY environment
variable set but nothing for $HTTPS_PROXY, a 302 to an https url will
cause you to bypass proxy. I wouldn't be surprised if the same could
happen for an ftp url.

So the answer is "Just because you think your program is simple
doesn't mean it is. We haven't fully audited anything other than
Firefox, but we do know most of it isn't safe."

Robert Hogan *has* audited a few more apps, but only in conjuction
with his 'torsocks' utility: http://code.google.com/p/torsocks/

It looks like wget also has a note there about unsafe HTTP headers..
Not sure exactly what it is sending.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20101207/23e9c358/attachment.pgp>


More information about the tor-talk mailing list