[tor-talk] question about socks 4, 5
Joe Btfsplk
joebtfsplk at gmx.com
Sat Sep 24 14:59:22 UTC 2011
On 9/24/2011 4:16 AM, Fabian Keil wrote:
> Joe Btfsplk<joebtfsplk at gmx.com> wrote:
>
>> was playing w/ latest TBB & seeing how other apps (like email - Tbird,
>> or other apps) behaved, just to experiment.
>>
>> 1) Question about changes in proxy settings of late(er) TBB (Aurora - FF
>> 6) use. Notice that ONLY things filled in on network> settings page is:
>> - Manual Proxy Config is checked,
>>
>> - under SOCKS host, 127.0.0.1 is used, and PORT 9050 used.
>> - SOCKS 5 is checked.
>>
>> Obviously, changes from past Tor. I saw msgs in TBB / Vidalia log
>> (which unfortunately, I didn't figure out how to save - it's gone once
> I never used TBB, but the "Vidalia log" in vanilla Vidalia is basically
> a Tor log, so if you configure Tor to additionally log to a file, the log
> messages should survive the Vidalia shutdown.
>
>> TBB shuts down), to effect of (pardon my poor memory): "An (or some)
>> applic. is trying to do.... on SOCKS 5... which ~ may compromise
>> anonymity... "Consider using SOCKS 4 instead, ... or use Polipo
>> (Privoxy?)"
> You are probably referring to:
> Sep 21 22:43:31.377 [warn] {APP} Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.
>
> The important part is "giving Tor only an IP address",
> you can get the same message for SOCKS4.
>
> The URL should probably be fixed, but I'm not sure if the
> original content still exists somewhere.
>
>> Question isn't about ONE app, but in general. If trying to torrify
>> other apps, how do you know (now) WHICH settings to use in connection
>> settings for that app(s)?
>> HTTP, SSL, SOCKS 4 / 5? Or some combo of one or more of these settings
>> & which Proxy or Port for each?
> Simplifying things a bit, SOCKS 4 and 5 both have two "flavours",
> one where the client itself resolves the addresses (potentially
> "leaking" DNS requests) and one where it doesn't have to (but still
> could).
>
> Tor users usually want to use the ones where the client doesn't have
> to resolve addresses and naturally they want to use clients that don't
> resolve anything anyway.
>
> In case of SOCKS4 that flavour is called SOCKS4A, in case of SOCKS5
> it's often called "SOCKS5 with hostnames", but many applications only
> support one SOCKS5 flavour and you may have to check the documentation
> to figure out which one it is.
>
> For example Privoxy only supports the "SOCKS5 with hostnames"
> flavour but simply refers to it as SOCKS5 in the configuration
> files. The documentation should make it clear, though:
> http://www.privoxy.org/user-manual/config.html#SOCKS
>
> The same is true for Polipo:
> http://www.pps.jussieu.fr/~jch/software/polipo/polipo.html#SOCKS-parent-proxies
>
> curl supports both, and the switches are --socks5
> and --socks5-hostname, so in this case most Tor users
> would want the latter.
>
> If an application has properly working SOCKS support
> there usually isn't any need to additionally configure
> a HTTP proxy unless the proxy itself does something
> you consider useful.
>
> If a client supports both SOCKS4A and "SOCKS5 with hostnames"
> it's usually preferable to use the latter as it supports more
> detailed error codes. It's up to the client to do something
> useful with them, though.
>
>> By that, mean by CURRENT ways that Tor / TBB work, not outdated help /
>> FAQ articles (sorry). Some help files & articles are out of date & no
>> longer apply for some settings.
>> Could be wrong, but don't think instructions on
>> https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail
>> have changed in * long * time.
> There seems to be some history available:
> https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail?action=history
>
>> Have to say, Tbird instructions on above link could be a * LOT *
>> clearer. I'm a technical person (not a coder) & have a hard time
>> following it all. Definitely not written for avg users:
> I agree. It's also not clear if they are sufficient.
> It's my impression that they may not cover everything,
> but as I don't use Thunderbird I could be wrong.
>
Thanks for detailed reply. It answered some questions, but I think for
most users (perhaps technical, but not *extremely* advanced), it raises
just as many more. I'm glad I don't live in Pakistan.
1) Most apps I've looked at w/ ability to select connection mode don't
specify SOCKS 4 / 4a, or 5 / "5 w/ hostnames." MAYBE info could be
found from developer or forums. Like you said,
"For example Privoxy only supports the "SOCKS5 with hostnames" flavour but simply refers to it as SOCKS5"
Even Tbird 6 doesn't specify anything except simply SOCKS 4 / 5.
2) If using Tor / Vidalia / Polipo bundle, & it's enabled, AND
applications are config'd to use the port that Polipo uses, aren't the
applications using the correct SOCKS type & port #, to prevent DNS
leaks, or do many apps just ignore the Polipo settings?
I suppose ? if apps don't support SOCKS 4a / 5 w/ hostnames, they'll
just do what ever they're able & doesn't really matter if using Polipo &
app is config'd to use same proxy / port?
Info on this general issue is scattered out like debris field of a
crashing space shuttle. It appears that "torrifying non browser apps"
isn't a big concern for Tor developers, because instructions to do so &
how (or even if) can be verified are far beyond avg users' ability. Not
a criticism - just observation. The FAQ quoted below illustrates the
point - not enough details for most users & incomplete. * Most Tor
users are probably somewhat above avg, anyway, but do we really think
the instructions below are sufficient for avg Tor users? *
From the FAQ: "I keep seeing these warnings about SOCKS and DNS and
information leaks. Should I worry?"*
[IMHO, these instructions fall into the category, "A little knowledge is
a dangerous thing." Besides, no where near complete enough for avg -
sl. above avg users to torrify apps safely]
"Where SOCKS comes in.* Your application uses the SOCKS protocol to
connect to your local Tor client. There are 3 versions of SOCKS you are
likely to run into: SOCKS 4 (which only uses IP addresses), SOCKS 5
(which usually uses IP addresses in practice), and SOCKS 4a (which uses
hostnames).
When your application uses SOCKS 4 or SOCKS 5 to give Tor an IP address,
Tor guesses that it 'probably' got the IP address non-anonymously from a
DNS server. That's why it gives you a warning message: you probably
aren't as anonymous as you think.
*So what can I do?* We describe a few solutions below.
* If your application speaks SOCKS 4a, use it. [caveat: most apps
don't say 4 / 4a, etc.]
* For HTTP (web browsing), either configure your browser to perform
remote DNS lookups (see the Torify HOWTO
<https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> how
to do this for some versions of Firefox) ** or use a socks4a-capable
HTTP proxy, such as Polipo.** [again, from your comment & what I
gather, using this may mean nothing] See the Tor documentation for
more information. For instant messaging or IRC, use Gaim or XChat.
For other programs, consider using freecap (on Win32) or dsocks (on
BSD).
* If you only need one or two hosts, or you are good at programming,
you may be able to get a socks-based port-forwarder like socat to
work for you; see the Torify HOWTO
<https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> for
examples.
* Tor ships with a program called tor-resolve that can use the Tor
network to look up hostnames remotely; if you resolve hostnames to
IPs with tor-resolve, then pass the IPs to your applications, you'll
be fine. (Tor will still give the warning, but now you know what it
means.) [and instructions for config'g apps to use tor-resolve are
where?]
* You can use TorDNS as a local DNS server to rectify the DNS leakage.
See the Torify HOWTO
<https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> for
info on how to run particular applications anonymously.
If you think that you applied one of the solutions properly but still
experience DNS leaks please verify there is no third-party application
using DNS independently of Tor. Please see the FAQ entry on whether
you're really absolutely anonymous using Tor
<https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#SoImtotallyanonymousifIuseTor>
for some examples.
How do I check if my application
<https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#SocksandDNS>
that uses SOCKS is leaking DNS requests?
These are two steps you need to take here. The first is to make sure
that it's using the correct variant of the SOCKS protocol, and the
second is to make sure that there aren't other leaks.
Step one: add "TestSocks 1" to your torrc
<https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#torrc> file,
and then watch your logs as you use your application. Tor will then log,
for each SOCKS connection, whether it was using a 'good' variant or a
'bad' one. (If you want to automatically disable all 'bad' variants, set
"SafeSocks 1" in your torrc file.)
Step two: even if your application is using the correct variant of the
SOCKS protocol, there is still a risk that it could be leaking DNS
queries. This problem happens most commonly in Firefox extensions that
resolve the destination hostname themselves, for example to show you
its IP address, what country it's in, etc. These applications may use a
safe SOCKS variant when actually making connections, but they still do
DNS resolves locally. If you suspect your application might behave like
this, you should use a network sniffer like Wireshark and look for
suspicious outbound DNS requests. I'm afraid the details of how to look
for these problems are beyond the scope of a FAQ entry though * [& those
details are where?] * -- * find a friend to help * if you have problems
[LOL]."
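The thread above turns on one wire-level distinction: whether the application hands the SOCKS proxy a hostname (Tor resolves it through the circuit) or only an IP address (the application must already have resolved the name, typically with a plain DNS query that Tor never saw). The following is an added example, not code from the thread, the Tor project, Privoxy or Polipo: it builds the four CONNECT request shapes (SOCKS4 per the original spec, SOCKS4a, and SOCKS5 per RFC 1928 with ATYP 1/4 versus ATYP 3) and classifies each the way Tor's `TestSocks` logging does, so you can see offline what "giving Tor only an IP address" looks like on the wire. The sample hosts and the TEST-NET addresses are constructed placeholders; `classify`, `leak_risk` and `destination` are names chosen here, not Tor APIs.

```python
"""Build SOCKS4 / SOCKS4a / SOCKS5 CONNECT requests and flag the flavours in
which the client, not the proxy, resolved the destination name.
Added illustration for the tor-talk thread; not part of Tor or the thread."""
import ipaddress
import socket
import struct


def socks4_connect(ip: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4: only an IPv4 address fits in the request, so the client had
    to resolve the name itself (the leak-prone flavour)."""
    return b"\x04\x01" + struct.pack(">H", port) + socket.inet_aton(ip) + user + b"\x00"


def socks4a_connect(host: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4a: DSTIP is 0.0.0.x (x != 0) and the hostname follows the userid,
    so the proxy (Tor) does the resolving."""
    return (b"\x04\x01" + struct.pack(">H", port) + b"\x00\x00\x00\x01"
            + user + b"\x00" + host.encode("idna") + b"\x00")


def socks5_connect(dst: str, port: int) -> bytes:
    """SOCKS5 CONNECT (the part after auth negotiation). ATYP picks the
    flavour: 1 = IPv4, 4 = IPv6 (client already resolved), 3 = domain name
    ('SOCKS5 with hostnames', the one Tor users want)."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        name = dst.encode("idna")
        body = b"\x03" + bytes([len(name)]) + name
    else:
        body = (b"\x01" if addr.version == 4 else b"\x04") + addr.packed
    return b"\x05\x01\x00" + body + struct.pack(">H", port)


def classify(request: bytes) -> str:
    """Return 'socks4', 'socks4a', 'socks5-ip' or 'socks5-hostname'."""
    ver = request[0]
    if ver == 4:
        if len(request) < 9 or request[1] != 1:
            raise ValueError("not a SOCKS4 CONNECT request")
        dst = request[4:8]
        # 0.0.0.x with x != 0 is the SOCKS4a marker for "hostname follows"
        if dst[:3] == b"\x00\x00\x00" and dst[3] != 0:
            return "socks4a"
        return "socks4"
    if ver == 5:
        if len(request) < 4 or request[1] != 1:
            raise ValueError("not a SOCKS5 CONNECT request")
        atyp = request[3]
        if atyp == 3:
            return "socks5-hostname"
        if atyp in (1, 4):
            return "socks5-ip"
        raise ValueError(f"unknown SOCKS5 address type {atyp}")
    raise ValueError(f"unknown SOCKS version {ver}")


# The flavours Tor's warning is about: the proxy was handed only an IP, so
# the name was resolved somewhere else, usually by a local DNS query.
LEAK_PRONE = {"socks4", "socks5-ip"}


def leak_risk(request: bytes) -> bool:
    """True when the request's flavour implies the client resolved the name."""
    return classify(request) in LEAK_PRONE


def destination(request: bytes) -> tuple:
    """Decode (host_or_ip, port) from any of the four CONNECT flavours."""
    kind = classify(request)
    port = struct.unpack(">H", request[2:4])[0]
    if kind == "socks4":
        return socket.inet_ntoa(request[4:8]), port
    if kind == "socks4a":
        rest = request[8:]                      # userid NUL hostname NUL
        userid_end = rest.index(b"\x00")
        host = rest[userid_end + 1:].split(b"\x00", 1)[0]
        return host.decode("idna"), port
    atyp = request[3]
    if atyp == 3:
        n = request[4]
        host = request[5:5 + n].decode("idna")
        return host, struct.unpack(">H", request[5 + n:7 + n])[0]
    size = 4 if atyp == 1 else 16
    host = str(ipaddress.ip_address(request[4:4 + size]))
    return host, struct.unpack(">H", request[4 + size:6 + size])[0]


if __name__ == "__main__":
    # Constructed samples: TEST-NET / documentation addresses and a placeholder name.
    samples = [
        socks4_connect("192.0.2.10", 80),
        socks4a_connect("example.invalid", 80),
        socks5_connect("192.0.2.10", 443),
        socks5_connect("2001:db8::1", 443),
        socks5_connect("example.invalid", 443),
    ]
    for req in samples:
        verdict = "bad (client resolved)" if leak_risk(req) else "good (proxy resolves)"
        print(f"{classify(req):16} {destination(req)!s:32} {verdict}")
```

Run it as-is to see the table; to inspect a real client, capture the first bytes it sends to 127.0.0.1:9050 (for example with Wireshark, as the FAQ suggests) and feed them to `classify`. A "good" verdict only covers the CONNECT itself: as step two of the FAQ notes, an application can still resolve names on the side, which this check cannot see and only a sniffer on port 53 will.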