[tor-talk] wget - secure?

Robert Ransom rransom.8774 at gmail.com
Fri Apr 20 14:15:54 UTC 2012


On 2012-04-18, Joseph Lorenzo Hall <joehall at gmail.com> wrote:

> The underlying point is that it would be neat if
> you've done a comprehensive analysis of a specific version of Tor,
> etc., etc.

No, the underlying point is that I have personally seen wget send my
computer's IP address over Tor in an FTP PORT command.  wget is not
‘100% safe’.

The code to send a PORT command is still present in wget 1.13.4.  wget
1.13.4 is not ‘100% safe’; anyone who wants to recommend it needs to
specify a particular configuration of wget which is safe.  (Don't
count on a ‘default configuration’; Linux distributors might have
messed with it, or failed to update it to the version shipped in
recent wget source distributions.)


And that's not even the potential information leak that folks who are
familiar with ‘anonymous FTP’ would check for first.


Robert Ransom
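
Background on the PORT command discussed above: in active-mode FTP the client writes its own IP address and a listening port into the control channel (RFC 959 `PORT`, RFC 2428 `EPRT`), so the address reaches the server as application data however the TCP connection was routed. The following is an added example, not part of the original message and not wget code; it decodes such commands from a log of client commands, and the `-->` prefix, the function names and the sample lines (documentation-range addresses) are constructed assumptions.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (six decimal bytes).
PORT_RE = re.compile(r"^\s*(?:-->\s*)?PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
# RFC 2428 EPRT argument: <d>proto<d>address<d>port<d>, <d> is usually "|".
EPRT_RE = re.compile(r"^\s*(?:-->\s*)?EPRT\s+(\S+)\s*$", re.I)


def decode_port(arg):
    """Return (ip, port) carried in a PORT argument."""
    nums = [int(n) for n in arg.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def decode_eprt(arg):
    """Return (ip, port) carried in an EPRT argument (proto 1=IPv4, 2=IPv6)."""
    parts = arg.split(arg[0])  # first character is the delimiter
    if len(parts) != 5 or parts[1] not in ("1", "2"):
        raise ValueError("malformed EPRT argument: %r" % arg)
    return str(ipaddress.ip_address(parts[2])), int(parts[3])


def find_address_disclosures(lines):
    """List (line_number, ip, port) for every client command that embeds
    the client's own address in the control channel."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for regex, decode in ((PORT_RE, decode_port), (EPRT_RE, decode_eprt)):
            match = regex.match(line)
            if not match:
                continue
            try:
                findings.append((lineno,) + decode(match.group(1)))
            except ValueError:
                pass  # not a well-formed address; nothing decodable to report
    return findings


# Constructed sample of client-side control-channel commands.
SAMPLE = [
    "--> TYPE I",
    "--> PORT 203,0,113,7,195,80",
    "--> PASV",
    "--> EPRT |2|2001:db8::7|50001|",
    "--> PORT 999,0,0,1,1,1",
]

if __name__ == "__main__":
    for lineno, ip, port in find_address_disclosures(SAMPLE):
        print("line %d: client address %s port %d sent to server" % (lineno, ip, port))
```
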

