[tor-talk] Torifying Java and Flash

adrelanos adrelanos at riseup.net
Mon Aug 27 13:21:25 UTC 2012


Random Tor User:
[...]
> The guest VM is locked down and may only access the internet through
> the host system's Tor socks proxy on port 9050.

The lockdown part is too shortly described. How? Iptables?

> Is there any weakness in this setup?

Yes. Just a few things coming to my mind...

You should not use Firefox. Use Tor Browser. [1] How to you use Tor
Browser without running Tor over Tor?

What you basically need, is to use a similar concept like aos. [2]

Even if you can prevent IP and DNS leaks, Java and Flash can leak more
information than that, such as your time zone and system time. [3]

Who checked if Java or Flash do not use your MAC address to correlate
with your previous activities? Flash is a black box and Adobe is not
known for putting much value into users privacy. The VM can see MAC
address of your host. It's possible to prevent this. [4]

Apart from MAC address there are other caveat. Even the name of the user
account could be used for correlation.

Also forcing the whole system through a single Tor port opens up for
Identity correlation through circuit sharing. [5] Your operating system
update mechanism inside the VM might go through the same Tor circuit
including all the stuff flash already reveals.

It your guest operating system is Windows, it gets worse. They send a
Globally Unique Identifier (GUID) while updating. If you send it once in
the clear and once over Tor, mixed up with flash traffic... [6]

System time correlation is also at risk. [7]

[1]
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
[2] https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
[3]
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#BrowserPlugins
[4]
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aossProtocol-Leak-ProtectionandFingerprinting-Protection
[5]
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks
[7]
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aossSecureAndDistributedTimeSynchronizationMechanism


More information about the tor-talk mailing list