[tor-talk] Torifying Java and Flash

Random Tor User randomtoruser at hushmail.com
Tue Aug 28 13:07:01 UTC 2012


On 27 August 2012 at 1:21 PM, adrelanos wrote:
Random Tor User:
[...]
> The guest VM is locked down and may only access the internet through
> the host system's Tor socks proxy on port 9050.

The lockdown part is too shortly described. How? Iptables?

No, until now I have just set up an alternative Windows as a VMware
guest.

The VMware network is configured as hostonly which means that the
guest can only connect to the host's IP address.

> Is there any weakness in this setup?

Yes. Just a few things coming to my mind...

You should not use Firefox. Use Tor Browser. [1] 

Fixed. I have the Tor browser in the guest system pointing to the
socks proxy running on the host system.

How do you use Tor Browser without running Tor over Tor?

What you basically need, is to use a similar concept like aos. [2]

Even if you can prevent IP and DNS leaks, Java and Flash can leak more
information than that, such as your time zone and system time. [3]

Nothing requires that the timezone and localization of the guest
corresponds to that of the host system.

Am I correct that the Tor browser won't care about which timezone, time,
date or localization is present in the running system so long as it
can establish a socks connection?

A socks connection is, as far as I know, agnostic to this information. The
only thing which could happen in the worst case would be the guest
system's information leaking through the Tor browser.

Windows Update and other Microsoft services should not be able to
"break out" of the guest system because the only network to which the
guest has access is the host system.

Who checked if Java or Flash do not use your MAC address to correlate
with your previous activities? Flash is a black box and Adobe is not
known for putting much value into users' privacy. The VM can see the MAC
address of your host. It's possible to prevent this. [4]

My host system is not directly connected to the internet. The host
system (computer) connects to a router. My ISP only "sees" the MAC
address of my router.

And even so, I often swap/randomize the host system's MAC and
computer name when I use the computer to connect away from home.

Apart from the MAC address there are other caveats. Even the name of the
user account could be used for correlation.

What if I write a VBS script to randomize all this information?
Every time the guest starts up, all sensitive information is
randomized. And the host is a bare metal machine only used for hosting
my Tor socks proxy.

Also forcing the whole system through a single Tor port opens up for
Identity correlation through circuit sharing. [5] Your operating
system update mechanism inside the VM might go through the same Tor circuit
including all the stuff flash already reveals.

Even in Windows, it's possible to disable all update services. If the
guest only participates in a hostonly network, it can't access
external internet resources except through the socks proxy.

Of course the host system is different, but what I am interested in is
hiding what I am doing inside the guest. I don't care about people
knowing I run Tor as a socks proxy.

I don't intend to host hidden services, so the time window for attacks
should be very short-lived.

My only goal is being able to torify Flash and Java for browsing.

So what I don't know is whether the JonDoNym guide to proxifying
Flash and Java is secure enough for browsing.
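
A way to check the lockdown discussed in this thread from inside the guest, as an added example that is not part of the original post: it confirms that the host's SOCKS listener answers a SOCKS5 greeting and that direct TCP connections to outside addresses fail. The function names, the proxy address and the canary IPs are assumptions and placeholders.

```python
import socket

def tcp_reachable(host, port, timeout=3.0):
    """True if a direct TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def speaks_socks5(host, port, timeout=3.0):
    """Send a SOCKS5 greeting offering 'no authentication' (RFC 1928)
    and check that the listener selects that method."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")        # VER=5, NMETHODS=1, METHOD=0
            reply = b""
            while len(reply) < 2:
                chunk = s.recv(2 - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == b"\x05\x00"
    except OSError:
        return False

def audit_guest(proxy, canaries, timeout=3.0):
    """proxy: (host, port) of the SOCKS listener on the host.
    canaries: (ip, port) pairs the guest must NOT reach directly."""
    leaks = [c for c in canaries if tcp_reachable(c[0], c[1], timeout)]
    return {"proxy_ok": speaks_socks5(proxy[0], proxy[1], timeout),
            "leaks": leaks}

if __name__ == "__main__":
    # Assumed placeholders: replace with the host's host-only adapter
    # address and with literal IPs of real external services.
    PROXY = ("192.168.56.1", 9050)
    CANARIES = [("203.0.113.10", 80), ("203.0.113.10", 443)]
    result = audit_guest(PROXY, CANARIES)
    print("SOCKS5 proxy reachable:", result["proxy_ok"])
    for ip, port in result["leaks"]:
        print("LEAK: direct connection to %s:%d succeeded" % (ip, port))
```

The check covers TCP only; DNS and other UDP traffic from the guest need a separate test.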


