[tor-talk] Torifying Java and Flash

Random Tor User randomtoruser at hushmail.com
Tue Aug 28 20:51:27 UTC 2012


On 28 August 2012 at 4:14 PM, adrelanos wrote:

    Random Tor User:
    > On 27 August 2012 at 1:21 PM, adrelanos wrote:
    > Random Tor User:
    >
    > You should not use Firefox. Use Tor Browser. [1]
    >
    > Fixed. I have the Tor Browser in the guest system pointing to the
    > socks proxy running on the host system.
    >
    > How do you use Tor Browser without running Tor over Tor?
    >
    > What you basically need is to use a similar concept like aos. [2]
    >
    > Even if you can prevent IP and DNS leaks, Java and Flash can leak
    > more information than that, such as your time zone and system time.
    > [3]
    >
    > Nothing requires that the timezone and localization of the guest
    > corresponds to that of the host system. Am I correct that the Tor
    > Browser won't care about which timezone, time, date or localization
    > is present in the running system so long as it can establish a
    > socks connection? A socks connection is, as far as I know, agnostic
    > to this information. The only thing which could happen in the worst
    > case would be the guest system's information leaking through the
    > Tor Browser.

    Tor Browser does indeed not care, but Flash does. Tor Browser does not
    modify Flash in any way. You are right, the worst thing that may
    happen is that Flash can obtain timezone and system time, so be sure
    to obscure it.

Well, I have set the timezone and system time in the guest to
something different from that of the host system.
Maybe we could even use a small difference between host and guest
timezone and system time to make correlation more difficult.

For example, if my host time is 02:30 AM and my guest time is 03:30 AM,
we could intentionally use this possibility to let leaky applications
send back false information through the socks proxy.
After all, if a leaky application can be used by an adversary to
reveal something "real" about the running system, it should also be
possible to employ intentional leaks on the application and OS layer
as a means to obscure the running system.
And maybe we could even change the Windows guest's IP address,
product ID, MAC address, user name and identity information in the
registry (HKEY_CURRENT_USER\Identities) and information stored in
%appdata% to something different, so that when an application by
accident or intention sends back too much information over Tor, the
"leaked" info only constitutes misdirection.

Hell, if I want to frame someone I don't like, all I need is a leaky
application reading false information from the guest system (email
address, computer name, user name and software product keys from the
registry) and sending it back over Tor to a curious adversary.
Now, evilsite.com can see that someone is using Tor, and the admin
may be bright enough to understand that the Tor user, despite
obscuring his IP, is anyway leaking some personal info. And if the
personal info leaked by the application over socks is genuine, pity
the user, but what if the info is intentionally deceptive?

    > Windows Update and other Microsoft services should not be able to
    > "break out" of the guest system because the only network to which
    > the guest has access is the host system.

    How do you get all the operating system updates?

I first install a "clean" Windows XP/7 with a self-generated product
key, random user information, and updates deployed over my own
host-only network. I need not use Windows Update, since it's possible
to download and deploy all updates locally.
The guest never has to know the internet exists. It is only permitted
to connect through the socks proxy.
All the updates and modifications can be performed prior to installing
the Tor socks proxy on the host system.

    > Who checked if Java or Flash do not use your MAC address to
    > correlate with your previous activities? Flash is a black box and
    > Adobe is not known for putting much value into users' privacy. The
    > VM can see the MAC address of your host. It's possible to prevent
    > this. [4]
    >
    > My host system is not directly connected to the internet. The
    > host system (computer) connects to a router. My ISP only "sees" the
    > MAC address of my router.

    It's not about the ISP. There are applications which do read the MAC
    address of your computer. Some copyright protection tools and
    anti-cheat tools do so.

And what if the MAC address is intentionally changed to that of my
neighbor sharing the same ISP, or to one harvested from mobile devices
in the area?
I mean the MAC of my host system, not the MAC of my router.
The MAC will never "collide" with another's real MAC, because it's
never seen from the internet, only being readable from the registry.
    > Also forcing the whole system through a single Tor port opens up
    > for identity correlation through circuit sharing. [5] Your
    > operating system update mechanism inside the VM might go through
    > the same Tor circuit including all the stuff Flash already
    > reveals.
    >
    > Even in Windows, it's possible to disable all update services. If
    > the guest only participates in a host-only network, it can't access
    > external internet resources except through the socks proxy.

    So far so good. How do you install the updates then?

From a network installation of the updates downloaded directly from
Microsoft's download centre. I may be wrong, but I think it's safe.

Of course, MS could watermark each downloaded KBxxxxxx file, but if
several people collaborate on the project, a simple binary file
compare would reveal any attempt to watermark the updates.

    Like I wrote in TorifyHOWTO [1], a wrapper (torsocks etc.) is just a
    redirector, not a jail. You can't simply use a wrapper to torify Java
    / Flash. They are too complex.

    Inside a VM, well, the operating system does not know the real
    external IP address. What one does not know, one cannot tell anyone.

    Interesting idea. Good luck with it. We created leak tests [2] for
    aos; they can be useful for other projects as well. Some tools need
    alternative Windows applications, or just skip those tests.

    Since you are not using a transparent proxy, but host-only +
    wrapper, most things on transparent proxy leaks [3] probably do not
    apply. Reading that page anyway can't hurt.

    I'd also ask coderman [4] for feedback on that setup.

    One more concern: you can only be anonymous within a big group of
    people. The amount of users who use Windows + Flash or Windows + Java
    anonymously must be pretty low, since there are few discussions about
    it and the setup is quite complicated. Also due to the browser
    fingerprinting stuff it's safe to assume you are only pseudonymous,
    rather than anonymous.

I have experimented with browser fingerprinting and HTTP headers. I
know there is more to fingerprinting than HTTP headers, but my threat
model is really not an adversary capable of correlating all these
bits.
My scenario is modest: a forum or small social network with an admin
able enough to read Apache logs, understand and geolocate an IP and
maybe, only maybe, the logs generated by Java and Flash.
I know that Java and Flash aren't really safe for real anonymity;
hopefully Flash dies soon, but until then it's (unfortunately) still
used by some admins.
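Added example, not from the post above and not part of aos: a small Python script for the guest-side check the discussion implies. It reads the identity-bearing values that a local Java/Flash-style application could harvest without any network access (hostname, user name, MAC, timezone name and UTC offset, locale) and compares them with the decoy profile the guest was configured with, so anything still showing the real value is listed. The DECOY_PROFILE values and the key names are constructed for illustration.

```python
"""What a leaky local application can read from the guest, compared with
the decoy profile the guest was set up with.  Added example; not code from
the post above.  Run it inside the guest after changing timezone, clock,
hostname, user name and MAC, and it lists every value that still differs
from the decoy."""
import getpass
import locale
import socket
import time
import uuid

# Constructed decoy profile for illustration; substitute the values the
# guest was actually configured with.  MAC is lower-case hex, no separators.
DECOY_PROFILE = {
    "hostname": "WORKSTATION-07",
    "username": "jsmith",
    "mac": "080027a1b2c3",
    "tz_name": "CET",
    "utc_offset_min": 60,
}


def _safe(fn, default=None):
    """Call fn(); a harvester that hits an error simply records nothing."""
    try:
        return fn()
    except Exception:
        return default


def collect_guest_profile() -> dict:
    """Values any unprivileged process in the guest can read locally."""
    lt = time.localtime()
    # time.timezone/altzone are seconds WEST of UTC; report minutes EAST.
    secs_west = time.altzone if (time.daylight and lt.tm_isdst > 0) else time.timezone
    return {
        "hostname": _safe(socket.gethostname),
        "username": _safe(getpass.getuser),
        # uuid.getnode() falls back to a random number with the multicast
        # bit set when no hardware address is found; mac_is_real_hardware
        # flags that case.
        "mac": "%012x" % uuid.getnode(),
        "tz_name": time.tzname[lt.tm_isdst > 0],
        "utc_offset_min": -secs_west // 60,
        "locale": _safe(lambda: locale.getlocale()[0]),
    }


def mac_is_real_hardware(mac_hex: str) -> bool:
    """False when uuid.getnode() had to invent a MAC (multicast bit set)."""
    first_octet = int(mac_hex[:2], 16)
    return (first_octet & 0x01) == 0


def compare_profiles(observed: dict, expected: dict) -> dict:
    """Return {key: (observed, expected)} for every expected value the guest
    does not actually present.  A missing key counts as a mismatch, since a
    harvester would then see the real value rather than the decoy."""
    return {
        key: (observed.get(key), want)
        for key, want in expected.items()
        if observed.get(key) != want
    }


if __name__ == "__main__":
    seen = collect_guest_profile()
    for k, v in seen.items():
        print(f"{k:>15}: {v}")
    if not mac_is_real_hardware(seen["mac"]):
        print("note: no hardware MAC found, value above is synthetic")
    bad = compare_profiles(seen, DECOY_PROFILE)
    print("mismatches:", bad if bad else "none, guest presents the decoy")
```

The check is deliberately network-free: it only reads what the OS hands to any process, which is exactly the surface a plugin can report back over the socks proxy. It says nothing about values the browser itself exposes (fonts, plugins, screen size), which are a separate fingerprinting surface.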


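Also an added example, not from the post: the "binary file compare" among collaborators mentioned earlier, in Python. Each participant's copy of the same KBxxxxxx file is hashed; if the digests differ, the script lists the byte ranges in which two copies diverge, which is where a per-download watermark would have to sit. The participant names and the sample copies are constructed so the script runs offline; point it at real files via the command line.

```python
"""Compare independently downloaded copies of the same update file.
Added example, not code from the post: identical SHA-256 digests across
copies obtained by different people mean the file is not personalised per
download; otherwise the differing byte ranges are listed."""
import hashlib
import sys
from itertools import combinations


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(a: bytes, b: bytes) -> list:
    """(offset, length) of every maximal run of differing bytes in a vs b.
    A length mismatch is reported as one extra region at the shorter end."""
    regions = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, n - start))
    if len(a) != len(b):
        regions.append((n, abs(len(a) - len(b))))
    return regions


def compare_copies(copies: dict) -> dict:
    """copies: {who: bytes}.  Returns the digest per copy, whether all copies
    agree, and for each disagreeing pair the regions where they differ."""
    digests = {who: sha256_hex(data) for who, data in copies.items()}
    report = {"digests": digests,
              "identical": len(set(digests.values())) == 1,
              "diffs": {}}
    for (wa, da), (wb, db) in combinations(copies.items(), 2):
        if digests[wa] != digests[wb]:
            report["diffs"][(wa, wb)] = diff_regions(da, db)
    return report


# Constructed sample: three "downloads" of a 1 KiB blob; bob's copy has four
# bytes rewritten at offset 16, standing in for a per-download watermark.
_BASE = bytes(range(256)) * 4
SAMPLE_COPIES = {
    "alice": _BASE,
    "bob": _BASE[:16] + b"\xde\xad\xbe\xef" + _BASE[20:],
    "carol": _BASE,
}


def print_report(report: dict) -> None:
    for who, digest in report["digests"].items():
        print(f"{who:>8}  sha256 {digest}")
    if report["identical"]:
        print("all copies identical: no per-download differences seen")
        return
    for (wa, wb), regions in report["diffs"].items():
        spans = ", ".join(f"offset {off} ({ln} bytes)" for off, ln in regions)
        print(f"{wa} vs {wb} differ at: {spans}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: one path per collaborator's copy of the same KB file.
        copies = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:
        copies = SAMPLE_COPIES
    print_report(compare_copies(copies))
```

Usage: `python compare_copies.py alice/KBxxxxxx.exe bob/KBxxxxxx.exe carol/KBxxxxxx.exe`. The comparison only tells you whether copies differ, not why; a legitimate re-release of an update will also show up as a mismatch, so compare copies fetched in the same time window.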
