[tor-talk] Torifying Java and Flash

adrelanos adrelanos at riseup.net
Tue Aug 28 23:24:55 UTC 2012


Random Tor User:
> On 28. august 2012 at 4:14 PM, adrelanos wrote:
> 
>     Random Tor User:
>     > On 27. august 2012 at 1:21 PM, adrelanos wrote:
>     > Random Tor User:
> 
>     >
>     > You should not use Firefox. Use Tor Browser. [1]
>     >
>     > Fixed. I have the Tor browser in the guest system pointing to the
>     > socks proxy running on the host system.
>     >
>     > How do you use Tor Browser without running Tor over Tor?
>     >
>     > What you basically need is to use a similar concept like aos. [2]
>     >
>     > Even if you can prevent IP and DNS leaks, Java and Flash can leak
>     > more information than that, such as your time zone and system time.
>     > [3]
>     >
>     > Nothing requires that the timezone and localization of the guest
>     > corresponds to that of the host system. Am I correct that the Tor
>     > browser won't care about which timezone, time, date or localization
>     > is present in the running system so long as it can establish a
>     > socks connection? A socks connection is, so far as I know, agnostic
>     > to this information. The only thing which could happen in the worst
>     > case would be the guest system's information leaking through the
>     > Tor browser.
> 
>     Tor Browser does indeed not care, but flash does. Tor Browser does not
>     modify flash in any way. You are right, the worst thing that may happen
>     is that flash can obtain timezone and system time, so be sure to
>     obscure it.
> 
> Well, I have set the timezone and system time in the guest to
> something different from that of the host system.
> Maybe we could even use a small difference between host and guest
> timezone and system time to make correlation more difficult.
> 
> For example, if my host time is 02:30 AM and my guest time is 03:30 AM
> we could intentionally use this possibility to let leaky applications
> send back false information through the socks proxy.
> After all, if a leaky application can be used by an adversary to
> reveal something "real" about the running system, it should also be
> possible to employ intentional leaks on the application and OS layer
> as means to obscure the running system.
> And maybe, we could even change the Windows guest's IP address,
> product ID, MAC address, user name and identity information in the
> registry (HKEY_CURRENT_USER\Identities) and information stored in
> %appdata% to something different, so that when an application by
> accident or intention sends back too much information over Tor, the
> "leaked" info only constitutes misdirection.

Theoretically possible, but Windows is a black box. It's not documented
what sends traffic where, which kind of information is transmitted and
how to spoof it. See the transparent proxy leak page, if you can
complete it with sources/proofs, great!

> Hell, if I want to frame someone I don't like all I need is a leaky
> application reading false information from the guest system (email
> address, computer name, user name and software product keys from the
> registry) and sending it back over Tor to a curious adversary.
> Now, evil site.com can see that someone is using Tor, and the admin
> may be bright enough to understand that the Tor user, despite
> obscuring his IP, is anyway leaking some personal info. And if the
> personal info leaked by the application over socks is genuine, pity
> the user, but what if the info is intentionally deceptive.

Possibly.

>     > Windows Update and other Microsoft services should not be able to
>     > "break out" of the guest system because the only network to which
>     > the guest has access is the host system.
> 
>     How do you get all the operating system updates?
> 
> I first install a "clean" Windows XP/7 with a self-generated product
> key, random user information, and updates deployed over my own
> hostonly network.

Like I said, I don't know which other information it uses and transmits.

> I need not use Windows Update, since it's possible
> to download and deploy all updates locally. 

Good.

> The guest never has to know the internet exists. It is only permitted
> to connect through the socks proxy.
> All the updates and modifications can be performed prior to installing
> the Tor socks proxy on the host system.

Ok.

>     > Who checked if Java or Flash do not use your MAC address to
>     > correlate with your previous activities? Flash is a black box and
>     > Adobe is not known for putting much value into users' privacy. The
>     > VM can see the MAC address of your host. It's possible to prevent
>     > this. [4]
>     > My host system is not directly connected to the internet. The
>     > host system (computer) connects to a router. My ISP only "sees" the
>     > MAC address of my router.
> 
>     It's not about the ISP. There are applications which do read the MAC
>     address of your computer. Some copyright protection tools and anti
>     cheat tools do so.
> 
> And what if the MAC address is intentionally changed to that of my
> neighbor sharing the same ISP, or harvested from mobile devices in the
> area?
> I mean the MAC of my host system, not the MAC of my router.
> The MAC will never "collide" with another's real MAC, because it's
> never seen from the internet, only being readable from the registry.

I wouldn't use one from your area, but ok.

>     > Also forcing the whole system through a single Tor port opens up
>     > for identity correlation through circuit sharing. [5] Your
>     > operating system update mechanism inside the VM might go through
>     > the same Tor circuit including all the stuff flash already
>     > reveals.
>     > Even in Windows, it's possible to disable all update
>     > services. If the guest only participates in a hostonly network, it
>     > can't access external internet resources except through the socks
>     > proxy.
> 
>     So far so good. How do you install the updates then?
> 
> From a network installation of the updates downloaded directly from
> Microsoft's download centre. I may be wrong, but I think it's safe.

No answer, dunno.

> Of course, MS could watermark each downloaded KBxxxxxx file, but if
> several people collaborate on the project, a simple binary file
> compare would reveal any attempt to watermark the updates.
>     Like I wrote in TorifyHOWTO [1], a wrapper (torsocks etc.) is just a
>     redirector, not a jail. You can't simply use a wrapper to torify
>     Java / Flash. They are too complex.
> 
>     Inside a VM, well, the operating system does not know the real
>     external IP address. What one does not know, one cannot tell anyone.
> 
>     Interesting idea. Good luck with it. We created leak tests [2] for
>     aos, it can be useful for other projects as well. Some tools need
>     alternative windows applications or just skip those tests.
> 
>     Since you are not using a transparent proxy, but host-only +
>     wrapper, most things from the transparent proxy leaks page [3]
>     probably do not apply. Reading that page anyway can't hurt.
> 
>     I'd also ask coderman [4] for feedback on that setup.
> 
>     One more concern: you can only be anonymous within a big group of
>     people. The amount of users who use Windows + Flash or Windows +
>     Java anonymously must be pretty low, since there are few discussions
>     about it and the setup is quite complicated. Also due to the browser
>     fingerprinting stuff it's safe to assume you are only pseudonymous,
>     rather than anonymous.
> 
> I have experimented with browser fingerprinting and HTTP headers. I
> know there is more to fingerprinting than HTTP headers, but my threat
> model is really not an adversary capable of correlating all these
> bits.
> My scenario is modest, a forum or small social network with an admin
> able enough to read Apache logs, understand and geolocate an IP and
> maybe only maybe the logs generated by Java and Flash.
> I know that Java and Flash aren't really safe for real anonymity,
> hopefully Flash soon dies, but until then it's (unfortunately) still
> used by some admins.

For that threat model it sounds sufficient.
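Two technical points in the exchange above, the circuit-sharing risk of
funnelling a whole guest through one SOCKS port and the need to avoid guest-side
DNS lookups, can both be handled at the SOCKS layer. The following is an added
example written for this page; it is not code from the thread, from aos or from
Tor. It assumes the SOCKS port belongs to Tor with IsolateSOCKSAuth enabled (the
default), under which each distinct username/password pair is a stream isolation
key that gets its own circuit. The FakeTorSocks class, the identity names and
example.com are constructed so the demo runs offline over a socketpair.

```python
# SOCKS5 CONNECT with username/password auth (RFC 1928 / RFC 1929).  Added
# example, not code from the thread.  Assumes the SOCKS port is Tor's with
# IsolateSOCKSAuth on (its default): each distinct credential pair is an
# isolation key and gets its own circuit.
import socket
import struct
import threading

VER, USERPASS, CMD_CONNECT = 0x05, 0x02, 0x01   # version, auth method, command
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED = 0x00

def recv_exact(sock, n):
    """Read exactly n bytes; SOCKS messages have fixed framing."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_connect(sock, host, port, username, password="x"):
    """Client side of a SOCKS5 CONNECT.  The target goes out as a domain name
    (ATYP_DOMAIN) so Tor resolves it and the guest issues no DNS query; the
    credentials are not a secret, they are the stream isolation key."""
    sock.sendall(bytes([VER, 1, USERPASS]))
    ver, method = recv_exact(sock, 2)
    if ver != VER or method != USERPASS:
        raise ConnectionError("proxy refused username/password authentication")
    u, p = username.encode(), password.encode()
    if not (0 < len(u) <= 255 and 0 < len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    sock.sendall(bytes([0x01, len(u)]) + u + bytes([len(p)]) + p)
    if recv_exact(sock, 2)[1] != 0x00:
        raise ConnectionError("authentication rejected")
    h = host.encode("idna")
    if len(h) > 255:
        raise ValueError("hostname too long for SOCKS5")
    sock.sendall(bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h
                 + struct.pack("!H", port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if atyp == ATYP_DOMAIN:          # reply carries a bound address even on failure
        bound = recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    else:
        bound = recv_exact(sock, (4 if atyp == ATYP_IPV4 else 16) + 2)
    if ver != VER or rep != REP_SUCCEEDED:
        raise ConnectionError(f"CONNECT failed, REP={rep:#04x}")
    return bound

class FakeTorSocks:
    """Constructed stand-in for Tor's SOCKS port so the demo runs offline; it
    accepts any credentials and records the isolation key of each CONNECT."""
    def __init__(self):
        self.seen = []   # (username, password, host, port)

    def serve(self, sock):
        try:
            ver, nmethods = recv_exact(sock, 2)
            if ver != VER or USERPASS not in recv_exact(sock, nmethods):
                sock.sendall(bytes([VER, 0xFF]))    # no acceptable method
                return
            sock.sendall(bytes([VER, USERPASS]))
            user = recv_exact(sock, recv_exact(sock, 2)[1]).decode()
            pw = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
            sock.sendall(bytes([0x01, 0x00]))       # auth OK
            _ver, cmd, _rsv, atyp = recv_exact(sock, 4)
            if cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
                rep = 0x07 if cmd != CMD_CONNECT else 0x08   # unsupported cmd / atyp
                sock.sendall(bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(6))
                return
            host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
            port = struct.unpack("!H", recv_exact(sock, 2))[0]
            self.seen.append((user, pw, host, port))
            sock.sendall(bytes([VER, REP_SUCCEEDED, 0x00, ATYP_IPV4]) + bytes(6))
        finally:
            sock.close()   # EOF, not a hang, if the client is still waiting

def isolated_connect(proxy, identity, host, port):
    """CONNECT to host:port through proxy under `identity`; returns the
    username the proxy recorded for this stream."""
    client, server = socket.socketpair()
    client.settimeout(5)
    worker = threading.Thread(target=proxy.serve, args=(server,))
    worker.start()
    try:
        socks5_connect(client, host, port, username=identity)
    finally:
        client.close()
        worker.join()
    return proxy.seen[-1][0]

if __name__ == "__main__":
    tor = FakeTorSocks()
    for ident in ("forum-alice", "forum-alice", "shop-bob"):
        print(ident, "->", isolated_connect(tor, ident, "example.com", 443))
    print(len({s[0] for s in tor.seen}), "distinct isolation keys (circuits)")
```

Against a real Tor SOCKS port, `socks5_connect` would be run on a TCP socket to
the host-only address instead of a socketpair; everything the guest sends for
one pseudonym uses the same credentials, and anything for another pseudonym uses
different ones, so the two never share a circuit. The check that matters for the
DNS-leak concern is that the hostname leaves the guest only inside the CONNECT
request, never as a resolver query.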

