[tor-talk] Firefox security bug (proxy-bypass) in current TBBs

unknown unknown at pgpru.com
Thu May 3 17:26:05 UTC 2012


On Wed, 2 May 2012 22:43:52 +0000
Robert Ransom <rransom.8774 at gmail.com> wrote:

> See https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
> for the security advisory.
> 
> 
> Robert Ransom
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Any potential DNS leakage can be prevented with iptables (the Debian GNU/Linux way):

Edit /etc/login.defs and replace "ENCRYPT_METHOD DES" with "ENCRYPT_METHOD SHA-512".

Run this command to create the tbb group with a password:

addgroup --system tbb-tor

Add these rules to your firewall:

########
#tor anonymous users;

IPTABLES="/sbin/iptables" #path to the iptables binary

DIRECT_OUT_GID="tbb-tor" #group id for TBB

TOR_UID="debian-tor" #system tor (if you use it)

#anonymous user runs programs with transparent torification to system tor
#(if you use it): TCP connections go to TransPort 9040, DNS to DNSPort 53,
#and anything else is pointed at localhost so it never leaves the host

$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -m tcp --syn -j REDIRECT --to-ports 9040
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -m udp --dport 53 -j REDIRECT --to-ports 53
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -j DNAT --to-destination 127.0.0.1

#Accept output for system-tor itself (if you use it)
$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

#Direct output for TBB without udp and tcp 53 port:
#everything that is not TCP is rejected, TCP to port 53 is rejected,
#the remaining TCP is allowed out directly (TBB's own tor needs it)
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID ! -p tcp -j REJECT
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -p tcp --dport 53 -j REJECT
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -j ACCEPT
########

Run your Tor Browser with sg from an X terminal emulator:

sg tbb-tor -c start-tor-browser.sh

Unfortunately, this is not an ideal solution for transparent torification of TBB. All (but UDP and DNS-over-TCP) TCP traffic goes out. Using Unix groups is not a way to separate the start script, Vidalia, the browser and TBB's own tor from each other. A more fine-tuned firewall solution is still desirable.
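The group-based rules from the message, as an added example that is not part of the original post: a POSIX shell script that installs the same rules into dedicated chains so it can be re-run without duplicating rules, offers a dry run that only prints the commands, and (going beyond the post) logs and rejects whatever of the anonymous user's traffic would still leave the host other than via loopback. It assumes the names used in the post (anonymoususer, tbb-tor, debian-tor), a Tor TransPort on 9040 and DNSPort on 53 on localhost, iptables at /sbin/iptables, and the chain names TBB_NAT and TBB_OUT, which are the example's own.

```shell
#!/bin/sh
# Added example, not the original poster's script. Defaults mirror the post;
# every name below can be overridden from the environment.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumption: iptables binary path
ANON_USER="${ANON_USER:-anonymoususer}"  # user that runs TBB (from the post)
DIRECT_OUT_GID="${DIRECT_OUT_GID:-tbb-tor}"  # group allowed to reach the net directly
TOR_UID="${TOR_UID:-debian-tor}"         # system tor daemon (from the post)
TRANS_PORT="${TRANS_PORT:-9040}"         # assumption: system tor TransPort
DNS_PORT="${DNS_PORT:-53}"               # assumption: system tor DNSPort
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the commands, do not run them

# Every rule goes through run(): either executed, or printed in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Create the chain (or flush it if it already exists) and make sure the
# built-in chain jumps to it exactly once, so re-running is idempotent.
ensure_chain() {
    table="$1"; chain="$2"; hook="$3"
    if [ "$DRY_RUN" = 1 ]; then
        run -t "$table" -N "$chain"
        run -t "$table" -I "$hook" 1 -j "$chain"
        return 0
    fi
    run -t "$table" -N "$chain" 2>/dev/null || run -t "$table" -F "$chain"
    run -t "$table" -C "$hook" -j "$chain" 2>/dev/null \
        || run -t "$table" -I "$hook" 1 -j "$chain"
}

apply_rules() {
    ensure_chain nat TBB_NAT OUTPUT
    ensure_chain filter TBB_OUT OUTPUT

    # nat: the anonymous user's non-TBB programs are transparently torified
    # (TCP to TransPort, DNS to DNSPort, everything else pinned to localhost).
    run -t nat -A TBB_NAT -p tcp -m owner --uid-owner "$ANON_USER" \
        ! --gid-owner "$DIRECT_OUT_GID" -m tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    run -t nat -A TBB_NAT -p udp -m owner --uid-owner "$ANON_USER" \
        ! --gid-owner "$DIRECT_OUT_GID" -m udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    run -t nat -A TBB_NAT -m owner --uid-owner "$ANON_USER" \
        ! --gid-owner "$DIRECT_OUT_GID" -j DNAT --to-destination 127.0.0.1

    # filter: the system tor daemon may talk to the network.
    run -A TBB_OUT -m owner --uid-owner "$TOR_UID" -j ACCEPT

    # filter: the TBB group gets TCP only and never port 53, which is what
    # closes the DNS leak from the proxy-bypass bug; other TCP goes out directly.
    run -A TBB_OUT -m owner --gid-owner "$DIRECT_OUT_GID" ! -p tcp -j REJECT
    run -A TBB_OUT -m owner --gid-owner "$DIRECT_OUT_GID" -p tcp --dport 53 -j REJECT
    run -A TBB_OUT -m owner --gid-owner "$DIRECT_OUT_GID" -j ACCEPT

    # Beyond the post: after the nat rules above, the anonymous user's remaining
    # traffic should only ever go to loopback. Anything else is a leak attempt:
    # log it so it can be investigated, then reject it.
    run -A TBB_OUT -m owner --uid-owner "$ANON_USER" -o lo -j ACCEPT
    run -A TBB_OUT -m owner --uid-owner "$ANON_USER" -j LOG --log-prefix "tbb-leak: "
    run -A TBB_OUT -m owner --uid-owner "$ANON_USER" -j REJECT
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1; apply_rules ;;
esac
```

Preview with `sh tbb-firewall.sh dry-run`, install as root with `sh tbb-firewall.sh apply`, and check the result with `iptables -S TBB_OUT` and `iptables -t nat -S TBB_NAT`. Putting the rules in their own chains keeps them separate from whatever else the host's firewall does and means a second run replaces rather than duplicates them; the LOG rule makes any attempted bypass show up in the kernel log instead of silently succeeding.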

