[tor-talk] Firefox security bug (proxy-bypass) in current TBBs
unknown
unknown at pgpru.com
Fri May 4 18:50:30 UTC 2012
On Fri, 4 May 2012 07:27:35 +0200
"Fabio Pietrosanti (naif)" <lists at infosecurity.ch> wrote:
> > Any potential DNS-leakage can be prevented with iptables (Debian GNU/Linux way):
>
> Well, this can also be prevented if the "starter" of TBB would be a
> binary/executable rather than a shell script, and that binary executable
> would provide "LD_PRELOAD" tsocks like approach wrapping the connect().
>
> That way the entire TBB will run over the TBB_STARTER that will provide
> an "application-level" firewall that would prevent any kind of socket
> API to get-out directly.
>
> -naif
> _______________________________________________
An "application-level" firewall is an illusion of security. Procesess can be separated by owners
with users and groups but programs itself cannot be authenticated to iptables.
That's a reason to exclude an "application-level" firewall options --owner --cmd-owner <program-name>
from the kernel iptables modules.
Stronger way to manage network connections associated to programs is SELinux security contexts or
similar security modules. Even a path based ACLs and MACs such as AppArmor can be avoided and failed
and only strong security context isolation in SELinux is a right decision.
Or just simple use system groups with iptables: not so secure, not so strong.
More information about the tor-talk
mailing list