[tor-talk] Tor Browser without Tor

Roger Dingledine arma at torproject.org
Mon Feb 3 10:38:10 UTC 2020


On Sun, Feb 02, 2020 at 01:16:24PM +0100, Jason Evans wrote:
> A similar question that was asked recently is, "how can I connect to local
> IPs with the Tor Browser?". For example, my home SAN is on 192.168.1.X and
> it's not reachable with the Tor Browser.
>[...]
> Firefox still has a "No proxy for"
> section on its proxy page. However Tor Browser no longer has that section. Do
> you know of any way to use that functionality or is that just gone now?

You should really avoid making exceptions to the proxy rules for Tor
Browser. If you let your browser connect to local services, that opens
the door for remote websites, which you access over Tor, to give you
instructions (e.g. via JavaScript, but not only via JavaScript) to make
local connections and then send that info back to the website.

In the most benign case, you're setting yourself up with a tracking marker
("there's that weird person who allowed connections to 192.168.1.1
again"). In worse cases, you're opening yourself up to permissions
surprises and attacks that start with the word "cross-site" or
"cross-protocol".

For an early example of a similar bug that bit Tor users, see
https://lists.torproject.org/pipermail/tor-announce/2007-September/000078.html

All of that said, if you still want to shoot your feet off: in
about:config, there's a network.proxy.no_proxies_on option that you
can set.

For even more details, new in ESR68, there is now a
network.proxy.allow_hijacking_localhost option, which we needed to fix
for Tor Browser:
https://bugs.torproject.org/31065

Good luck!
--Roger
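
A defensive check for the two preferences named in the message above, added here as an example and not part of the original e-mail or of Tor Browser: it parses a profile's prefs.js and reports settings that let the browser connect around the proxy. The file contents are constructed sample data, and treating an empty no_proxies_on and allow_hijacking_localhost set to true as the expected state is an assumption.

```python
import re

# One line of a Firefox-style prefs.js / user.js file: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def audit_proxy_prefs(prefs):
    """Return (pref, reason) pairs for overrides that bypass the proxy.
    A pref missing from prefs.js is at its built-in default and is not flagged."""
    findings = []
    hosts = str(prefs.get("network.proxy.no_proxies_on", "")).split(",")
    hosts = [h.strip() for h in hosts if h.strip()]
    if hosts:
        findings.append(("network.proxy.no_proxies_on",
                         "direct connections allowed to: " + ", ".join(hosts)))
    # Assumption: false means loopback traffic is sent directly, not via the proxy.
    if prefs.get("network.proxy.allow_hijacking_localhost") is False:
        findings.append(("network.proxy.allow_hijacking_localhost",
                         "localhost connections are not sent through the proxy"))
    return findings

# Constructed sample prefs.js content, not taken from a real profile.
SAMPLE = '''\
// Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.no_proxies_on", "192.168.1.1, 192.168.1.20");
user_pref("network.proxy.allow_hijacking_localhost", false);
'''

if __name__ == "__main__":
    for pref, reason in audit_proxy_prefs(parse_prefs(SAMPLE)):
        print(f"{pref}: {reason}")
```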


