
Re: privoxy (was Re: ipv6)



On Mon, 9 Aug 2004 15:57:41 +0200, Eugen Leitl <eugen@leitl.org> wrote:
> On Mon, Aug 09, 2004 at 09:19:35AM -0400, Patrick McFarland wrote:
> > On Mon, 9 Aug 2004 14:47:00 +0200, Eugen Leitl <eugen@leitl.org> wrote:
> > > Speaking of privoxy, is running an open one (0.0.0.0) a security/abuse issue?
> > > I.e., can it get my IP blacklisted?
> >
> > It's a security issue. Though, I've assumed you turned off remote
> > access features, and it's pointed at tor, so I'm not sure how big of a
> 
> Thanks for pointing out that remote access can be turned off. Switched off now.
> Privoxy is pointed at tor indeed.

Remember that there's two remote options: enable-remote-toggle and
enable-edit-actions. Also, IIRC, you can change what it points to
through the web interface, so I'd double check to see if it's still
pointed at tor.
 
> Is there a way to authenticate privoxy access? (I don't have IPsec up yet).
> Another question: is it possible to wrap sessions to privoxy in SSL? Is
> Stunnel the way to go?

http proxies work by having the browser go "GET
http://someremoteurl.com/" like browsers usually do with web servers.
The http proxy then does the request on behalf of the browser, and the
web server returns data to the proxy, then the proxy returns the data
to the browser.

The way this works, the http proxy is almost transparent, and you
can't add anything the browser wouldn't already be doing.  Stunnel
doesn't look useful for this either.

> > security issue it is. Its something I wouldn't do.
> 
> Do you have a specific threat model in mind, or is this the classical
> "minimize the number of unnecessary services" rule?

The minimize the number of services rule. I was trying to think of an
exact problem (like an open proxy can be used as a DDoS zombie box),
but since it only outputs into tor, tor itself is capable of doing
stuff like this on its own.

The only thing you now have a problem with is a DoS attack against
your own box: if someone floods your box with connections to the
proxy, it will chew CPU and memory like mad. (I'm assuming a tor flood
wouldn't be as bad.)



-- 
Patrick "Diablo-D3" McFarland || diablod3@gmail.com
"Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd 
all be running around in darkened rooms, munching magic pills and listening to
repetitive electronic music." -- Kristian Wilson, Nintendo, Inc, 1989
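A small audit of the three points raised in this thread (the bind address, the two remote options, and whether the proxy is still pointed at tor), added here as an example and not code from the thread or from the Privoxy project. The directive names are real Privoxy config keys; the two sample config texts are constructed, and the Tor SOCKS address 127.0.0.1:9050 is an assumption.

```python
# Constructed sample configs, not anyone's real config file.
RISKY_CONFIG = """\
listen-address 0.0.0.0:8118        # reachable from every interface
enable-remote-toggle 1
enable-edit-actions 1
forward-socks4a / 127.0.0.1:9050 .
"""

HARDENED_CONFIG = """\
listen-address 127.0.0.1:8118      # loopback only
enable-remote-toggle 0
enable-edit-actions 0
forward-socks4a / 127.0.0.1:9050 .
"""

TOR_SOCKS = "127.0.0.1:9050"  # assumed local Tor SOCKS listener


def parse_directives(text):
    """Return (name, value) pairs; '#' comments and blank lines are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out


def audit(text):
    """List the risky settings discussed in the thread; empty list means clean."""
    findings = []
    forward_seen = False
    for name, value in parse_directives(text):
        if name == "listen-address":
            host = value.rsplit(":", 1)[0]  # "host:port"; empty host = all interfaces
            if host in ("", "0.0.0.0", "::", "[::]"):
                findings.append(f"listen-address {value}: proxy open to all interfaces")
        elif name in ("enable-remote-toggle", "enable-edit-actions") and value == "1":
            findings.append(f"{name} is on: settings changeable via the web interface")
        elif name.startswith("forward-socks"):
            forward_seen = True
            fields = value.split()
            if len(fields) < 2 or fields[1] != TOR_SOCKS:
                findings.append(f"{name} {value}: not forwarding to tor at {TOR_SOCKS}")
    if not forward_seen:
        findings.append("no forward-socks directive: requests leave directly, not via tor")
    return findings
```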