[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Set up a webproxy to TOR - tor-proxy.net



Neat site.

Not to rain on the parade, but I'm concerned about side-channel attacks with this site.
Let me clarify a bit.

It's nice knowing that this site is using HTTPS.  Good.
But when a URL is visited that requires a third party application to watch it (specifically multimedia content) such as Windows Media or Real Player, then the users anonymity could be compromised.

I entered the following URL as an example:
http://ra.yle.fi/ramgen/aktualiteter/spotlight/spotlightdebatt_2005_06_07.rm?rpurl=http://www.ipnow.org/images/iprand.jpg&start=00:00:00&end=00:00:01

(The result in this example shows your true IP address in RealPlayer. I have no idea what this video is about, I just used google to find one for this example.)
This uses the web browser in RealPlayer (which is just IE hooked in with a skin around it) and doesn't use the proxy settings from Firefox.
There are a few different applications which make their own connection to the Internet without using a proxy.

So my question is, could you give users the option to only visit safe content (.html .htm .jpg .gif .css)?
Could you put up a warning page when they do visit link to a non-html related page to inform the user that this *might* be dangerous to their anonymity?

I think this would be a step in the right direction in terms of security of the users anonymity.  Lots of users who want anonymity do not fully understand how all the applications on their system work, which could result in a user following a link to a bad file that could compromise their real IP address through an application that isn't there browser.

Don't forget about evil Tor exits too, someone could inject traffic into what would normally be a safe page. ;)

best regards.