On 9/24/2011 4:16 AM, Fabian Keil wrote:
Thanks for detailed reply. It answered some questions, but I think for most users (perhaps technical, but not *extremely* advanced), it raises just as many more. I'm glad I don't live in Pakistan. 1) Most apps I've looked at w/ ability to select connection mode don't specify SOCKS 4 / 4a, or 5 / "5 w/ hostnames." MAYBE info could be found from developer or forums. Like you said,Joe Btfsplk<joebtfsplk@xxxxxxx> wrote:was playing w/ latest TBB& seeing how other apps (like email - Tbird, or other apps) behaved, just to experiment. 1) Question about changes in proxy settings of late(er) TBB (Aurora - FF 6) use. Notice that ONLY things filled in on network> settings page is: - Manual Proxy Config is checked, - under SOCKS host, 127.0.0.1 is used, and PORT 9050 used. - SOCKS 5 is checked. Obviously, changes from past Tor. I saw msgs in TBB / Vidalia log (which unfortunately, I didn't figure out how to save - it's gone onceI never used TBB, but the "Vidalia log" in vanilla Vidalia is basically a Tor log, so if you configure Tor to additionally log to a file, the log messages should survive the Vidalia shutdown.TBB shuts down), to effect of (pardon my poor memory): "An (or some) applic. is trying to do.... on SOCKS 5... which ~ may compromise anonymity... "Consider using SOCKS 4 instead, ... or use Polipo (Privoxy?)"You are probably referring to: Sep 21 22:43:31.377 [warn] {APP} Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS. The important part is "giving Tor only an IP address", you can get the same message for SOCKS4. The URL should probably be fixed, but I'm not sure if the original content still exists somewhere.Question isn't about ONE app, but in general. If trying to torrify other apps, how do you know (now) WHICH settings to use in connection settings for that app(s)? HTTP, SSL, SOCKS 4 / 5? Or some combo of one or more of these settings & which Proxy or Port for each?Simplifying things a bit, SOCKS 4 and 5 both have two "flavours", one where the client itself resolves the addresses (potentially "leaking" DNS requests) and one where it doesn't have to (but still could). Tor users usually want to use the ones where the client doesn't have to resolve addresses and naturally they want to use clients that don't resolve anything anyway. In case of SOCKS4 that flavour is called SOCKS4A, in case of SOCKS5 it's often called "SOCKS5 with hostnames", but many applications only support one SOCKS5 flavour and you may have to check the documentation to figure out which one it is. For example Privoxy only supports the "SOCKS5 with hostnames" flavour but simply refers to it as SOCKS5 in the configuration files. The documentation should make it clear, though: http://www.privoxy.org/user-manual/config.html#SOCKS The same is true for Polipo: http://www.pps.jussieu.fr/~jch/software/polipo/polipo.html#SOCKS-parent-proxies curl supports both, and the switches are --socks5 and --socks5-hostname, so in this case most Tor users would want the latter. If an application has properly working SOCKS support there usually isn't any need to additionally configure a HTTP proxy unless the proxy itself does something you consider useful. If a client supports both SOCKS4A and "SOCK5 with hostnames" it's usually preferable to use the latter as it supports more detailed error codes. It's up to the client to do something useful with them, though.By that, mean by CURRENT ways that Tor / TBB work, not outdated help / FAQ articles (sorry). Some help files& articles are out of date& no longer apply for some settings. Could be wrong, but don't think instructions on https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail have changed in * long * time.There seems to be some history available: https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail?action=historyHave to say, Tbird instructions on above link could be a * LOT * clearer. I'm a technical person (not a coder)& have a hard time following it all. Definitely not written for avg users:I agree. It's also not clear if they are sufficient. It's my impression that they may not cover everything, but as I don't use Thunderbird I could be wrong.
"For example Privoxy only supports the "SOCKS5 with hostnames" flavour but simply refers to it as SOCKS5" Even Tbird 6 doesn't specify anything except simply SOCKS 4 / 5.2) If using Tor / Vidalia / Polipo bundle, & it's enabled, AND applications are config'd to use the port that Polipo uses, aren't the applications using the correct SOCKS type & port #, to prevent DNS leaks, or do many apps just ignore the Polipo settings?
I suppose ? if apps don't support SOCKS 4a / 5 w/ hostnames, they'll just do what ever they're able & doesn't really matter if using Polipo & app is config'd to use same proxy / port?
Info on this general issue is scattered out like debris field of a crashing space shuttle. It appears that "torrifying non browser apps" isn't a big concern for Tor developers, because instructions to do so & how (or even if) can be verified are far beyond avg users' ability. Not a criticism - just observation. The FAQ quoted below illustrates the point - not enough details for most users & incomplete. * Most Tor users are probably somewhat above avg, anyway, but do we really think the instructions below are sufficient for avg Tor users? *
From the FAQ: "I keep seeing these warnings about SOCKS and DNS and information leaks. Should I worry?"* [IMHO, these instructions fall into the category, "A little knowledge is a dangerous thing." Besides, no where near complete enough for avg - sl. above avg users to torrify apps safely]
"Where SOCKS comes in.* Your application uses the SOCKS protocol to connect to your local Tor client. There are 3 versions of SOCKS you are likely to run into: SOCKS 4 (which only uses IP addresses), SOCKS 5 (which usually uses IP addresses in practice), and SOCKS 4a (which uses hostnames).
When your application uses SOCKS 4 or SOCKS 5 to give Tor an IP address, Tor guesses that it 'probably' got the IP address non-anonymously from a DNS server. That's why it gives you a warning message: you probably aren't as anonymous as you think.
*So what can I do?* We describe a few solutions below. * If your application speaks SOCKS 4a, use it. [caveat: most apps don't say 4 / 4a, etc.] * For HTTP (web browsing), either configure your browser to perform remote DNS lookups (see the Torify HOWTO <https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> how to do this for some versions of Firefox) ** or use a socks4a-capable HTTP proxy, such as Polipo.** [again, from your comment & what I gather, using this may mean nothing] See the Tor documentation for more information. For instant messaging or IRC, use Gaim or XChat. For other programs, consider using freecap (on Win32) or dsocks (on BSD). * If you only need one or two hosts, or you are good at programming, you may be able to get a socks-based port-forwarder like socatg to work for you; see the Torify HOWTO <https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> for examples. * Tor ships with a program called tor-resolveg that can use the Tor network to look up hostnames remotely; if you resolve hostnames to IPs with tor-resolve, then pass the IPs to your applications, you'll be fine. (Tor will still give the warning, but now you know what it means.) [and instructions for config'g apps to use tor-resolve are where?] * You can use TorDNS as a local DNS server to rectify the DNS leakage. See the Torify HOWTO <https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> for info on how to run particular applications anonymously.If you think that you applied one of the solutions properly but still experience DNS leaks please verify there is no third-party application using DNS independently of Tor. Please see the FAQ entry on whether you're really absolutely anonymous using Tor <https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#SoImtotallyanonymousifIuseTor> for some examples.
How do I check if my application
<https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#SocksandDNS>
that uses SOCKS is leaking DNS requests?
These are two steps you need to take here. The first is to make sure
that it's using the correct variant of the SOCKS protocol, and the
second is to make sure that there aren't other leaks.
Step one: add "TestgSocks 1" to your torrc <https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#torrc> file, and then watch your logs as you use your application. Tor will then log, for each SOCKS connection, whether it was using a 'good' variant or a 'bad' one. (If you want to automatically disable all 'bad' variants, set "SafeSocks 1" in your torrc file.)
Step two: even if your application is using the correct variant of the SOCKS protocol, there is still a risk that it could be leaking DNS queries. This problem happens most commonly in Firefox extensions that resolve the destination hostname themselves?, for example to show you its IP address, what country it's in, etc. These applications may use a safe SOCKS variant when actually making connections, but they still do DNS resolves locally. If you suspect your application might behave like this, you should use a network sniffer like Wireshark and look for suspicious outbound DNS requests. I'm afraid the details of how to look for these problems are beyond the scope of a FAQ entry though * [& those details are where?] * -- * find a friend to help * if you have problems [LOL]."
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk