Re: [tor-bugs] #5741 [Tor bundles/installation]: TBB proxy bypass: Some DNS requests not going through Tor
#5741: TBB proxy bypass: Some DNS requests not going through Tor
-----------------------------------------+----------------------------------
Reporter: cypherpunks | Owner: erinn
Type: defect | Status: closed
Priority: blocker | Milestone:
Component: Tor bundles/installation | Version:
Resolution: fixed | Keywords: MikePerry201205
Parent: | Points: 3
Actualpoints: 3 |
-----------------------------------------+----------------------------------
Comment(by unknown):
This is not the first time some rarely triggered bug in Firefox causes Tor
to be bypassed, and certainly will not be the last one. Since these bugs
have a very high security impact I propose they are guarded against. How
about running Firefox inside some kind of firewall that drops all network
packets not going to Tor?
You can prevent any potential DNS-leakage with iptables (Debian GNU/Linux
way):
Edit /etc/login.defs and replace "ENCRYPT_METHOD DES" with "ENCRYPT_METHOD
SHA-512".
Run this command to create the tbb group with a password:
{{{addgroup --system tbb-tor}}}
Add these rules to your firewall:
{{{
# Path to the iptables binary used below (added so the script runs as-is)
IPTABLES="${IPTABLES:-iptables}"
# tor anonymous users
DIRECT_OUT_GID="tbb-tor"   # group id for TBB
TOR_UID="debian-tor"       # system tor (if you use it)
# anonymous user runs programs with transparent torification to system tor
# (if you use it): TCP SYNs go to the TransPort, DNS to the DNSPort
$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -m tcp --syn -j REDIRECT --to-ports 9040
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -m udp --dport 53 -j REDIRECT --to-ports 53
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner anonymoususer ! --gid-owner $DIRECT_OUT_GID -j DNAT --to-destination 127.0.0.1
# Accept output for system tor itself (if you use it)
$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
# Direct output for TBB, except UDP and TCP port 53 (order matters: the
# REJECT rules must precede the final ACCEPT)
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID ! -p tcp -j REJECT
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -p tcp --dport 53 -j REJECT
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -j ACCEPT
}}}
Run your tor-browser with sg from x-terminal emulator:
{{{sg tbb-tor -c start-tor-browser.sh}}}
Unfortunately, this is not an ideal solution for transparent torification of
TBB. All TCP traffic (except UDP and DNS over TCP) goes away. Using Unix groups
is not a way to separate the start script, Vidalia, the browser and TBB's own
tor. A ticket with a more fine-tuned firewall solution is still desirable.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5741#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
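The group-based egress policy from comment:18, as an added example that is not part of the ticket or of Tor Browser itself: the rule set is generated by a function so it can be reviewed in a dry run before being loaded, and a second function checks the ordering invariant the policy depends on (every rule for the TBB group that precedes the single ACCEPT is a REJECT, and no rule for that group accepts port 53). The default of `IPTABLES="echo iptables"`, the `ANON_USER` variable and the `check_rules` helper are this example's own assumptions; the group name, the tor user, and ports 9040 and 53 are taken from the rules posted above.

```shell
#!/bin/sh
# Added example (not from the ticket): emit and sanity-check the owner-match
# egress policy. Set IPTABLES=iptables and run as root to actually apply it.

DIRECT_OUT_GID="${DIRECT_OUT_GID:-tbb-tor}"        # group TBB is started under (from the ticket)
TOR_UID="${TOR_UID:-debian-tor}"                    # system tor user (from the ticket)
ANON_USER="${ANON_USER:-anonymoususer}"             # transparently torified user (from the ticket)
IPTABLES="${IPTABLES:-echo iptables}"               # constructed default: dry run, prints rules

tbb_rules() {
  # nat table: the anonymous user's traffic is redirected into tor unless the
  # process runs in the TBB group (TBB carries its own tor and must reach the net directly)
  $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner "$ANON_USER" ! --gid-owner "$DIRECT_OUT_GID" -m tcp --syn -j REDIRECT --to-ports 9040
  $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner "$ANON_USER" ! --gid-owner "$DIRECT_OUT_GID" -m udp --dport 53 -j REDIRECT --to-ports 53
  $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$ANON_USER" ! --gid-owner "$DIRECT_OUT_GID" -j DNAT --to-destination 127.0.0.1
  # filter table: system tor may talk to the network
  $IPTABLES -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
  # filter table, TBB group: drop everything that is not TCP (covers UDP DNS),
  # drop DNS over TCP, then allow the remaining TCP. Order is what makes this work.
  $IPTABLES -A OUTPUT -m owner --gid-owner "$DIRECT_OUT_GID" ! -p tcp -j REJECT
  $IPTABLES -A OUTPUT -m owner --gid-owner "$DIRECT_OUT_GID" -p tcp --dport 53 -j REJECT
  $IPTABLES -A OUTPUT -m owner --gid-owner "$DIRECT_OUT_GID" -j ACCEPT
}

# Review check over the dry-run output: returns 0 when the filter rules for the
# TBB group are REJECT..REJECT ACCEPT and nothing for that group allows port 53.
check_rules() {
  rules=$(tbb_rules)
  # keep only filter-table rules that match the TBB group
  filter=$(printf '%s\n' "$rules" | grep -v -- '-t nat' | grep -- "--gid-owner $DIRECT_OUT_GID" || true)
  [ -n "$filter" ] || return 1
  # the last rule for the group must be the ACCEPT
  last=$(printf '%s\n' "$filter" | tail -n 1)
  case "$last" in
    *"-j ACCEPT") ;;
    *) return 1 ;;
  esac
  # every earlier rule for the group must be a REJECT
  non_reject=$(printf '%s\n' "$filter" | sed '$d' | grep -vc -- '-j REJECT' || true)
  [ "$non_reject" -eq 0 ] || return 1
  # any rule naming port 53 for the group must reject it
  if printf '%s\n' "$filter" | grep -- '--dport 53' | grep -qv -- '-j REJECT'; then
    return 1
  fi
  return 0
}

# Dry run when executed directly: print the policy and report the check result.
tbb_rules
if check_rules; then echo "policy check: ok"; else echo "policy check: FAILED"; fi
```

The check is deliberately narrow: it confirms the posted rule order, not that the policy is complete. As the comment itself notes, everything TCP other than port 53 is still accepted for the group, so this blocks the DNS leak class of bug but does not confine the browser to its tor instance.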
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs