[Message reformatted; top-posting hurts my brain]

On Mon, Aug 09, 2004 at 08:22:12AM -0400, Patrick McFarland wrote:
> On Mon, 9 Aug 2004 04:34:27 -0400, Nick Mathewson <nickm@freehaven.net> wrote:
[...]
> > I believe that this only happens when you are using Tor as a socks
> > proxy from Mozilla directly. But you shouldn't do that; you lose
> > anonymity when your own host connects to the DNS server! You should
> > use privoxy as a HTTP proxy instead; see doc/CLIENTS in the Tor
> > distribution for more information about why and how.
>
> Privoxy doesn't support ipv6, however.

For the use case we're talking about, privoxy doesn't *need* IPv6.

Here's what's going on. (At least, here's what I *think* is going on; I don't have a copy of Opera to test against.)

The original poster is (it seems) using Tor as a SOCKS 5 proxy from his browser. When he goes to a dual IPv4/v6 site, these steps occur:

1. The web browser does a DNS lookup for the site's hostname. (As soon as this happens, the user's anonymity is lost: the DNS request has gone over the network in the clear, and any eavesdropper can tell that the user is interested in connecting to the target host.)

2. The web browser gets some A records (IPv4) and some AAAA records (IPv6) back.

3. The web browser decides that it likes v6 better than v4, and tells Tor, via SOCKS, "please connect to this IPv6 address." Tor doesn't do IPv6, and gives up.

Even though privoxy doesn't support IPv6, it will still work fine in this case. When Privoxy is set up as your HTTP proxy, and is set to forward requests to Tor via socks4a, here's what happens:

1. The web browser sends an HTTP request to privoxy. This request includes the hostname of the target webserver, so no DNS resolution has taken place.

2. Privoxy sends a SOCKS 4A request to Tor. Again, this request includes the hostname of the target webserver, so no DNS resolution has taken place.

3. Your local Tor process transmits the request, along an encrypted multi-server circuit, to a different Tor server, which resolves the hostname for you, and connects to any IPv4 address it finds (since Tor doesn't support IPv6 now).

So in this case, you get two good things and a workaround:

Good thing 1: You aren't blowing your anonymity by doing the DNS resolve yourself.

Good thing 2: Privoxy cleans identifying information from your HTTP request, which Tor does not do itself.

Workaround: Because the DNS resolve is happening from within a remote Tor process that ignores IPv6 addresses, it won't get confused by having both AAAA records and A records for a single server.

I hope this explained why using an HTTP proxy is important _independently_ from IPv6/v4 issues; and why it is a good workaround for those too.

yrs,
--
Nick Mathewson
(PGP key will change on 15Aug2004; see http://wangafu.net/key.txt)
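Added illustration of the two request formats the message contrasts (not part of the original post, nor code from Tor or Privoxy): a SOCKS4a CONNECT carries the hostname and leaves resolution to the proxy, while a SOCKS5 CONNECT with an IPv4/IPv6 address shows the browser already did the DNS lookup itself. The builders, the `classify` helper and the sample hostnames and addresses are constructed for this example.

```python
import socket
import struct

def socks4a_connect(hostname: str, port: int, userid: str = "") -> bytes:
    """SOCKS4a CONNECT: DSTIP is the marker 0.0.0.1 and the real target is the
    hostname after the NUL-terminated user id, so the proxy resolves the name."""
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid.encode("ascii") + b"\x00" + hostname.encode("ascii") + b"\x00")

def socks5_connect(address: str, port: int) -> bytes:
    """SOCKS5 CONNECT. ATYP 1 (IPv4) or 4 (IPv6) means the browser already did
    the DNS lookup itself; ATYP 3 (domain name) leaves resolution to the proxy."""
    for family, atyp in ((socket.AF_INET, 1), (socket.AF_INET6, 4)):
        try:
            packed = socket.inet_pton(family, address)
        except OSError:
            continue  # not a literal address of this family; try the next form
        return bytes([5, 1, 0, atyp]) + packed + struct.pack("!H", port)
    name = address.encode("ascii")
    return bytes([5, 1, 0, 3, len(name)]) + name + struct.pack("!H", port)

def classify(request: bytes) -> dict:
    """Inspect a SOCKS CONNECT request: did the client hand over a hostname, or an
    address it must have resolved on its own (the DNS leak the message warns about)?"""
    if request[0] == 4:
        port, = struct.unpack("!H", request[2:4])
        ip = request[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            host = request[8:].split(b"\x00")[1]  # field after the user id
            return {"version": "4a", "target": host.decode("ascii"), "port": port,
                    "client_resolved_dns": False, "ipv6": False}
        return {"version": "4", "target": socket.inet_ntoa(ip), "port": port,
                "client_resolved_dns": True, "ipv6": False}
    if request[0] == 5:
        atyp = request[3]
        if atyp == 1:
            addr, end = socket.inet_ntop(socket.AF_INET, request[4:8]), 8
        elif atyp == 4:
            addr, end = socket.inet_ntop(socket.AF_INET6, request[4:20]), 20
        elif atyp == 3:
            n = request[4]
            addr, end = request[5:5 + n].decode("ascii"), 5 + n
        else:
            raise ValueError("unknown SOCKS5 address type %d" % atyp)
        port, = struct.unpack("!H", request[end:end + 2])
        return {"version": "5", "target": addr, "port": port,
                "client_resolved_dns": atyp != 3, "ipv6": atyp == 4}
    raise ValueError("not a SOCKS4/4a/5 request")
```

A request classified with `client_resolved_dns` true is exactly the step-1 leak from the first walkthrough; one with `ipv6` true is the step-3 request Tor gives up on.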