[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] wget - secure?

On 2012-04-18, Joseph Lorenzo Hall <joehall@xxxxxxxxx> wrote:

> The underlying point is that it would be neat if
> you've done a comprehensive analysis of a specific version of Tor,
> etc., etc.

No, the underlying point is that I have personally seen wget send my
computer's IP address over Tor in an FTP PORT command.  wget is not
â100% safeâ.

The code to send a PORT command is still present in wget 1.13.4.  wget
1.13.4 is not â100% safeâ; anyone who wants to recommend it needs to
specify a particular configuration of wget which is safe.  (Don't
count on a âdefault configurationâ; Linux distributors might have
messed with it, or failed to update it to the version shipped in
recent wget source distributions.)

And that's not even the potential information leak that folks who are
familiar with âanonymous FTPâ would check for first.

Robert Ransom
tor-talk mailing list