
Re: [tor-talk] wget - secure?



> On 04/22/2012 01:25 AM, torsiris@xxxxxxxxxxx wrote:
>>
>> Hi,
>>
>> Is there anything to worry about if using curl with the below
>> configuration?
>> (I don't want to use a virtual machine)
>>
>> Only debian-tor can go online:
>> iptables -F OUTPUT
>> iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
>> iptables -A OUTPUT -j ACCEPT -o lo
>> iptables -A OUTPUT -j ACCEPT -p udp --dport 123
>> iptables -P OUTPUT DROP
>
> Just to make sure, add explicit blocking of DNS at the beginning (might
> add -m owner --uid-owner debian-tor if you want):
>
> iptables -I OUTPUT -p udp --dport 53 -j REJECT
> iptables -I OUTPUT -p tcp --dport 53 -j REJECT

iptables -P OUTPUT DROP will drop anything not allowed in the above rules.
I don't see the need to add more rules for DNS. They get dropped anyway.

>
> REJECT is IMHO better than DROP for outgoing connections, since you won't
> have to wait for the application to detect a timeout.

That's a good point for outgoing traffic. :-)

>
>>
>> curl is used like this:
>>
>> curl --socks5-hostname 127.0.0.1:9050 -A "TBB's user agent" -C - -O
>> http://download.testfile
>
> Use --header to add any additional headers until your request has identical
> headers to TBB (adding headers is easy, removing might be harder).
>
>> I guess there is no way that curl can leak the real IP address. Any
>> objections?
>
> I can't say for sure, but it likely won't leak your IP for http/https
> protocols. The only way to make sure would be to thoroughly read the source.

I see no way curl could get the public IP address without root privileges.

Thank you Ondrej for your point of view.

>
> Ondrej
>
>>
>>
>>> Hm, you're right, wget 1.12 does not leak DNS if you use the http protocol.
>>> I just realized I tested it also with https when the leak happened (wget
>>> requires an explicit 'https_proxy' to use CONNECT for https even if you use
>>> the same http proxy).
>>>
>>> Ondrej
>>>
>>> On 04/19/2012 10:54 PM, torsiris@xxxxxxxxxxx wrote:
>>>> Hi,
>>>>
>>>> I cannot confirm that wget (v1.12) is sending any DNS resolve when using
>>>> it this way:
>>>>
>>>> wget --proxy --execute=http_proxy=http://127.0.0.1:8118/ -c http://download.test
>>>>
>>>> Wireshark does not show any UDP traffic.
>>>>
>>>> I will check out curl. I like the idea of not using an http proxy in
>>>> between.
>>>>
>>>> Thanks for the post. :-)
>>>>
>>>>> On 04/18/2012 11:40 PM, torsiris@xxxxxxxxxxx wrote:
>>>>>>> On Wed, Apr 18, 2012 at 4:56 AM, Maxim Kammerer <mk@xxxxxx> wrote:
>>>>>>>> On Wed, Apr 18, 2012 at 11:37, Robert Ransom
>>>>>>>> <rransom.8774@xxxxxxxxx>
>>>>>>>> wrote:
>>>>>>>>> Which version of wget did you audit?  What information leaks did
>>>>>>>>> you
>>>>>>>>> check for during your audit?
>>>>>> Hi,
>>>>>>
>>>>>> How can I check what information wget is transmitting? I used wireshark
>>>>>> and filtered to see only the traffic sent from wget to localhost:8118,
>>>>>> but I'm not a network expert and I don't know how to interpret the data.
>>>>>>
>>>>>> Does anybody have deeper network knowledge?
>>>>>
>>>>> I've just checked wget, it does leak DNS even with the http_proxy
>>>>> environment variable set.
>>>>>
>>>>> How to check:
>>>>>
>>>>> 1. Run wireshark
>>>>> 2. Select "Pseudointerface (any)" unless you know which interface to
>>>>> look at
>>>>> 3. Put "dns" into the Filter field and click "Apply" button
>>>>>
>>>>> DNS is easy to spot since it's almost always going to UDP port 53
>>>>> (exceptions are really rare).
>>>>>
>>>>> Then you'll see what DNS queries your host did at the time (obviously
>>>>> it's best to turn off any other program that could interfere in the
>>>>> measurement).
>>>>>
>>>>> These things can change on a version-to-version basis of the same
>>>>> software, so it's always best to check your actual version with wireshark.
>>>>>
>>>>> Though curl is much better than wget in all recent versions at least; this
>>>>> does not leak DNS (--socks5-hostname is the important part; the Tor SOCKS5
>>>>> proxy is expected to run at port 9050):
>>>>>
>>>>> curl --socks5-hostname localhost:9050 "http(s)://somesite.wherever/rest_of_url"
>>>>>
>>>>> Ondrej
>>>>> _______________________________________________
>>>>> tor-talk mailing list
>>>>> tor-talk@xxxxxxxxxxxxxxxxxxxx
>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>>>>
>>>>
>>>>
>>>
>>
>>
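The thread asks twice how to see what wget or curl actually sends (Wireshark with a "dns" filter is the answer given). A complementary per-process check, added here as an example and not part of any message in the thread, is to trace the downloader's connect() calls and flag every destination that is not the Tor SOCKS listener: a resolver lookup shows up as a connect to port 53, and a downloader that ignores its proxy setting shows up as a connect straight to the web server. It assumes Tor's SOCKS port at 127.0.0.1:9050 as in the thread, that strace is installed for the live run, and that the file is saved as leakcheck.sh (any other name still works when the functions are sourced). The sample trace lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): find connect() targets that bypass Tor.
# Assumes the Tor SOCKS listener at 127.0.0.1:9050 and that strace is installed.

# find_leaks PROXY_IP PROXY_PORT
# Reads 'strace -f -e trace=connect' output on stdin and prints one
# "leak: IP port N" line for every AF_INET/AF_INET6 connect() whose target is
# not the SOCKS proxy. Prints nothing when the trace is clean.
find_leaks() {
    sed -nE \
        -e 's/.*sin_port=htons\(([0-9]+)\).*inet_addr\("([0-9.]+)"\).*/\2 \1/p' \
        -e 's/.*sin6_port=htons\(([0-9]+)\).*inet_pton\(AF_INET6, "([0-9a-fA-F:.]+)".*/\2 \1/p' |
    awk -v ip="$1" -v port="$2" '$1 != ip || $2 != port { print "leak: " $1 " port " $2 }'
}

# trace_download URL
# Live check: run curl the way the thread does, but under strace, and report
# any connect() that did not go to the proxy. Exit status 0 means none found.
trace_download() {
    tmp=$(mktemp) || return 2
    strace -f -o "$tmp" -e trace=connect \
        curl --socks5-hostname 127.0.0.1:9050 -sS -o /dev/null "$1"
    leaks=$(find_leaks 127.0.0.1 9050 < "$tmp")
    rm -f "$tmp"
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# Constructed sample trace (not a real capture): one correct connect() to the
# SOCKS port, a resolver lookup to a LAN DNS server, a direct connection to a
# web server that skipped the proxy, and an IPv6 resolver lookup.
SAMPLE_TRACE='1234 connect(3, {sa_family=AF_INET, sin_port=htons(9050), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
1234 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 16) = 0
1234 connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
1234 connect(6, {sa_family=AF_INET6, sin6_port=htons(53), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::53", &sin6_addr), sin6_scope_id=0}, 28) = 0
1234 +++ exited with 0 +++'

# sample_leaks: runs the parser over the constructed trace above.
sample_leaks() {
    printf '%s\n' "$SAMPLE_TRACE" | find_leaks 127.0.0.1 9050
}

# Run directly as leakcheck.sh (assumed file name):
#   sh leakcheck.sh                      -> parses the constructed sample
#   sh leakcheck.sh http://host/file     -> live check of curl under strace
if [ "${0##*/}" = "leakcheck.sh" ]; then
    if [ $# -ge 1 ]; then trace_download "$1"; else sample_leaks; fi
fi
```

On the sample, find_leaks reports the three non-proxy destinations and stays silent for the 127.0.0.1:9050 line. Two caveats: strace only sees the traced process, so a lookup handed to a local caching resolver (nscd, dnsmasq) leaves the process over a Unix or loopback socket and is only caught by the host-wide Wireshark or tcpdump check on port 53 that the thread describes; and this is a measurement, not enforcement, so the owner-based iptables OUTPUT policy from the first message is still what stops a leak rather than merely showing it.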