[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: privoxy/firefox

To: or-talk@xxxxxxxxxxxxx
Subject: Re: privoxy/firefox
From: ADB <firefox-gen@xxxxxxxxxx>
Date: Tue, 30 Aug 2005 10:56:31 -0700
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Tue, 30 Aug 2005 13:57:29 -0400
In-reply-to: <7d9163f3050830081238490c1b@mail.gmail.com>
References: <7d9163f3050828194670d531e4@mail.gmail.com> <43129FE5.4080608@walala.org> <20050829060409.GK4630@localhost.localdomain> <4312A7FC.5070501@walala.org> <7d9163f305082823367ccc01fe@mail.gmail.com> <43140517.6010909@walala.org> <7d9163f3050830081238490c1b@mail.gmail.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent:

Arrakis, what is the about:config entry's name and value? I can try adding it to my 1.0.x config and see if it does anything. BTW, further testing yesterday has shown that 1.0.x in fact does do SOCKS4/5 correctly, as long as you have the 'enable proxy for all protocols' or whatever box checked. HOWEVER, we have discovered that Squid insists on doing its own DNS lookups, and there doesn't seem to be a way to change this behavior. Thus, I am going to append a warning/notice of depreciation on all related pages on the Wiki (there's only one or two of them). Although Squid can filter out those evil headers (which I really like), the fact that it DNS leaks cancels out any of these positive effects.

~Andrew

Arrakis Tor wrote:

Download Dear Park Alpha 2 and run the about:config to force the DNS
queries to be done remotely, and then we will have something more to
talk about. This seems to be the issue, as 1.06 etc, do not have to
option for decentralized dns query, where the experimental versions
do. But for the later versions you must enable it.

On 8/30/05, ADB <firefox-gen@xxxxxxxxxx> wrote:

 Damnit! Aparently Dingledine was right. Etherial picked up the DNS queries.
It seems that just because Tor doesn't say that there's a problem, it
doesn't mean that there isn't a DNS leak going on. Could this behavior (or
lack thereof) be considered a bug?
 
 ~Andrew

 
 Arrakis Tor wrote: 
 I would very much appreciate an investigation into it. 

On 8/29/05, ADB <firefox-gen@xxxxxxxxxx> wrote:
 
 
 The latest stable (1.0.6) operates without causing any screen messages
when tor is set to 'notice' loglevel. Programs known not to do DNS in a safe
manner do result in such notifications. When did you last review the source?
I'll do a local ethernet sniff w/ Etherial if you would like further
verification (it's late right now otherwise I would just do it immediately).
 
 Roger Dingledine wrote: 
 On Sun, Aug 28, 2005 at 10:40:53PM -0700, ADB wrote:
 
 
 FF does SOCKS 5 securely, so I don't see why you couldn't. The only 

 
 
 Other than not having cookies blocked, Is there anything to lose by
not having privoxy installed, and using firefox as its own sock5
proxy? Does this compromise security by dns headers?
 
 

Last I read the code, the way Firefox does socks5 is *not* secure from
Tor's perspective. It does the DNS resolve itself, then passes the IP
address to Tor via socks5.

Firefox 1.1 (not yet released, as far as I know) has an option to "do
dns remotely", which makes it safe. Adam Langley has a howto on this:
http://www.imperialviolet.org/deerpark.html

--Roger



.

Follow-Ups:
- Re: privoxy/firefox
  - From: Adam Langley

References:
- privoxy/firefox
  - From: Arrakis Tor
- Re: privoxy/firefox
  - From: ADB
- Re: privoxy/firefox
  - From: Roger Dingledine
- Re: privoxy/firefox
  - From: ADB
- Re: privoxy/firefox
  - From: Arrakis Tor
- Re: privoxy/firefox
  - From: ADB
- Re: privoxy/firefox
  - From: Arrakis Tor

Prev by Author: Re: privoxy/firefox
Next by Author: Re: privoxy/firefox
Previous by thread: Re: privoxy/firefox
Next by thread: Re: privoxy/firefox
Index(es):
- Author
- Thread