
Re: TorButton and information disclosure on last OR



> Are you attempting to connect to your own server by IP? That's about
> the only way that I know of that your IP would end up in the Host
> header.

Yes, it's true that I misunderstood the meaning of the Host header. It's
the name of the destination server, not the source. Got it now.

There are 3 options in TorButton about headers:

Set user agent for Tor usage (crucial)
Spoof US English Browser
Don't send referer during Tor usage (may break some sites)

But I see the effect only from the first one, when my User-Agent header changes:
my real User-Agent:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.17)
Gecko/2010010604 Ubuntu/8.10 (intrepid) Firefox/3.0.17
changes to:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

> TorButton does several tasks that help to prevent the
> end server (and eavesdropping last OR) from being able to build a
> pseudonym for you, including modifying your HTTP headers to reduce the
> chance of disclosure.

What exact tasks do you know?

Also, am I thinking right that it's quite useless to use Tor just as a
proxy - it would work just as a proxy. And it's much better to use
special plugins like TorButton for Firefox to set some extra settings
about hiding yourself. Am I right?

On Sun, Jan 31, 2010 at 7:18 PM, Marcus Griep <tormaster@xxxxxxx> wrote:
> I think that you misunderstand what the Host header is for. It is a
> required header for HTTP/1.1, and it gives a host *name* that the
> server can then use to differentiate which resource you wanted. For
> example, www.example.com and news.example.com could be run off the
> same server. In order for the server to determine which resource you
> want when you connect to it, it inspects the Host header.
>
> Regardless, unless you are using an encrypted end-to-end connection,
> you should always assume that the last OR has the ability to read what
> you are sending. TorButton does several tasks that help to prevent the
> end server (and eavesdropping last OR) from being able to build a
> pseudonym for you, including modifying your HTTP headers to reduce the
> chance of disclosure.
>
> Are you attempting to connect to your own server by IP? That's about
> the only way that I know of that your IP would end up in the Host
> header.
>
> --
> Marcus Griep
>
>
>
> On Sun, Jan 31, 2010 at 10:46 AM, Mansur Marvanov <nanorobocop@xxxxxxxxx> wrote:
>> Hello!
>>
>> I have a Client machine with TorButton (Tor client + Firefox + Privoxy
>> + TorButton) and a Server machine with Apache.
>> But when I try to connect from Client to Server through the TOR
>> network I see that my information is in the HTTP headers that the last
>> OR gives to my Apache on the Server side.
>> So, AFAIU the last OR has all information about me? Isn't that a
>> disclosure of information?
>> I think it would be better if TorButton changed or deleted the
>> HTTP headers that could disclose me.
>> For example, at least TorButton could hide my Host header, but it
>> doesn't. Is it a bug or what?
>>
>> GET / HTTP/1.1
>> Host: ***MY***REAL***IP***
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
>> rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
>> If-Modified-Since: Sat, 26 Sep 2009 15:50:51 GMT
>> If-None-Match: "883d5-2d-4747d076a8cc0"-gzip
>> Cache-Control: max-age=0
>> Connection: close
>>
>> HTTP/1.1 200 OK
>> Date: Sun, 31 Jan 2010 14:08:29 GMT
>> Server: Apache/2.2.9 (Ubuntu)
>> Last-Modified: Sat, 26 Sep 2009 15:50:51 GMT
>> ETag: "883d5-2d-4747d076a8cc0"-gzip
>> Accept-Ranges: bytes
>> Vary: Accept-Encoding
>> Content-Encoding: gzip
>> Content-Length: 56
>> Connection: close
>> Content-Type: text/html
>>
>> ............(....I.O....0..,Q(./..V....l.!..`U\.QU.f-...
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
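The thread turns on two points: the Host header names the destination the client typed (so connecting to a server by its IP puts that IP in the header), and everything else in a plain-HTTP request crosses the last OR and reaches the server in the clear, which is why TorButton normalises headers such as User-Agent. The following script is an added example written for this thread, not Tor's or TorButton's code. It parses a captured request of the kind the original poster pasted, classifies what the Host header carries, shows the name-based virtual hosting Marcus describes, and lists which client-describing headers match a "Tor-usage profile" and which still stand out. The header list, the profile and both sample requests are constructed for the example; only the two User-Agent strings and the poster's Accept-Charset value are taken from the thread, and 192.0.2.10 is a documentation address standing in for the masked real IP.

```python
"""Audit a captured HTTP/1.1 request for client-identifying headers.

Added example for the or-talk thread; not TorButton's or Tor's code.
The header list, profile and sample requests are constructed; only the
User-Agent strings and the Accept-Charset value come from the thread.
"""
import ipaddress

# Request headers that describe the client rather than the requested
# resource.  On plain HTTP all of them pass the exit relay and reach the
# server in the clear (constructed list for this example).
CLIENT_DESCRIBING = (
    "User-Agent", "Accept-Language", "Accept-Charset", "Referer", "Cookie",
)

# Values the thread says TorButton presents during Tor usage.  The
# User-Agent string is quoted on the page; Accept-Language is an
# assumption taken from the poster's own capture.
TOR_USAGE_PROFILE = {
    "User-Agent": ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; "
                   "rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"),
    "Accept-Language": "en-us,en;q=0.5",
}


def parse_request(raw):
    """Split a raw request into (method, target, version, headers).
    Header names are canonicalised (user-agent -> User-Agent)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        canon = "-".join(p.capitalize() for p in name.strip().split("-"))
        headers[canon] = value.strip()
    return method, target, version, headers


def host_name_part(host):
    """Strip an optional :port from a Host value ([v6]:port handled)."""
    if host.startswith("["):
        return host[1:host.find("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def classify_host(host):
    """Say what the Host header carries: a name, an IP literal, or nothing."""
    if not host:
        return "missing"        # HTTP/1.1 requires it
    try:
        ipaddress.ip_address(host_name_part(host))
        return "ip-literal"     # the client connected by address, not name
    except ValueError:
        return "hostname"


def select_site(host, sites, default="default"):
    """Name-based virtual hosting as described in the thread: the server
    picks the site from the Host header's name part."""
    return sites.get(host_name_part(host).lower(), default)


def audit(raw):
    """Report the Host kind plus which client-describing headers match the
    Tor-usage profile ('normalised') and which still stand out."""
    _, _, _, headers = parse_request(raw)
    host = headers.get("Host", "")
    normalised, distinctive = [], []
    for name in CLIENT_DESCRIBING:
        if name not in headers:
            continue
        if TOR_USAGE_PROFILE.get(name) == headers[name]:
            normalised.append(name)
        else:
            distinctive.append(name)
    return {"host": host, "host_kind": classify_host(host),
            "normalised": normalised, "distinctive": distinctive}


# Constructed capture modelled on the poster's request; 192.0.2.10 is a
# documentation address standing in for the masked real IP.
TOR_REQUEST = "\r\n".join([
    "GET / HTTP/1.1",
    "Host: 192.0.2.10",
    "User-Agent: " + TOR_USAGE_PROFILE["User-Agent"],
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Encoding: gzip,deflate",
    "Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7",
    "Connection: close",
    "", "",
])

# Constructed request carrying the poster's real (Ubuntu) User-Agent, sent
# to a name rather than an address and with a Referer.
DIRECT_REQUEST = "\r\n".join([
    "GET /index.html HTTP/1.1",
    "Host: www.example.com",
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.17) "
    "Gecko/2010010604 Ubuntu/8.10 (intrepid) Firefox/3.0.17",
    "Accept-Language: en-us,en;q=0.5",
    "Referer: http://www.example.com/start",
    "Connection: close",
    "", "",
])

if __name__ == "__main__":
    for label, req in (("via Tor", TOR_REQUEST), ("direct", DIRECT_REQUEST)):
        print(label, audit(req))
    sites = {"www.example.com": "www", "news.example.com": "news"}
    print(select_site("news.example.com:8080", sites))
```

Run against the Tor-side sample, the audit reports the Host as an IP literal (the poster typed his server's address, which is exactly how it ended up in the header) and flags Accept-Charset as the one remaining header that stands out: the windows-1251 preference in the poster's capture is a locale hint the "Spoof US English Browser" profile left untouched. The direct sample shows the reverse picture, with a hostname in Host and the Ubuntu User-Agent and Referer as the distinctive headers.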