azureus anonymity advisory



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi y'all,

I don't know if anyone is using Azureus to BT anonymously over TOR
still, but if you are, you should hold off for the time being as
there are bugs allowing trivial IP compromise.  Anonymous trackers
are not affected from what I can see.

The issue rests with the support for both anonymous and
non-anonymous activity at the same time - if you have one anonymous
client on a swarm and one non-anonymous one, when the anonymous one
gets the non-anonymous one's IP address, it will currently connect
to it directly.

I noticed this while hacking around with their new I2P plugin (which
uses the same socks handling) and have advised the I2P userbase to
hold off until the issue is resolved.  The Azureus developers are on
the case, and seem to think it'll be easy enough to fix, so keep an
ear out to the Azureus pages for updates.

=jr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB5wzPGnFL2th344YRAsFbAKCWDXj+bGZJJaDwdDAy4te1PP0qLACg0oQX
rH26S0EJm0fieM3AQpyV2DM=
=rLUO
-----END PGP SIGNATURE-----
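
The failure described in the message above, as an added example that is not part of the original post and is not Azureus code: a route decision keyed on the peer's address form, next to one keyed on the session that fails closed. The Session fields, function names and peer list are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

DIRECT, PROXY, REFUSE = "direct", "proxy", "refuse"

@dataclass(frozen=True)
class Session:
    anonymous: bool                      # True: peer traffic must stay behind the SOCKS proxy
    proxy_reaches_clearnet: bool = True  # assumption: Tor-like proxy yes, I2P-like proxy no

def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, including bracketed IPv6."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def route_by_address(session: Session, host: str) -> str:
    """Model of the behaviour in the advisory: a peer that arrives as a
    plain IP address is dialled directly, even from an anonymous session."""
    if not session.anonymous or is_ip_literal(host):
        return DIRECT
    return PROXY

def route_fail_closed(session: Session, host: str) -> str:
    """The session decides first: an anonymous session never returns DIRECT,
    whatever kind of address the swarm handed over."""
    if not session.anonymous:
        return DIRECT
    if is_ip_literal(host) and not session.proxy_reaches_clearnet:
        return REFUSE   # the proxy cannot carry it, so the peer is dropped
    return PROXY        # names go to the proxy unresolved, no local DNS lookup

def direct_dials(router, session: Session, peers) -> list:
    """Peers this router would contact without the proxy (the leak set)."""
    return [p for p in peers if router(session, p) == DIRECT]

# Constructed peer list: two clearnet peers and one I2P-style destination.
PEERS = ["203.0.113.7", "[2001:db8::5]", "examplepeer.i2p"]

if __name__ == "__main__":
    anon = Session(anonymous=True, proxy_reaches_clearnet=False)
    print("address-based:", direct_dials(route_by_address, anon, PEERS))
    print("fail-closed:  ", direct_dials(route_fail_closed, anon, PEERS))
```

Running direct_dials over the peer list a client learns from a mixed swarm is a quick regression check: for an anonymous session the result must be empty.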