[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
From: Max Jakob Maass <max@xxxxxxxxxxxxx>
Date: Tue, 21 Jan 2014 13:18:21 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 21 Jan 2014 07:27:45 -0500
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; t=1390306706; l=2281; s=domk; d=velcommuta.de; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References: Subject:To:MIME-Version:From:Date:X-RZG-CLASS-ID:X-RZG-AUTH; bh=d2U+LJrSdBF/HsM7MWD56v8pZlY=; b=QiSclvMoW1OosO+91A7MTQvuxu2l9UDkuxOAOm6h1Nr56X963c6/4H2MflAyXn6zXS4 vqZiJhYu5Y+uzx3KG4+W51KWyEkKikitCYK5t/nBXNFeAKW4ihVkJ+9nktu5kZ+5jdtnH O9cUax9xguGN/nWkb6oFvCmp15eLNPdvqEg=
In-reply-to: <52DE5C45.3030107@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: url=http://verify.velcommuta.de/gpg/3408825E.asc
References: <1390277171.428385.27196.8353@xxxxxxxxxxxxxxx> <52DE4C43.1060109@xxxxxxxxx> <52DE5C45.3030107@xxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 21.01.2014 12:38, Olivier Cornu wrote:
> Le 21/01/2014 11:30, Yuri a écrit :
>> 
>> I just tried stock Firefox 26.0 version, and it doesn't allow
>> loopback access (FreeBSD version). I don't have firewall. So it
>> must be an issue with the earlier FF, or maybe with TBB
>> modifications to it. Chrome-31 is also free of this problem.
> 
> Loopback (and LAN I bet) is accessible with TBB, FF and Chromium
> on Linux (Ubuntu). Platform specific behaviors?
> 
> Anyway, the more I think about it, the more I see this as a TBB
> bug: TBB is leaking non-Tor connections on client LAN. As I
> understand it, current behavior is too clever and too liberal: 
> instead of allowing non-Tor connections to LAN hosts, supposedly
> because they are safe, it should block them as a default.
Tor actually rejected my attempted XMLHttpRequest to a non-loopback
address (Log-Message stating that the SocksProxy did not allow local
connections). But then again, it also did not successfully receive
data from localhost:80 (nc showed something, but the testing site gave
an error message when trying to connect to my apache2 on port 80). Did
it behave differently for you?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJ8BAEBCgBmBQJS3mWNXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEM0ODA5N0EzQUY3RDU1MTg5QTc3QUMx
NjlGOTYyNDM0MDg4MjVFAAoJEBafliQ0CIJe+tEP/2mkp53yndSrT0LLCsznYNU6
bfwopHSSTiDD3iqr6fzzGIjP7IfnaBdUlnoY+2PHq4lSPygF7sGbn7wd47RxnLFA
8DmJG8rsYfMqOA0FfZ4GrDdwyZvlVjhtmfe8wY5Tdf85xauc+8DbHS0nrcvlHPIv
r6fPjLsIIjTT18N4YMK7bKMPkmzOzf3hymwLf+sjQuO3NjnBpkiO/C4W6M2iptFX
rLGjbycANetPkPTqjanhDpSEwOc83SsyfW+jjOFbTY7u4m7RbF2Hr67eMStzQZ+p
iuhVkh60oualFIgUGQ+gPkI1uVPfuHeu1LeRykvfptw5I2jEoFfIB+gpQI+Xsh5U
iCLAbP2J1cr4FYHCFL4WKdcYSM4oN/olyeyiEt33DkR4Eu4K1vbGtG8uzJyLfXqW
U3KHw/Kqz3zIFryD+C1JpuZqDocR4vGiQH94EFY69nkOnUyfa7iW5iJK0TMK6ZoN
VU2Xse2EOzll8ZBCWRB/AeWn6DJO4IvVrJHGHf9VRlv3hbIKYX0So9NxjlfBW231
ZcdE1akLOi+1Pf/12riM0RjAVJkjUtbA6UQ9HOvcw4ZFEigfG6g4oUHWuM4A4JjW
eldopfhvdQQ7l8kFjtYyLz8qJwB/VZht3vuMeh8PCydsimxO911VEbXUsPYC3w1P
fpVPIHb4wCCqCg279xBz
=EuWN
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
  - From: Olivier Cornu

References:

Prev by Author: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Next by Author: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Previous by thread: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Next by thread: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Index(es):
- Author
- Thread