Re: Yahoo Mail and Tor

Andrew Lewman wrote:

> A) The Privoxies after 3.06 have a local "web control interface"
> which we believe is a security risk. We think that remote websites can
> probably reconfigure your privoxy via that interface, maybe even without
> your noticing.  If newer versions have the ability to disable this
> interface, we can consider testing and subsequently including those with
> our packages.

Can you provide a link to what you are talking about?  I just searched
on the terms/phrase "web control interface" with "privoxy" and only had
a few matches, none of which seemed relevant.  I also checked privoxy's
online manual
( http://www.privoxy.org/user-manual/index.html ,
v 1.60 2009/03/21 12:58:53) and I didn't see anything about changing
configuration that had substantively changed since I started using
privoxy 3+ years ago.  At *least* since that time there has been
the ability to edit action files via browser (web interface) if allowed
in the configuration file.  The configuration file itself had to be
manually edited, and, at least in *nix, the config file could be owned
by root and set to be not writeable by privoxy (assuming privoxy was
running w/o privilege).  You could also toggle "enable/disable" through
privoxy's web interface if allowed in the config file. It should be
noted that "disabling" merely turns off the application of the rules --
it does *not* affect packet routing.  So if something was sent via Tor
with privoxy "enabled," it is still sent through Tor with privoxy
"disabled."  I have specifically verified that using
http://torcheck.xenobite.eu .

So could you point me to what has changed since 3.0.6 that causes
security concerns?  Thanks.

P.S.  Oops, I just noticed others have requested a link.  Did not mean
to repeat.  I believe the rest of what I said is relevant.
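
Added example, not part of the original message: a small audit of the two controls the message describes, namely the config-file switches for the browser-based editor and toggle, and whether the config file is writable by the account Privoxy runs as. The directive names are taken from Privoxy's documented config file; whether a given release supports each one, the `service_uid` argument and the sample configs are assumptions made here.

```python
import os
import stat
import tempfile

# Directives that gate Privoxy's browser-based controls described above.
WEB_CONTROLS = ("enable-edit-actions", "enable-remote-toggle",
                "enable-remote-http-toggle")

def parse_config(text):
    """Map each directive to every value it is given ('#' starts a comment)."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            settings.setdefault(parts[0].lower(), []).append(value)
    return settings

def audit(path, service_uid):
    """Return findings for a config file read by the account `service_uid`."""
    with open(path) as fh:
        settings = parse_config(fh.read())
    findings = []
    for name in WEB_CONTROLS:
        values = settings.get(name)
        if not values:  # built-in default varies, so require an explicit 0
            findings.append(f"{name}: not set explicitly")
        elif any(v != "0" for v in values):
            findings.append(f"{name}: enabled")
    st = os.stat(path)
    if st.st_uid == service_uid and st.st_mode & stat.S_IWUSR:
        findings.append("file: owned and writable by the service account")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file: group- or world-writable")
    return findings

def demo():
    """Audit two constructed configs: one permissive, one locked down."""
    weak = "listen-address 127.0.0.1:8118\nenable-edit-actions 1\nenable-remote-toggle 1\n"
    hard = ("listen-address 127.0.0.1:8118\nenable-edit-actions 0  # editor off\n"
            "enable-remote-toggle 0\nenable-remote-http-toggle 0\n")
    results = []
    for text, mode, uid in ((weak, 0o664, os.getuid()), (hard, 0o644, os.getuid() + 1)):
        with tempfile.NamedTemporaryFile("w", suffix=".config", delete=False) as fh:
            fh.write(text)
        os.chmod(fh.name, mode)
        results.append(audit(fh.name, uid))
        os.unlink(fh.name)
    return results

if __name__ == "__main__":
    for findings in demo():
        print(findings or "no findings")
```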