[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs
From: unknown <unknown@xxxxxxxxx>
Date: Fri, 4 May 2012 18:50:30 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 04 May 2012 14:51:10 -0400
Gpg-key-fingerprint: EE1E 6772 92A7 F9F1 F1DE 326B 9153 691B 8058 5959
In-reply-to: <4FA368C7.5010306@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Organization: PGPru.com
References: <CABqy+soUVc5VLT-c+N8cNr0k+V4-XjgTVXruMLcLDtmA_ngT4A@xxxxxxxxxxxxxx> <20120503172739.0717623FC1@xxxxxxxxxxxxxxxxxxxxx> <4FA368C7.5010306@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: unknown

On Fri, 4 May 2012 07:27:35 +0200
"Fabio Pietrosanti (naif)" <lists@xxxxxxxxxxxxxxx> wrote:

> > Any potential DNS-leakage can be prevented with iptables (Debian GNU/Linux way):
> 
> Well, this can also be prevented if the "starter" of TBB would be a
> binary/executable rather than a shell script, and that binary executable
> would provide "LD_PRELOAD" tsocks like approach wrapping the connect().
> 
> That way the entire TBB will run over the TBB_STARTER that will provide
> an "application-level" firewall that would prevent any kind of socket
> API to get-out directly.
> 
> -naif
> _______________________________________________

An "application-level" firewall is an illusion of security. Procesess can be separated by owners
with users and groups but programs itself cannot be authenticated to iptables. 
That's a reason to exclude an "application-level" firewall options --owner --cmd-owner <program-name>
from the kernel iptables modules.

Stronger way to manage network connections associated to programs is SELinux security contexts or
similar security modules. Even a path based ACLs and MACs such as AppArmor can be avoided and failed 
and only strong security context isolation in SELinux is a right decision.

Or just simple use system groups with iptables: not so secure, not so strong.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Firefox security bug (proxy-bypass) in current TBBs
  - From: Robert Ransom
- Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs
  - From: unknown
- Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs
  - From: Fabio Pietrosanti (naif)

Prev by Author: Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs
Next by Author: Re: [tor-talk] Blocked HTTPS
Previous by thread: Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs
Next by thread: Re: [tor-talk] Firefox security bug (proxy-bypass) in current TBBs
Index(es):
- Author
- Thread