
Re: [tor-talk] Confusion about Tor log messages showing relay addresses



On Sun, Nov 4, 2012 at 11:17 AM, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
 [...]

> Wow, absolutely no ideas about the cause, validity / non validity of
> these warning messages?




Grepping for the string "protocol that may leak information" in Vidalia, it
looks like you're *probably* seeing this one:

"One of your applications established a connection through Tor "
         "to \"%1\" using a protocol that may leak information about your "
         "destination. Please ensure you configure your applications to use "
         "only SOCKS4a or SOCKS5 with remote hostname resolution"

That's the warning that you should I'd expect that your application is
connecting to Tor and giving it an IP address rather than a hostname, and
it's not an IP address that your application is getting from Tor.  So
here's what Tor thinks might be happening:

 1. Application does a direct DNS request for some-site.com.  Your local
DNS server learns that you want some-site.com, and tells the application
"the IP is 1.2.3.4".  That DNS request would be the information leak that
Vidalia is warning you about.
 2. Your application makes a request to Tor: "Connect to 1.2.3.4".
 3. Tor goes, "Hm. Okay... but hang on. I never told any application about
the IP 1.2.3.4! I bet they got it by a direct DNS request.  That would be
bad. I should warn them!"  Tor makes a connection to 1.2.3.4, and tells
Vidalia to warn you.
 4. Vidalia warns you.

So in this case, you wouldn't be seeing any connections to 1.2.3.4 on your
AV.  Instead, you'd see your application making DNS requests for some
hostname, and getting 1.2.3.4 as an answer.  It's external DNS requests
that you need to watch out for.

Tor is telling you "Please ensure that you configure your applications to
use only SOCKS4a or SOCKS5 with remote hostname resolution" since that's
what you usually have to do to an application to make it do the right thing
here.

This could give false positives for two reasons:

  A. Maybe the application is finding out about IP addresses through some
safe means other than DNS lookups and other than learning about them from
Tor.
  B. Maybe the application learned about an IP address a long time ago
through Tor, long enough ago that Tor forgot that it ever told that
application about that address.


Things to look at: Is there some application other than TorBrowser in use?
 Are all settings at their default values?

-- 
Nick
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
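
Added example (not part of the message above, and not Tor's or Vidalia's code): a small parser that shows, at the byte level, the difference between a SOCKS request that hands the proxy a hostname (SOCKS4a, SOCKS5 with a domain-name address) and one that hands it a bare IP address, which is the case the warning is about. The `resolved_via_tor` set is a hypothetical stand-in for "addresses Tor remembers having told an application about"; the sample requests are constructed.

```python
import ipaddress
import struct

def classify_socks_request(data, resolved_via_tor=frozenset()):
    """Return (protocol, target, may_leak) for one SOCKS CONNECT request.

    may_leak is True when the client supplied a bare IP address that is not
    in resolved_via_tor (assumption: a simplified model of the check the
    message describes, not Tor's actual logic).
    """
    if data[0] == 4:
        # SOCKS4: VN, CD, DSTPORT(2), DSTIP(4), USERID, NUL
        port, raw_ip = struct.unpack("!H4s", data[2:8])
        userid_end = data.index(b"\x00", 8)
        # SOCKS4a signals "hostname follows" with DSTIP 0.0.0.x, x != 0
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
            host_end = data.index(b"\x00", userid_end + 1)
            host = data[userid_end + 1:host_end].decode("ascii")
            return "SOCKS4a", host, False
        target = str(ipaddress.IPv4Address(raw_ip))
        return "SOCKS4", target, target not in resolved_via_tor
    if data[0] == 5:
        # SOCKS5 request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT
        atyp = data[3]
        if atyp == 0x03:  # domain name: length byte, then the name
            n = data[4]
            return "SOCKS5", data[5:5 + n].decode("ascii"), False
        if atyp == 0x01:
            target = str(ipaddress.IPv4Address(data[4:8]))
        elif atyp == 0x04:
            target = str(ipaddress.IPv6Address(data[4:20]))
        else:
            raise ValueError("unknown SOCKS5 address type")
        return "SOCKS5", target, target not in resolved_via_tor
    raise ValueError("not a SOCKS4/SOCKS5 request")

# Constructed sample CONNECT requests to port 443
PORT = struct.pack("!H", 443)
NAME = b"some-site.com"
S5_HOST = b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + PORT
S5_IP = b"\x05\x01\x00\x01" + bytes([1, 2, 3, 4]) + PORT
S4_IP = b"\x04\x01" + PORT + bytes([1, 2, 3, 4]) + b"\x00"
S4A_HOST = b"\x04\x01" + PORT + b"\x00\x00\x00\x01" + b"\x00" + NAME + b"\x00"

if __name__ == "__main__":
    for req in (S5_HOST, S5_IP, S4_IP, S4A_HOST):
        print(classify_socks_request(req))
```

Passing `{"1.2.3.4"}` as `resolved_via_tor` clears the flag for the IP-only requests; an address missing from that set while still being safe corresponds to false-positive cases A and B in the message.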