
Re: is Java unsafe to use with Tor?



tor user wrote:
Greetings,
(I'm not sure if this is exactly the right place to
discuss this, but it pertains to using proxies in Java
in a possibly unsafe manner, and this sort of thing
seems to only matter to users of Tor)

If I have a Java program, and I do something like the
following:
Properties systemSettings = System.getProperties();
systemSettings.put("http.proxyHost", "127.0.0.1");
systemSettings.put("http.proxyPort", "8118");
System.setProperties(systemSettings);

This has the effect that all HTTP connections
following will be proxied via port 8118 on localhost,
where an instance of Privoxy might be listening. A
problem soon arises however if for some reason,
Privoxy isn't currently listening (for example, it
crashes, or it is hosted on another system that has
gone down, or whatever). In the case that nothing is
listening on the intended port, Java will switch to
making connections directly instead. This could be, of
course, somewhat disastrous from a security POV.
Are there any Java folks who have any insight about
how the "feature" is disabled? The expected behavior
should be that if the configured proxy is down,
connections should fail (as they would in any other
system).
Or is Java just an unsafe system to try to be
anonymous in?

Java is not safe to use with Tor, or any other proxy-based anonymity system. It is possible for applets to override any proxy settings you might have set (i.e. an applet running in your browser can disregard your proxy settings and make a direct connection to the internet). For an example of this, you can have a look at my paper "Internet Geolocation and Evasion".

I have heard that it is possible to run your browser and JavaVM (and Flash and JavaScript, if you want) inside a larger virtual machine. This is what JanusVM does. If you really want to use Java with Tor, then you could try that.

-James
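
A check for the fallback behaviour asked about above, added here as an example and not part of the original thread: it points the JVM at a proxy port where nothing is listening and reports whether the request still reached the destination directly, once with the system properties from the question and once with an explicit java.net.Proxy object. The class name, the loopback "target" listener and the dead proxy port are constructed for the test; the result depends on the JVM it is run on.

```java
import java.io.IOException;
import java.net.*;
import java.util.concurrent.atomic.AtomicInteger;

public class ProxyFailClosedCheck {
    static final AtomicInteger directHits = new AtomicInteger();

    // Attempts one request; returns true if the target saw a direct connection.
    static boolean leaks(URL url, Proxy explicitProxy) throws InterruptedException {
        int before = directHits.get();
        try {
            HttpURLConnection c = (HttpURLConnection) (explicitProxy == null
                    ? url.openConnection() : url.openConnection(explicitProxy));
            c.setConnectTimeout(2000);
            c.setReadTimeout(2000);
            c.getResponseCode();
        } catch (IOException expected) {
            // Failing here is the safe outcome: the proxy is down.
        }
        Thread.sleep(300); // give the accept thread time to record a connection
        return directHits.get() > before;
    }

    public static void main(String[] args) throws Exception {
        InetAddress lo = InetAddress.getLoopbackAddress();
        ServerSocket target = new ServerSocket(0, 10, lo); // constructed stand-in for a remote site
        Thread acceptor = new Thread(() -> {
            while (true) {
                try (Socket s = target.accept()) { directHits.incrementAndGet(); }
                catch (IOException e) { return; }
            }
        });
        acceptor.setDaemon(true);
        acceptor.start();

        int deadPort; // a port with no listener, standing in for a crashed Privoxy
        try (ServerSocket tmp = new ServerSocket(0, 1, lo)) { deadPort = tmp.getLocalPort(); }

        // Configuration from the question, pointed at the dead port.
        System.setProperty("http.proxyHost", "127.0.0.1");
        System.setProperty("http.proxyPort", String.valueOf(deadPort));
        System.setProperty("http.nonProxyHosts", ""); // default exempts loopback; clear it for this test
        URL url = URI.create("http://127.0.0.1:" + target.getLocalPort() + "/").toURL();

        System.out.println("system properties, proxy down -> direct connection: " + leaks(url, null));
        Proxy p = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", deadPort));
        System.out.println("explicit Proxy object, proxy down -> direct connection: " + leaks(url, p));
    }
}
```

A line ending in "true" means that configuration does not fail closed on that JVM. This only exercises HttpURLConnection in your own code; it says nothing about applets or other code that opens sockets itself.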