
Re: Firefox IPv6 Anonymity bypass

Arrakis wrote:
> Greetings and welcome to 2006!
> <3,
> Steve
> Excerpt from "How To Create Torpark"
> Step 31. set as follows:
>     noscript.notify.hideDelay = 30	
>     noscript.statusIcon = false
>     network.dns.disableIPv6 = true ; ipv6 addresses fail through tor.
>     network.proxy.socks_remote_dns = true
>     browser.sessionstore.enabled = false
>     browser.sessionhistory.max_entries = 1
>     network.cookie.lifetime.days = 0
>     dom.storage.enabled = false
>     dom.max_script_run_time = 60 ;script running time
>     dom.max_chrome_script_run_time = 60;
>     network.proxy.failover_timeout = 0 ;always retry the proxy, never
> revert.
>     plugin.scan.plid.all = false ;Do not allow plugin scanning.
>     security.xpconnect.plugin.unrestricted = false; do not allow
> unlimited access to XPConnect
>     layout.css.report_errors = false ;get rid of java console errors
>     network.http.keep-alive.timeout:1000
>     network.http.max-persistent-connections-per-proxy:16
>     network.http.pipelining:true
>     network.http.pipelining.maxrequests:8
>     network.http.proxy.pipelining:true

I'm sure you've learned a great deal in the process of building Torpark.
Have you ever documented why you've made these choices and explained
them to the or-talk list or Tor Developers privately?

I think your contributions would be very valued if you only shared them
in a constructive manner. Your message comes across as smug and
counterproductive. What are you trying to accomplish?

With that said, I think your setup is still vulnerable to IPv6 leaks. I
think that an attacker would merely have to list an IPv6 address rather
than a name. Something along the lines of:

<img src="http://fe80::123:5667:fe6d:ab10/cookie.img">

If you think this to be incorrect, perhaps you could share why? Does
Firefox properly proxy IPv6 requests through Tor? Have you tested this?
How did you test it?
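
An added example, not part of the original message or of Torpark: when testing the question raised above, a small audit like this one lists every resource reference in a page whose host is an address literal, since such URLs need no name lookup and are the requests to watch at the proxy. The function names and the sample markup (apart from the `<img>` line quoted from the message) are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that can trigger a fetch or navigation (illustrative subset).
URL_ATTRS = {"src", "href", "action", "data", "poster"}

def literal_host(url):
    """Return an ipaddress object if the URL's host is an IP literal, else None."""
    try:
        netloc = urlsplit(url).netloc.rpartition("@")[2]  # drop userinfo
    except ValueError:  # malformed brackets
        return None
    if netloc.startswith("["):
        # RFC-style bracketed IPv6 literal; ignore any zone id and port.
        candidates = [netloc[1:].partition("]")[0].split("%")[0]]
    else:
        # Try the whole authority first (unbracketed IPv6, as written in the
        # message above), then the authority with a trailing :port removed.
        candidates = [netloc, netloc.rpartition(":")[0]]
    for host in candidates:
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            continue
    return None

class LiteralFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, url, ip_version)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                ip = literal_host(value)
                if ip is not None:
                    self.hits.append((tag, value, ip.version))

def find_literals(html):
    finder = LiteralFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page; the first line is the example from the message.
SAMPLE = """
<img src="http://fe80::123:5667:fe6d:ab10/cookie.img">
<img src="http://[2001:db8::1]:8080/a.png">
<a href="http://192.0.2.7/x">x</a>
<script src="https://example.org/app.js"></script>
<img src="/local.png">
"""
```

Running `find_literals(SAMPLE)` reports the two IPv6 references and the IPv4 one and skips the named host and the relative path; each reported URL is a request to look for in the proxy's log and on the wire when checking whether it was proxied.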