[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] question about socks 4, 5

On 9/24/2011 4:16 AM, Fabian Keil wrote:
Joe Btfsplk<joebtfsplk@xxxxxxx>  wrote:

was playing w/ latest TBB&  seeing how other apps (like email - Tbird,
or other apps) behaved, just to experiment.

1) Question about changes in proxy settings of late(er) TBB (Aurora - FF
6) use.  Notice that ONLY things filled in on network>  settings page is:
- Manual Proxy Config is checked,

- under SOCKS host, is used, and PORT 9050 used.
- SOCKS 5 is checked.

Obviously, changes from past Tor.  I saw msgs in TBB / Vidalia log
(which unfortunately, I didn't figure out how to save - it's gone once
I never used TBB, but the "Vidalia log" in vanilla Vidalia is basically
a Tor log, so if you configure Tor to additionally log to a file, the log
messages should survive the Vidalia shutdown.

TBB shuts down), to effect of (pardon my poor memory): "An (or some)
applic. is trying to do.... on SOCKS 5... which ~ may compromise
anonymity... "Consider using SOCKS 4 instead, ... or use Polipo
You are probably referring to:
Sep 21 22:43:31.377 [warn] {APP} Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.

The important part is "giving Tor only an IP address",
you can get the same message for SOCKS4.

The URL should probably be fixed, but I'm not sure if the
original content still exists somewhere.

Question isn't about ONE app, but in general.  If trying to torrify
other apps, how do you know (now) WHICH settings to use in connection
settings for that app(s)?
HTTP, SSL, SOCKS 4 / 5?  Or some combo of one or more of these settings
&  which Proxy or Port for each?
Simplifying things a bit, SOCKS 4 and 5 both have two "flavours",
one where the client itself resolves the addresses (potentially
"leaking" DNS requests) and one where it doesn't have to (but still

Tor users usually want to use the ones where the client doesn't have
to resolve addresses and naturally they want to use clients that don't
resolve anything anyway.

In case of SOCKS4 that flavour is called SOCKS4A, in case of SOCKS5
it's often called "SOCKS5 with hostnames", but many applications only
support one SOCKS5 flavour and you may have to check the documentation
to figure out which one it is.

For example Privoxy only supports the "SOCKS5 with hostnames"
flavour but simply refers to it as SOCKS5 in the configuration
files. The documentation should make it clear, though:

The same is true for Polipo:

curl supports both, and the switches are --socks5
and --socks5-hostname, so in this case most Tor users
would want the latter.

If an application has properly working SOCKS support
there usually isn't any need to additionally configure
a HTTP proxy unless the proxy itself does something
you consider useful.

If a client supports both SOCKS4A and "SOCK5 with hostnames"
it's usually preferable to use the latter as it supports more
detailed error codes. It's up to the client to do something
useful with them, though.

By that, mean by CURRENT ways that Tor / TBB work, not outdated help /
FAQ articles (sorry).  Some help files&  articles are out of date&  no
longer apply for some settings.
Could be wrong, but don't think instructions on
have changed in * long * time.
There seems to be some history available:

Have to say, Tbird instructions on above link could be a * LOT *
clearer.  I'm a technical person (not a coder)&  have a hard  time
following it all.  Definitely  not written for avg users:
I agree. It's also not clear if they are sufficient.
It's my impression that they may not cover everything,
but as I don't use Thunderbird I could be wrong.

Thanks for detailed reply. It answered some questions, but I think for most users (perhaps technical, but not *extremely* advanced), it raises just as many more. I'm glad I don't live in Pakistan. 1) Most apps I've looked at w/ ability to select connection mode don't specify SOCKS 4 / 4a, or 5 / "5 w/ hostnames." MAYBE info could be found from developer or forums. Like you said,

"For example Privoxy only supports the "SOCKS5 with hostnames" flavour but simply refers to it as SOCKS5"

Even Tbird 6 doesn't specify anything except simply SOCKS 4 / 5.

2) If using Tor / Vidalia / Polipo bundle, & it's enabled, AND applications are config'd to use the port that Polipo uses, aren't the applications using the correct SOCKS type & port #, to prevent DNS leaks, or do many apps just ignore the Polipo settings?

I suppose ? if apps don't support SOCKS 4a / 5 w/ hostnames, they'll just do what ever they're able & doesn't really matter if using Polipo & app is config'd to use same proxy / port?

Info on this general issue is scattered out like debris field of a crashing space shuttle. It appears that "torrifying non browser apps" isn't a big concern for Tor developers, because instructions to do so & how (or even if) can be verified are far beyond avg users' ability. Not a criticism - just observation. The FAQ quoted below illustrates the point - not enough details for most users & incomplete. * Most Tor users are probably somewhat above avg, anyway, but do we really think the instructions below are sufficient for avg Tor users? *

From the FAQ: "I keep seeing these warnings about SOCKS and DNS and information leaks. Should I worry?"* [IMHO, these instructions fall into the category, "A little knowledge is a dangerous thing." Besides, no where near complete enough for avg - sl. above avg users to torrify apps safely]

"Where SOCKS comes in.* Your application uses the SOCKS protocol to connect to your local Tor client. There are 3 versions of SOCKS you are likely to run into: SOCKS 4 (which only uses IP addresses), SOCKS 5 (which usually uses IP addresses in practice), and SOCKS 4a (which uses hostnames).

When your application uses SOCKS 4 or SOCKS 5 to give Tor an IP address, Tor guesses that it 'probably' got the IP address non-anonymously from a DNS server. That's why it gives you a warning message: you probably aren't as anonymous as you think.

*So what can I do?* We describe a few solutions below.

 * If your application speaks SOCKS 4a, use it. [caveat:  most apps
   don't say 4 / 4a, etc.]
 * For HTTP (web browsing), either configure your browser to perform
   remote DNS lookups (see the Torify HOWTO
   <https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> how
   to do this for some versions of Firefox) ** or use a socks4a-capable
   HTTP proxy, such as Polipo.** [again, from your comment & what I
   gather, using this may mean nothing] See the Tor documentation for
   more information. For instant messaging or IRC, use Gaim or XChat.
   For other programs, consider using freecap (on Win32) or dsocks (on
 * If you only need one or two hosts, or you are good at programming,
   you may be able to get a socks-based port-forwarder like socatg to
   work for you; see the Torify HOWTO
   <https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> for
 * Tor ships with a program called tor-resolveg that can use the Tor
   network to look up hostnames remotely; if you resolve hostnames to
   IPs with tor-resolve, then pass the IPs to your applications, you'll
   be fine. (Tor will still give the warning, but now you know what it
   means.) [and instructions for config'g apps to use tor-resolve are
 * You can use TorDNS as a local DNS server to rectify the DNS leakage.
   See the Torify HOWTO
   <https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO> for
   info on how to run particular applications anonymously.

If you think that you applied one of the solutions properly but still experience DNS leaks please verify there is no third-party application using DNS independently of Tor. Please see the FAQ entry on whether you're really absolutely anonymous using Tor <https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#SoImtotallyanonymousifIuseTor> for some examples.

     How do I check if my application
     that uses SOCKS is leaking DNS requests?

These are two steps you need to take here. The first is to make sure that it's using the correct variant of the SOCKS protocol, and the second is to make sure that there aren't other leaks.

Step one: add "TestgSocks 1" to your torrc <https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#torrc> file, and then watch your logs as you use your application. Tor will then log, for each SOCKS connection, whether it was using a 'good' variant or a 'bad' one. (If you want to automatically disable all 'bad' variants, set "SafeSocks 1" in your torrc file.)

Step two: even if your application is using the correct variant of the SOCKS protocol, there is still a risk that it could be leaking DNS queries. This problem happens most commonly in Firefox extensions that resolve the destination hostname themselves?, for example to show you its IP address, what country it's in, etc. These applications may use a safe SOCKS variant when actually making connections, but they still do DNS resolves locally. If you suspect your application might behave like this, you should use a network sniffer like Wireshark and look for suspicious outbound DNS requests. I'm afraid the details of how to look for these problems are beyond the scope of a FAQ entry though * [& those details are where?] * -- * find a friend to help * if you have problems [LOL]."

tor-talk mailing list