[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] flash and tor

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] flash and tor
From: Andrew Lewman <andrew@xxxxxxxxxxxxx>
Date: Fri, 28 Sep 2012 08:24:54 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 28 Sep 2012 08:25:10 -0400
In-reply-to: <CAEYCsr78EYofZMeWzrEru0M_JZDenPDsjffk3yaV19OjN5J8Vw@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Organization: The Tor Project, Inc.
References: <CAEYCsr7L1T3y5ppiNDnhpP_-0QLZiEZAE7shP5Ry=zz1nywsWw@xxxxxxxxxxxxxx> <5064F40C.7020107@xxxxxxxxxx> <CAEYCsr78EYofZMeWzrEru0M_JZDenPDsjffk3yaV19OjN5J8Vw@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

On Fri, 28 Sep 2012 13:51:26 +0200
esolve esolve <esolvepolito@xxxxxxxxx> wrote:

> but I used tcpdump to capture packets and noticed that the video
> packets are sent through tor nodes, not directly to the web site
> so for the website, it should regard the connection is from an IP of
> exit node.
> what you meant is the adobe flash will also use the real IP to
> connect to that website by bypassing tor?

Adobe Flash apps can be written to ignore proxy settings of the
operating system and applications and stream data back to anywhere.
They have access to your hard drive, so they can read data from
anywhere on your system.

The keyword here is "can". Most flash apps work as expected and honor
proxy settings and will dutifully stream/work over Tor. 

The user has no easy way of knowing if the app is recording their IP
address locally or from their ISP and sending it back to some site, or
just connecting back to a site without using the proxy. 

For the majority of people, flash is a black box doing unknown things.
This isn't even addressing the exploits and vulnerabilities in the
flash vm (called a player). It may be playing funny dog videos for you
while it is ex-filtrating sensitive data.

Because of these reasons, we determined flash is too risky to allow by
default in tor browser. See #1 in
https://www.torproject.org/projects/torbrowser/design/#adversary

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] flash and tor
  - From: esolve esolve
- Re: [tor-talk] flash and tor
  - From: adrelanos
- Re: [tor-talk] flash and tor
  - From: esolve esolve

Prev by Author: Re: [tor-talk] Does tor browser bundle can goes on Mac App Store?
Next by Author: Re: [tor-talk] Tor advice?
Previous by thread: Re: [tor-talk] flash and tor
Next by thread: [tor-talk] TBB advantages in VM
Index(es):
- Author
- Thread