
Re: BlockNumericIPRequests patch (fwd)




On Sun, 12 Mar 2006, Roger Dingledine wrote:
> First, we already have a TestSocks config option:
>
>  TestSocks 0|1
>      When this option is enabled, Tor will make  a notice-level  log
>      entry  for  each connection to the Socks port indicating whether
>      the request used a hostname (safe) or an  IP  address (unsafe).
>      This helps to determine whether an application using Tor is pos-
>      sibly leaking DNS requests.  (Default: 0)
>
> This doesn't do quite what your patch does, of course. But is it
> sufficient?

Actually, is it even necessary now that it always warns about IP-only connections?



> Second, even with your patch, an application using the wrong socks
> version will do the DNS resolve, and then fail to work. So in a sense
> it is broken in *both* respects now. Is this better behavior than before?
>
> I'd like to figure these out a bit more before we simply hand more
> options to the users and hope it solves the problem. :)

Certainly, it's a tradeoff which must be evaluated. The fact that my option doesn't catch the problem until the DNS lookup has already happened is significant, and I've been thinking it should be documented. The option could also cause mysterious problems in applications that don't always do a DNS lookup (bittorrent, perhaps?). OTOH, in most cases, users would presumably not make their very first connection to a sensitive site after installing a new app or changing a configuration.


And, of course, it could be a significant advantage to have proactive rejection of potentially dangerous connections rather than leaving a log entry which may go unnoticed. Users are notoriously bad about auditing log entries.

							-J
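The check that TestSocks describes (did the SOCKS request carry a hostname or an already-resolved IP address?) comes down to parsing the CONNECT request, and the "wrong socks version" problem Roger raises is visible there too: plain SOCKS4 can only carry an IP, so an application speaking SOCKS4 instead of SOCKS4a or SOCKS5 has necessarily resolved the name itself before Tor ever sees the request. The following is an added illustration, not Tor's code and not the patch under discussion; the sample requests are constructed, the notice wording is my own, and the decision to treat a SOCKS5 domain-name field that holds an IP literal as "unsafe" is an assumption of this example rather than documented Tor behaviour.

```python
import ipaddress
import struct

SOCKS4 = 0x04
SOCKS5 = 0x05
CMD_CONNECT = 0x01

# Constructed sample CONNECT requests (not captured traffic); port 80 = 0x0050.
SAMPLE_SOCKS4_IP = b"\x04\x01\x00\x50" + bytes([93, 184, 216, 34]) + b"anon\x00"
SAMPLE_SOCKS4A_HOST = b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"anon\x00" + b"example.com\x00"
SAMPLE_SOCKS5_HOST = b"\x05\x01\x00\x03" + bytes([len(b"example.com")]) + b"example.com" + b"\x00\x50"
SAMPLE_SOCKS5_IP = b"\x05\x01\x00\x01" + bytes([93, 184, 216, 34]) + b"\x00\x50"
SAMPLE_SOCKS5_IP_LITERAL = (b"\x05\x01\x00\x03" + bytes([len(b"93.184.216.34")])
                            + b"93.184.216.34" + b"\x00\x50")


def classify_socks_request(data: bytes) -> dict:
    """Return version, destination, port and whether the request used a hostname or an IP."""
    if not data:
        raise ValueError("empty request")
    if data[0] == SOCKS4:
        return _classify_socks4(data)
    if data[0] == SOCKS5:
        return _classify_socks5(data)
    raise ValueError(f"unsupported SOCKS version {data[0]}")


def _classify_socks4(data: bytes) -> dict:
    # SOCKS4: VN CD DSTPORT(2) DSTIP(4) USERID NUL  [SOCKS4a: HOSTNAME NUL]
    if len(data) < 9 or data[1] != CMD_CONNECT:
        raise ValueError("malformed SOCKS4 CONNECT")
    (port,) = struct.unpack("!H", data[2:4])
    ip_bytes = data[4:8]
    _userid, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("SOCKS4 USERID not NUL-terminated")
    # SOCKS4a marks DSTIP as 0.0.0.x (x != 0) to say "a hostname follows the USERID";
    # that is the only way a SOCKS4-family client can hand Tor an unresolved name.
    if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:
        host, sep, _ = rest.partition(b"\x00")
        if not sep or not host:
            raise ValueError("SOCKS4a hostname missing")
        return {"version": "4a", "kind": "hostname", "dest": host.decode("ascii"), "port": port}
    return {"version": "4", "kind": "ip", "dest": str(ipaddress.IPv4Address(ip_bytes)), "port": port}


def _classify_socks5(data: bytes) -> dict:
    # SOCKS5 request (after method negotiation): VER CMD RSV ATYP DST.ADDR DST.PORT(2)
    if len(data) < 5 or data[1] != CMD_CONNECT or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 CONNECT")
    atyp = data[3]
    if atyp == 0x01:                      # IPv4 literal
        dest, end, kind = str(ipaddress.IPv4Address(data[4:8])), 8, "ip"
    elif atyp == 0x04:                    # IPv6 literal
        dest, end, kind = str(ipaddress.IPv6Address(data[4:20])), 20, "ip"
    elif atyp == 0x03:                    # domain name, length-prefixed
        n = data[4]
        dest, end, kind = data[5:5 + n].decode("ascii"), 5 + n, "hostname"
        # Assumption of this example: a "domain name" that is really an IP literal
        # still means the application resolved the name itself, so flag it as unsafe.
        try:
            ipaddress.ip_address(dest)
            kind = "ip"
        except ValueError:
            pass
    else:
        raise ValueError(f"unknown SOCKS5 address type {atyp}")
    if len(data) < end + 2:
        raise ValueError("SOCKS5 request truncated before DST.PORT")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"version": "5", "kind": kind, "dest": dest, "port": port}


def notice_line(data: bytes) -> str:
    """Build a TestSocks-style notice (wording is this example's, not Tor's)."""
    info = classify_socks_request(data)
    if info["kind"] == "hostname":
        verdict = "used a hostname (safe)"
    else:
        verdict = "used an IP address (unsafe): the application may have resolved the name itself"
    return f"[notice] SOCKS{info['version']} request for {info['dest']}:{info['port']} {verdict}"


if __name__ == "__main__":
    for sample in (SAMPLE_SOCKS4_IP, SAMPLE_SOCKS4A_HOST, SAMPLE_SOCKS5_HOST,
                   SAMPLE_SOCKS5_IP, SAMPLE_SOCKS5_IP_LITERAL):
        print(notice_line(sample))
```

Running it on the five constructed requests shows why a log-only option and a reject-the-connection option land at the same point in time: by the time either can act on the SOCKS4 or ATYP=1 request, the DNS query that leaked the destination has already left the machine. What differs is only whether the connection then proceeds, which is the tradeoff the thread is weighing.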