[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: BlockNumericIPRequests patch (fwd)



On Sun, Mar 12, 2006 at 10:16:41PM +0000, Jason Holt wrote:
> >First, we already have a TestSocks config option:
>
> Actually, is it even necessary now that it always warns about IP-only 
> connections?

TestSocks does something more than that -- it gives you a log message
when you are using a safe socks variant also. This is important because
of the third case -- you think you're using Tor safely but you're not
using Tor at all.

> >Second, even with your patch, an application using the wrong socks
> >version will do the DNS resolve, and then fail to work. So in a sense
> >it is broken in *both* respects now. Is this better behavior than before?
> 
> Certainly, it's a tradeoff which must be evaluated.  The fact that my 
> option doesn't catch the problem until the DNS lookup has already happened 
> is significant, and I've been thinking it should be documented.  The option 
> could also cause mysterious problems in applications that don't always do a 
> DNS lookup (bittorrent, perhaps?).

Not necessarily -- the warnings are for when you use socks4 or the wrong
variant of socks5, not for when an IP address is given to Tor rather
than a hostname. So it doesn't affect this if the application sometimes
resolves it and sometimes doesn't.

> OTOH, in most cases, users would 
> presumably not make their very first connection to a sensitive site after 
> installing a new app or changing a configuration.

True.

> And, of course, it could be a significant advantage to have proactive 
> rejection of potentially dangerous connections rather than leaving a log 
> entry which may go unnoticed.  Users are notoriously bad about auditing log 
> entries.

Also true.

I had originally thought to merge TestSocks and this new variable, so
we have for example a tristate "ignore", "warn", "reject", but TestSocks
is more than just "ignore or warn", as I describe above.

So I propose that we add a new config option SafeSocks that does as you
describe -- when set to 1, it refuses connections that are using the
unsafe variants of socks. It defaults to 0. Sound like what everybody
wants?

--Roger