[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] wget - secure?



On 04/22/2012 01:25 AM, torsiris@xxxxxxxxxxx wrote:
> 
> Hi,
> 
> Is there anything to worry about if using curl with the below configuration?
> (I don't want to use a virtual machine)
> 
> Only debian-tor can go online:
> iptables -F OUTPUT
> iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
> iptables -A OUTPUT -j ACCEPT -o lo
> iptables -A OUTPUT -j ACCEPT -p udp --dport 123
> iptables -P OUTPUT DROP

Just to make sure, add explicit blocking of DNS at the beginning (might add -m
owner --uid-owner debian-tor if you want):

iptables -A OUTPUT -j ACCEPT -p udp --dport 53 -j REJECT
iptables -A OUTPUT -j ACCEPT -p tcp --dport 53 -j REJECT

REJECT is IMHO better than DROP for outgoing connections, since you won't have
to wait for application to detect timeout.

> 
> curl is used like this:
> 
> curl --socks5-hostname 127.0.0.1:9050 -A "TBB's user agent" -C - -O
> http://download.testfile

Use --header to add any additional headers until your request has identical
headers to TBB (adding headers is easy, removing might be harder).

> I guess there is no way that curl can leak the real IP address. Any
> objections?

I can't say for sure, but it likely won't leak your IP for http/https protocols.
Only way to make sure would be thoroughly reading the source.

Ondrej

> 
> 
>> Hm, you're right, wget 1.12 does not leak DNS if you use http protocol. I
>> just
>> realized I tested it also with https when the leak happened (wget requires
>> explicit 'https_proxy' to use CONNECT for https even if you use the same
>> http
>> proxy).
>>
>> Ondrej
>>
>> On 04/19/2012 10:54 PM, torsiris@xxxxxxxxxxx wrote:
>>> Hi,
>>>
>>> I cannot confirm that wget (v1.12) is sending any DNS resolve when using
>>> it this way:
>>>
>>> wget --proxy --execute=http_proxy=http://127.0.0.1:8118/ -c
>>> http://download.test
>>>
>>> Wireshark does not show any UDP traffic.
>>>
>>> I will check out curl. I like the idea of not using a http proxy in
>>> between.
>>>
>>> Thanks for the post. :-)
>>>
>>>> On 04/18/2012 11:40 PM, torsiris@xxxxxxxxxxx wrote:
>>>>>> On Wed, Apr 18, 2012 at 4:56 AM, Maxim Kammerer <mk@xxxxxx> wrote:
>>>>>>> On Wed, Apr 18, 2012 at 11:37, Robert Ransom
>>>>>>> <rransom.8774@xxxxxxxxx>
>>>>>>> wrote:
>>>>>>>> Which version of wget did you audit?  What information leaks did
>>>>>>>> you
>>>>>>>> check for during your audit?
>>>>> Hi,
>>>>>
>>>>> How can I check what information wget is transmitting? I used
>>>>> wireshark
>>>>> and filtered to see only the traffic sent from wget to localhost:8118
>>>>> but
>>>>> I'm not a network expert and I don't know how to interpret the data.
>>>>>
>>>>> Anybody has deeper network knowledge?
>>>>
>>>> I've just checked wget, it does leak DNS even with http_proxy
>>>> environment
>>>> variable set.
>>>>
>>>> How to check:
>>>>
>>>> 1. Run wireshark
>>>> 2. Select "Pseudointerface (any)" unless you know which interface to
>>>> look
>>>> at
>>>> 3. Put "dns" into the Filter field and click "Apply" button
>>>>
>>>> DNS is easy to spot since it's almost always going to UDP port 53
>>>> (exceptions
>>>> are really rare).
>>>>
>>>> Then you'll see what DNS queries your host did at the time (obviously
>>>> it's
>>>> best
>>>> to turn off any other program that could interfere in the measurement).
>>>>
>>>> These things can change on version-to-version basis of the same
>>>> software,
>>>> so
>>>> it's always best to check your actual version with wireshark.
>>>>
>>>> Though curl is much better than wget in all recent versions at least,
>>>> this
>>>> does
>>>> not leak DNS (--socks5-hostname is the important part; Tor SOCKS5 proxy
>>>> is
>>>> expected to run at port 9050):
>>>>
>>>> curl --socks5-hostname localhost:9050
>>>> "http(s)://somesite.wherever/rest_of_url"
>>>>
>>>> Ondrej
>>>> _______________________________________________
>>>> tor-talk mailing list
>>>> tor-talk@xxxxxxxxxxxxxxxxxxxx
>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>>>
>>>
>>>
>>> _______________________________________________
>>> tor-talk mailing list
>>> tor-talk@xxxxxxxxxxxxxxxxxxxx
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>>
>>
>> _______________________________________________
>> tor-talk mailing list
>> tor-talk@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
> 
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> 

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk