LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 12-04-2012, 11:49 PM   #1
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
Tor questions


I want to tinker with tor. I appreciate some feedback from a Slacker perspective about the following:

* Privoxy and polipo are no longer required

* The tor button is no longer required

* Slackers need only build and install tor and vidalia

* The current stock Firefox can be used and the special tor version of Firefox (tor browser bundle) is not needed

Questions:

Is vidalia required or desired? Can a user just configure the Firefox proxy settings to the tor SOCKS5 port 9050, edit torrc manually as needed, and be done?

Is a second profile for using tor required? Recommended?

My understanding is tor is faster than a few years ago. Would a caching proxy still help (squid, polipo, etc.)? If yes, can https be cached?

Are any special iptables rules required?

The tor button remains available as a Firefox add-on. I presume the purpose is to quickly toggle the proxy settings?

Thanks much.
 
Old 12-05-2012, 01:28 AM   #2
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,298

Rep: Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722
Quote:
Originally Posted by Woodsman View Post
* Privoxy and polipo are no longer required

* The tor button is no longer required
Any non-SSL pages that store cookies will transmit the cookie in plaintext. The first couple of tor relays won't be able to see this since the actual tor connection is encrypted, but the exit node would be able to sniff your cookies (though NOT for SSL sites since the header is encrypted as well -- but note that sites featuring mixed content may transmit your cookie in plaintext for non-SSL assets!). Using privoxy is still a good idea to remove these cookies entirely (you should not visit unencrypted sites over Tor while allowing cookies for that site, unless you are OK with your cookie being stolen and your session potentially hijacked). Torbutton has some ways of dealing with this (isolating Tor/non-Tor cookies, etc.). I personally do not use Torbutton (it doesn't tend to keep up fast enough with Firefox versions...), but avoiding Torbutton means you need to know how to prevent information leakage.

I use CookieMonster to manage my cookies -- I deny all cookies except those on a whitelist (and temporarily allow cookies when needed). It is OK to browse SSL-encrypted sites with whitelisted cookies over Tor (unless you're afraid that someone has the processing power to decrypt the connection), but you should avoid using Tor if you visit an unencrypted site that uses cookies.
Quote:
Originally Posted by Woodsman View Post
* Slackers need only build and install tor and vidalia
I do not use vidalia. I just use tor and FoxyProxy in Firefox to easily switch between tor/regular browsing.
Quote:
Originally Posted by Woodsman View Post
* The current stock Firefox can be used and the special tor version of Firefox (tor browser bundle) is not needed
This is true IF you know how to prevent information leakage and remain anonymous (that includes *how* you browse in addition to your settings).
Quote:
Originally Posted by Woodsman View Post
Is a second profile for using tor required? Recommended?
I don't use a second profile for tor; I just toggle it on/off when needed using FoxyProxy (more on that later). I am paranoid about security/privacy though, so my browsing state is less comfortable in the name of protecting those than some would allow. If you want a looser experience when not using Tor, a second profile may be a good idea.
Quote:
Originally Posted by Woodsman View Post
My understanding is tor is faster than a few years ago. Would a caching proxy still help (squid, polipo, etc.)? If yes, can https be cached?
I would be interested in knowing this as well.
Quote:
Originally Posted by Woodsman View Post
Are any special iptables rules required?
With any reasonable firewall setup it should Just Work. The connection is initiated from your computer and is all TCP, so if your firewall allows outgoing connections you're probably good. If you plan on setting up a tor relay though, you may need to alter your firewall (I just leech myself).

Even with the Tor bundle, you will not really be anonymous (or secure) by default...it took me a while to figure out how to prevent information leakage as best I can. Wireshark helps immensely (use Wireshark *without* Tor running to see what information the exit node would see if they were sniffing). I will describe my setup as briefly as I can.

First and foremost, install the EFF's HTTPS-Everywhere extension (the latest version works on the latest Firefox despite what their site claims). This will force SSL connections as much as possible (which is a good idea with or without Tor).

I also use noscript with the strictest settings. I only allow full URLs and not just domains or subdomains -- if you allow those, you will be allowing both encrypted and unencrypted assets from those domains (unfortunately I haven't found a way to deny unencrypted connections by domain). If you enable Flash or Java, you are NOT anonymous. Flash/Java will not be routed through Tor (or any other proxy) and your true identity will be visible. noscript allows you to forbid embeddings (including Flash/Java) so you can enable them on demand only (which you would ONLY do if you are NOT going through Tor and are willing to give up your anonymity). Javascript *is* routed through Tor, but clever scripts could wait until Tor is disabled before submitting information. It is best to close all tabs when switching to/from Tor to stop any potentially nasty scripts. It should be noted that a *lot* of information is accessible via javascript that could be used to fingerprint you. Slackware's Firefox reports a rather unique window.navigator.buildID property which significantly reduces your entropy, and that combined with a few other properties would end up giving you away. Fingerprinting is hard to avoid these days. Firegloves (a Firefox extension) is OK and may help, but when randomized it reports inconsistent data, and it undefines certain variables/objects that are a dead giveaway that you are spoofing this information (which can, ironically enough, be used to fingerprint you). I don't know of any other extensions to reduce javascript-based fingerprinting. I have myself been tinkering around and have a working preliminary extension, but it is far from usable in the real world and I have a habit of starting things and not finishing them...

As I mentioned previously, you will need to use a cookie manager. I use Cookie Monster myself. Using privoxy is a good idea as well to remove non-SSL cookies from headers. I don't know of any Firefox extension that allows you to allow cookies only from SSL sites.

A big problem with most encrypted sites, is that they rely on unencrypted assets. This includes this site. I do not personally surf LQ over Tor, but if you wanted to, then you should know that your cookie is transmitted over SSL and in plaintext -- so anyone sniffing could hijack your LQ account (unless you sanitize cookies with Privoxy). A good way to deal with this (and to prevent cross-site attacks and mixed content in general) is to use RequestPolicy. To browse this site, the only asset you need is
Code:
https://lqo-thequestionsnetw.netdna-ssl.com
By only allowing that asset, the site is still functional, but it is all encrypted -- so there is no leakage of your cookie (or what you are browsing, with the exception of the IP of the server). Using full addresses is annoying but it is the only way to allow only https assets. Unfortunately, using RequestPolicy with a sufficiently restrictive setup to preserve anonymity and prevent tracking means you will have a painful browsing experience. How far you go depends on how much you care about anonymity.

Calomel SSL Validation is a nice way of colourfully indicating whether mixed content is present. I believe (based on my testing anyway) it will only show mixed content warnings if loading assets that use javascript. RequestPolicy with full addresses will show you exactly what is being used, but it isn't practical to look at the menu for every site. Calomel is at least a nice way of seeing how at risk you are.

And finally, I use FoxyProxy to route through Tor itself (or to route through Privoxy which itself routes through Tor). Automatically enabling Tor for certain sites (or disabling Tor for certain sites) has drawbacks -- a site may load assets from elsewhere that end up giving away your identity anyway. I personally toggle FoxyProxy on/off entirely, meaning I use Tor for everything or not at all. Using the URL pattern * will enable Tor for everything. To enable Tor browser-wide, make sure the rule is enabled and select "Use proxies based on their pre-defined patterns and priorities". To disable Tor, select "Completely disable FoxyProxy".

That's a lot of information, and I cannot guarantee its correctness. I believe it is mostly correct. Other helpful extensions include Ghostery to avoid known trackers, Adblock Plus to disable ads (which are often tracked by the ad companies), BetterPrivacy (to deal with Flash cookies), and Smart Referer to prevent sending referer headers (there is also the more complicated RefControl, but I prefer Smart Referer myself). It is also wise to clear the cache on browser exit (which you can do through Firefox itself, no need for an extension) since cached content can be susceptible to timing-based fingerprinting and evercookies. I am somewhat pragmatic (despite what the rest of this post says about me) so I enable caching during browsing so visiting a site multiple times in one browsing session isn't completely painful, but I do clear the cache on exit. Disabling HTML5 local storage is probably a good idea as well (Foundstone HTML5 Local Storage Explorer is the only extension I've found that identifies these and allows you to clear them). It may be a good idea to spoof your User-Agent as well -- I use SecretAgent to randomize mine. However, there will be a mismatch between the javascript userAgent and the User-Agent sent in the header, which is a giveaway that you're spoofing. The only solution right now to avoid that is to just choose the most common user agent and set it explicitly in Firefox, which should change the javascript userAgent as well. This may or may not break sites that rely on browser detection, which is why I don't do this. It is better to explicitly set the User-Agent to whatever the Tor bundle says, since any server can detect that you're using Tor anyway -- if you use Tor with a unique user-agent (randomized or otherwise) it makes you unique.

[/essay]

Last edited by T3slider; 12-05-2012 at 01:39 AM.
 
8 members found this post helpful.
Old 12-05-2012, 05:26 AM   #3
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware -current, 14.1
Posts: 1,053

Rep: Reputation: 170Reputation: 170
Nice post, T3slider.

cheers,
 
Old 12-05-2012, 09:54 AM   #4
cwizardone
Senior Member
 
Registered: Feb 2007
Distribution: Slackware64-current & "True Multilib." PC-BSD.
Posts: 2,275

Rep: Reputation: 187Reputation: 187
Quote:
Originally Posted by Woodsman View Post
I want to tinker with tor. I appreciate some feedback from a Slacker perspective about the following:

* Privoxy and polipo are no longer required

* The tor button is no longer required

* Slackers need only build and install tor and vidalia

* The current stock Firefox can be used and the special tor version of Firefox (tor browser bundle) is not needed

Questions:

Is vidalia required or desired? Can a user just configure the Firefox proxy settings to the tor SOCKS5 port 9050, edit torrc manually as needed, and be done?

Is a second profile for using tor required? Recommended?

My understanding is tor is faster than a few years ago. Would a caching proxy still help (squid, polipo, etc.)? If yes, can https be cached?

Are any special iptables rules required?

The tor button remains available as a Firefox add-on. I presume the purpose is to quickly toggle the proxy settings?

Thanks much.
Yes, Tor is faster than it was a few years ago. It does on occasion bog down, but then click on "use a new id" and try again. This site does not like proxies, or at least Tor, and often won't let you on the board until you have gone through several IDs (relay servers) until you find one this site will accept.

Tor is a SOCKS proxy, but you can use it as a HTTP proxy and that requires either Privoxy or Polipo. If you download and use the Vidalia Bundle it installs and uses Polipo as needed.

The Tor people are very emphatic that you use only the Tor Browser Bundle and not use Tor and Vidalia separately. It can be done, I do it, but they do not recommend it and no longer make the Tor Button (for Firefox) available separately.You can find it, but is no longer recomended.

The latest version of the Tor Browser Bundle was made available for downloading just yesterday.

Yes, you can install Tor, Vidalia and Privoxy or Polipo separately ( I use the SlackBuilds) and configure other applications, such as Firefox, Opera, Pidgin, what have you, to use them, but, as stated above the Tor Project does NOT recommend it.
Using Thunderbird with Tor and trying to retrieve gmail just plain doesn't work anymore and that is more the fault of google than anything else. They play their little games and I play mine.

Last edited by cwizardone; 12-05-2012 at 10:09 AM.
 
Old 12-05-2012, 10:42 AM   #5
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
I agree about using the bundle, it is better than using them separately.

I recommend that you understand how tor works very well before using it. There is NO end-to-end encryption, which is a potential vulnerability. Many tor proxies are run by the govn't, so I would be very careful using tor. Honestly, I would not use it unless absolutely necessary, and only in a country without too many laws. Make sure to use noscript or disable scripts completely, and be careful what sites you visit.

I trust freenet more than tor, even tho it is much slower.
 
Old 12-05-2012, 07:12 PM   #6
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
Thanks much everybody for replying. So much information to digest. Please let me summarize my perspectives.

I have no doubt that every tor node is monitored. So the fact that I might be using tor is not a big deal because my goal is not hiding. In today's highly statist mindset, fortunately for me I'm not in any such position (yet? ) of needing to do that. If I had a need to avoid JBTs, I would not use my computer from home for certain tasks. That would be stupid. I'd use a laptop, continually spoof my MAC address, use only wireless access points, stay at one location no longer than 15 minutes, use tor, etc. That would be a lot of work and I'm glad I have no need to operate that way.

My goal and interest in tor is to monkey-wrench the insane social phenomenon of data mining and profiling people. Another goal is to mask my location when using certain services, such as IRC. There are more than enough nuts in this world that I prefer to mask my location in certain situations.

I'm aware that the tor encryption is incomplete and the packets are decrypted at each node. If I want to protect content, such as search engine requests or web mail, then I need to use https/ssl.

Overwhelmingly I run Firefox in a restricted mode. I use a cookies white list and block all other cookies. I use NoScript and maintain a small white list for JavaScript. I never allow Java to run in Firefox. I watch an occasional flash video from youtube or hulu with emphasis on occasional. I prevent all flash cookies. I block probably 99.99% of all advertisements. I block all iframes. I disable referer headers. I disable dom.storage.enabled. I disable geo.enabled. I prevent automatic updates. I spoof user-agents. Etc. I use a user.js file to avoid forgetting any of this. Many people would find such configurations unusable, but they serve my needs.

I know the way I have my browser configured is in itself a fingerprint of sorts and such information could be used to mine data about me. Yet if I mask my IP address at least part of the time through tor, then all people have is a fingerprint of "there is that user again." With tor, correlating that fingerprint to me becomes more challenging.

I know that cookies and JavaScript can leak data that can be used in fingerprinting. I know that JavaScript can be used to detect when a user is spoofing user agents and that kind of thing. Do I care? Probably not. My goal is to monkey-wrench the overall data mining effort and not to hide.

With that said, I'm thinking privoxy will not offer me much because I already use a cookies white list. In other words, those few places where I allow cookies are places I'm not worried about.

The FoxyProxy add-on seems like a quick enough way to toggle tor usage. I realize that using tor in such a manner means I need to be aware at all times of what I am doing. I'm realistic enough to admit that forming such new habits is a challenge and I lose some degree of inconvenience. Another option is to use a different Firefox profile for certain web tasks or use a different browser. Again, habits and convenience play a role.

Because of the restricted way I already use Firefox, and because my goal is to monkey-wrench data mining, sounds to me I only need to install tor and FoxyProxy. Granted, there remains much to learn and until I master all of the quirks undoubtedly there will be times when I leak data. Yet overall, such leakage will be insufficient to help anybody.

I don't know whether web caching will help. I will have to play with tor for a while before I get a feel for how the tor network responds. I am aware that the process of caching could be used to create fingerprints. Yet again, I'm not hiding, I'm monkey-wrenching.

Quote:
If you enable Flash or Java, you are NOT anonymous. Flash/Java will not be routed through Tor (or any other proxy) and your true identity will be visible.
I never use Java in a web browser so that is not a concern. I remain confused how watching flash videos leak data. I can see how that happens when flash cookies are allowed, but I have my system configured to prevent flash cookies. Is location leakage possible just by watching flash videos? I realize JavaScript is required at most (all?) web sites hosting flash videos. Is that how location information leaks?

Quote:
Slackware's Firefox reports a rather unique window.navigator.buildID property
What then is a preferred way to rebuild Firefox to avoid that property? Would using the prebuilt Firefox binary avoid the problem?

Quote:
Firegloves (a Firefox extension) is OK and may help, but when randomized it reports inconsistent data, and it undefines certain variables/objects that are a dead giveaway that you are spoofing this information (which can, ironically enough, be used to fingerprint you)
As my goal is to monkey-wrench rather than hide, simply masking my IP address with tor is good enough. That the end web site can tell I'm spoofing data is fine by me just as long as they can correlate those efforts to me or my location.
 
Old 12-05-2012, 09:26 PM   #7
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,298

Rep: Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722
Quote:
Originally Posted by Woodsman View Post
I have no doubt that every tor node is monitored. So the fact that I might be using tor is not a big deal because my goal is not hiding. In today's highly statist mindset, fortunately for me I'm not in any such position (yet? ) of needing to do that. If I had a need to avoid JBTs, I would not use my computer from home for certain tasks. That would be stupid. I'd use a laptop, continually spoof my MAC address, use only wireless access points, stay at one location no longer than 15 minutes, use tor, etc. That would be a lot of work and I'm glad I have no need to operate that way.
I'm in a similar situation, so I haven't been fretting very much over the information leakage I have found, though I have been noting it as I find it.
Quote:
Originally Posted by Woodsman View Post
I know the way I have my browser configured is in itself a fingerprint of sorts and such information could be used to mine data about me. Yet if I mask my IP address at least part of the time through tor, then all people have is a fingerprint of "there is that user again." With tor, correlating that fingerprint to me becomes more challenging.
The problem comes when visiting the same website with/without Tor -- you leave the same fingerprint, and now even with Tor they can guess your real IP. Or, if you want a conspiracy theory, multiple sites could be pooling fingerprint data, making you more vulnerable to fingerprinting. Unfortunately there really is only so much you can do to prevent fingerprinting...
Quote:
Originally Posted by Woodsman View Post
I know that cookies and JavaScript can leak data that can be used in fingerprinting. I know that JavaScript can be used to detect when a user is spoofing user agents and that kind of thing. Do I care? Probably not. My goal is to monkey-wrench the overall data mining effort and not to hide.
The cookie leakage is an issue in fingerprinting, yes, but the real problem when using Tor is that malicious exit nodes could sniff your cookies and hijack your session -- they still may not know who you are (beyond whatever your cookie represents), but they could steal your account and spam or change your password etc. When using Tor, the cookie issue is probably the most important in my opinion -- there are other issues that may reduce your anonymity, but this one has the potential for a security breach.
Quote:
Originally Posted by Woodsman View Post
Because of the restricted way I already use Firefox, and because my goal is to monkey-wrench data mining, sounds to me I only need to install tor and FoxyProxy. Granted, there remains much to learn and until I master all of the quirks undoubtedly there will be times when I leak data. Yet overall, such leakage will be insufficient to help anybody.
Definitely install Ghostery if you want to prevent data mining. This has nothing to do with Tor, but it pretty seamlessly gets rid of tracking authorities.
Quote:
Originally Posted by Woodsman View Post
I never use Java in a web browser so that is not a concern. I remain confused how watching flash videos leak data. I can see how that happens when flash cookies are allowed, but I have my system configured to prevent flash cookies. Is location leakage possible just by watching flash videos? I realize JavaScript is required at most (all?) web sites hosting flash videos. Is that how location information leaks?
Flash has access to font lists and some other system data that can be used to uniquely identify your machine. Additionally, Flash will not go through a proxy so if you visit a Flash-enabled site over Tor (unless you block Flash), the Flash object could send your real IP to the site (which negates using Tor in the first place). Basically, if you have Tor enabled don't use Flash. Toggle Tor off if you wish to watch Flash videos.
Quote:
Originally Posted by Woodsman View Post
What then is a preferred way to rebuild Firefox to avoid that property? Would using the prebuilt Firefox binary avoid the problem?
I have no idea if this will actually change the configuration (I haven't tried it), but the value is stored in browser.startup.homepage_override.buildID in about:config. You can probably just change it to something more common (either the buildID of stock mozilla Firefox or the buildID of the Tor Bundle, which is 0). Firegloves sets this to undefined (though note that Firegloves *will* break a lot of websites...I am not happy with that extension).

In my opinion, it is currently not possible to completely anonymize Firefox, with or without Tor (or the Tor Bundle). You can only do your best after being informed. If the Tor developers cared about anonymity they would ship a more anonymous (but less usable) configuration in the Tor Bundle. Unfortunately they care more about mass adoption and end up giving people a false sense of anonymity when there are very clear ways to fingerprint and identify users when using the default (or any) setup.
 
3 members found this post helpful.
Old 12-05-2012, 11:23 PM   #8
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
Quote:
The cookie leakage is an issue in fingerprinting, yes, but the real problem when using Tor is that malicious exit nodes could sniff your cookies and hijack your session -- they still may not know who you are (beyond whatever your cookie represents), but they could steal your account and spam or change your password etc. When using Tor, the cookie issue is probably the most important in my opinion -- there are other issues that may reduce your anonymity, but this one has the potential for a security breach.
Okay, slowly this is sinking into my thick skull. When using tor and cookies are not involved, no problems. But use ssl as often as possible to encrypt content. When using tor and cookies are involved, then use ssl only or don't use tor. Second, based upon the presumption that all tor servers are monitored/sniffed, not using ssl opens the doors to compromising user accounts, even simple accounts such as discussion forums. General summary: for operations where ssl or cookies are desired, then don't use tor.

I just looked at my cookies white list. Most of the sites are discussion forums. Let's start with an example: LQ. I already use ssl with LQ. You mentioned third party sites --- assets. I understand that part, but do the LQ cookies include information from the asset sites? When I look at my cookies list I only see linuxquestions.org and no third-party sites. If yes, then you mentioned sanitizing certain cookies with privoxy. How?

Quote:
Definitely install Ghostery if you want to prevent data mining. This has nothing to do with Tor, but it pretty seamlessly gets rid of tracking authorities.
I'm unconvinced ghostery will help me because I'm so aggressive already in denying so much. I'll look anyway.

Quote:
Flash has access to font lists and some other system data that can be used to uniquely identify your machine. Additionally, Flash will not go through a proxy so if you visit a Flash-enabled site over Tor (unless you block Flash), the Flash object could send your real IP to the site (which negates using Tor in the first place). Basically, if you have Tor enabled don't use Flash. Toggle Tor off if you wish to watch Flash videos.
Makes sense. I don't do a lot of flash anyway.

I don't think flash has access to font lists unless JS is enabled. Then again, I don't think there is a single web site that provides flash unless JS is enabled. On the other hand, my strategy for flash cookies prevents them from being created on my system, not to mention that I map the ~/.macromedia and ~/.adobe directories to tmpfs.

So viewing flash probably means revealing an IP address? I suspect an old fashioned proxy server won't work because to conserve bandwidth most proxies probably don't allow multimedia.

Quote:
I have no idea if this will actually change the configuration (I haven't tried it), but the value is stored in browser.startup.homepage_override.buildID in about:config.
Sounds to me that any person spoofing user agents should ensure the buildID matches or at least null the contents of that property. Do you know when or where that string is sent?

Quote:
In my opinion, it is currently not possible to completely anonymize Firefox, with or without Tor (or the Tor Bundle).
Okay. I'm not surprised. So using tor provides a degree of anonymity but a careless person could negate that effort when using Firefox.

Question:
Is there an /etc/torrc option to limit the number of nodes? If my primary purpose is to mask my IP address, then I don't need the normal tor circuit. Just one or two nodes I would think.
 
Old 12-06-2012, 01:11 AM   #9
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,298

Rep: Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722
Quote:
Originally Posted by Woodsman View Post
I just looked at my cookies white list. Most of the sites are discussion forums. Let's start with an example: LQ. I already use ssl with LQ. You mentioned third party sites --- assets. I understand that part, but do the LQ cookies include information from the asset sites? When I look at my cookies list I only see linuxquestions.org and no third-party sites. If yes, then you mentioned sanitizing certain cookies with privoxy. How?
See here, section 6.4 for a brief note. Some sites include assets from the non-SSL version of their site if they haven't made all of their assets available over SSL. For example, they may include an image or CSS file from the non-SSL version of their site. Every cookie manager available for Firefox just looks at the domain and not the protocol -- so the cookie will get sent with the request for the non-SSL image. noscript tries to patch this (if enabled) by forcing the ";Secure" flag, but I'm not sure how well this actually works. In theory, third-party cookies shouldn't be sent, but a clever attacker running an exit node could inject code into non-SSL pages that intentionally includes third-party assets (for which you may have a cookie) in an attempt to harvest other cookies. Google 'sidejacking' for more info. Privoxy is only able to modify non-SSL pages, so configuring privoxy to remove cookies from the header will effectively kill all non-SSL cookies while leaving the SSL ones intact. Of course, if you wish to visit a non-SSL page that does require cookies, my advice would be to toggle off privoxy/tor and just visit it normally (unless you want to risk hijacking). I'm the wrong person to ask about privoxy configuration, but briefly, you can set privoxy to route through Tor (there are examples in the privoxy config file), so instead of setting FoxyProxy to route through Tor, you set it to route through Privoxy (which would presumably be running on another port) which then automatically routes through Tor. Unfortunately privoxy stalls and does literally nothing for me on Slackware 13.37 and I haven't looked into it further. I make sure not to load non-SSL assets for which I have a cookie when using Tor (made possible by my overly zealous RequestPolicy settings).
Quote:
Originally Posted by Woodsman View Post
So viewing flash probably means revealing an IP address? I suspect an old fashioned proxy server won't work because to conserve bandwidth most proxies probably don't allow multimedia.
That is a true statement regarding the capabilities of proxy servers, but Flash's problem really stems from its inability to go through a proxy at all. Flash does its own thing and won't route through Tor (or another proxy) since it doesn't obey Firefox's proxy settings. You can blame Adobe for that, though using Flash over Tor (or another proxy) would probably be too painful anyway.
Quote:
Originally Posted by Woodsman View Post
Sounds to me that any person spoofing user agents should ensure the buildID matches or at least null the contents of that property. Do you know when or where that string is sent?
The buildID can be checked via javascript's window.navigator object. If you open the scratchpad (Tools>Web Developer>Scratchpad), the following code will pop up the current buildID:
Code:
alert(window.navigator.buildID);
(Click Execute>Run to run it.) This page lists the various navigator properties freely available to javascript scripts (note that some of the weirder ones don't exist in desktop Firefox).
Quote:
Originally Posted by Woodsman View Post
Question:
Is there an /etc/torrc option to limit the number of nodes? If my primary purpose is to mask my IP address, then I don't need the normal tor circuit. Just one or two nodes I would think.
Tor will always use at least three nodes by design (so no node will know both where packets are coming from and what they contain, though the first will know the former and the last will know the latter [unless encrypted with SSL]). It may be possible to restrict the number to exactly three but I don't know how to do it. If you just want to mask your IP a regular proxy would do, but using Tor is probably easier than going through long lists of proxy servers (and the risks would be the same).
 
1 members found this post helpful.
Old 12-06-2012, 02:38 PM   #10
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
Quote:
See here, section 6.4 for a brief note. Some sites include assets from the non-SSL version of their site if they haven't made all of their assets available over SSL.
Ah. So the problem is third party cookies, which I never allow.

Quote:
The buildID can be checked via javascript's window.navigator object. If you open the scratchpad (Tools>Web Developer>Scratchpad), the following code will pop up the current buildID:
Okay, so this is a JavaScript-only leak. I wonder why this information would be useful or valuable to any web developer?

Quote:
Yes, Tor is faster than it was a few years ago. It does on occasion bog down, but then click on "use a new id" and try again.
I presume selecting "use a new id" is done using Vidalia?
 
Old 12-06-2012, 03:15 PM   #11
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,298

Rep: Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722
Quote:
Originally Posted by Woodsman View Post
Okay, so this is a JavaScript-only leak. I wonder why this information would be useful or valuable to any web developer?
It isn't really. It may be useful for Mozilla on their site, but it is kind of stupid to make that information available everywhere.
Quote:
Originally Posted by Woodsman View Post
I presume selecting "use a new id" is done using Vidalia?
If you use Vidalia you can get a new identity. If you don't, then you can use the tor control protocol (if you turn it on). See here. After following the info on how to enable the control protocol, you would want the "Switch to new circuits:" info which would do that for you. If you don't want to use vidalia you could script this.
 
1 members found this post helpful.
Old 12-06-2012, 08:29 PM   #12
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
Quote:
Slackware's Firefox reports a rather unique window.navigator.buildID property....
This can't be cleared or reset through user.js or prefs.js. I can clear only through about:config.
 
Old 12-06-2012, 09:16 PM   #13
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,298

Rep: Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722
Quote:
Originally Posted by Woodsman View Post
This can't be cleared or reset through user.js or prefs.js. I can clear only through about:config.
It may be inherited from /usr/lib{64}/firefox-version/platform.ini, but I haven't tested to see if changing it will actually change the value system-wide. The only other way to change it, as far as I know, is via an extension that intercepts the window.navigator.buildID property (and the only one I know of that does it is Firegloves, which has its own problems). As I briefly mentioned earlier, I have started writing my own extension which does this (in addition to some other stuff), but it is nowhere near ready for public consumption and I'm not sure if I will end up finishing it.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: How To Set Up A TOR Middlebox Routing All VirtualBox Virtual Machine Traffic Over The TOR Netw LXer Syndicated Linux News 0 02-08-2012 12:30 PM
LXer: Tor Browser Bundle-Tor Goes Portable LXer Syndicated Linux News 1 09-02-2011 03:29 AM
TOR: traffic between my workstation TOR entry point really not encrypted..? john99 Incognito 3 11-11-2009 02:06 AM
TOR-there seems to be no tor.pkg- what now? me-$-on Slackware 5 06-06-2008 12:08 PM
Questions about Tor and Blossom Drivx Linux - Software 9 11-12-2007 08:52 PM


All times are GMT -5. The time now is 04:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration