Anyone tried XeroBank (formerly Torrify)

Discussion in 'privacy technology' started by Genady Prishnikov, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Thor,

    Keep the wishlist coming. We're taking notes.

    Steve
     
  2. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    FRAAAAAAAAAAAACKKKKKKKKKKKKK!!!!!!!!! :eek:

    I just did the Shockwave Flash test while using XeroBank browser and Tor network!!!!!!!

    This is fracking amazing!!!!!!! :eek:

    And while I was able to prevent the Java trick from working, the Flash trick is also working, too!!!!

    However, the Outpost firewall rules are again preventing Firefox.exe from sending your IP back to the origin site. Paranoid's rules are preventing direct connection while running the browser.

    Look!

    http://evil.hackademix.net/proxy_bypass

    Follow all those steps:

    - Allow the domain evil.hackademix.net - Noscript whitelist, in order to run Flash contents.

    - Turn off the firewall.

    - Two IPs will be listed:

    Public IP:
    Your Tor IP. Example: 78.40.100.94

    Real IP:
    204.39.31.12 (from your Internet Service Provider)

    And I only performed that test because the Flash plugin was already installed on XeroBank!

    This is the first time Steve has installed this plugin by default! I tried to remove it from here, and failed. So I did the test!!!!! This was not planned before! I discovered it by accident!

    If you leave the firewall activated with that set of rules, even by allowing the domain to run all kinds of scripts, your true IP will not be leaked. The page will not load and leak your true IP!

    That page
    http://evil.hackademix.net/proxy_bypass

    will not succeed in loading and sending back your ISP IP if your firewall is enabled!

    My Outpost log says:

    Blocked Connections:

    Firefox.exe (from xB Browser)

    Direction: OUT REFUSED
    Protocol: TCP
    Remote address: 82.103.140.144
    Remote Port: 9999
    Reason: Block All Activity


    Well, this is getting interesting!

    This reason "Block all activity" was my firewall policy to block everything not allowed manually by myself!

    So, if I understand correctly, a sealed xB Browser should prevent outbound connections to ports 80 (HTTP) and 443 (HTTPS) used by that Java trick and the remote port 9999, which seems to be the port always used by that Flash trick (and I mean it - it always uses the same 9999 port).

    If there's a way to block all those three remote ports, the free browser will be sealed for good and nothing will leak. Unless someone finds a way to connect them using a different port instead.

    You see, the remote address 82.103.140.144 is from the domain hackademix.net itself!

    Push the whois button from here and you will see the origin of each IP:
    http://network-tools.com/default.asp

    And I don't know where I have to configure to force Flash to not make direct connections, using Firefox browser! :p

    I was able to solve that problem with Java, but there is no sign of any Flash program anywhere!

    Assuming Firefox.exe (from xB Browser) is only connecting through the remote port 9050, the browser should be recompiled to perform only connections by using this specific port (along with Tor.exe), and ignoring all requests to use different ports, by any kind of plugin and other threats. Unless there's an idea of remaining a hybrid (anonymous and not anonymous).

    At least the Flash plugin could be blocked and ignored for most sites out there.

    There's another thing I must say!!!! Since the new xB 2.0.0.10a version (now updated to 2.0.0.11 - see the newest Firefox report) - this problem is not happening anymore. At least, after a dozen times, I am not seeing any signs of the same messages from crashes, which is very unusual:

    Post #146 - crashes while starting xB Browser - click here for more info

    You see? I told you!!!!!!! This was probably fixed in the last two updates. There's a memory corruption description from Mozilla (bug fixed) which should be related to my situation (that lasted until xB 2.0.0.10 arrived).

    http://www.mozilla.org/security/announce/2007/mfsa2007-38.html

    This is great, because it was an old problem never solved (until now).
     
    Last edited: Dec 1, 2007
  3. firefox2008

    firefox2008 Registered Member

    Joined:
    May 17, 2007
    Posts:
    125
    I use Anonymizer's Total Net Shield and it failed, my real IP showed up!!!

    I couldn't believe it. I will have to send them an email.




    I just made some adjustments with Firefox NoScript and it couldn't detect my real IP address now. This is a good site to send someone who thinks they are anonymous.
     
  4. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Turn on your firewall, now!!! :p

    It's the only way to avoid this from ever happening again!!!! Unless someone has invented a browser which ignores all possible attempts to make direct connections, or it's using an entire system unable to leak anything (xB Machine and related), this is a major threat.

    Prevent your true IP from being leaked!!!! :)

    This is very simple. You just have to set these rules for your Firefox browser. I am using the Outpost firewall.

    * * * * * Firefox.exe rules * * * * *

    Where the protocol is TCP
    Where the direction is Outbound
    And where the remote port is HTTP (port 80), HTTPS (port 443), 9999
    Block It!!!!!


    That's it! Keep the firewall enabled all the time! Now you may allow anything, Java, Flash, whatever, and your true IP will not be leaked.

    You will also have to modify Java control panel - see this thread for more details.

    These are Paranoid rules regarding Tor.exe file

    The problem with Flash is the fact that there's no control panel to modify the way it tries to bypass Firefox settings. You can't just block everything just to avoid being caught (the way some people were suggesting on this thread).

    The most logical course of action is to keep running these plugins, but prevent them from leaking, by blocking their attempts to send the true IP back and bypass the browser settings (the browser should be doing this work, not the firewall!!!!!). :cautious:

    The problem is very obvious: Firefox browser was not designed to connect to a single remote port (9050) and will connect to all other ports if asked.
     
  5. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Jim,

    The browser would have to start being merged with a firewall, controlling programs outside of the browser, and that would require administrative access and a reboot to run the browser. :(

    I designed a new function to force the java settings you suggest. I strongly doubt flash will read or respect those settings, BUT, this *should* address the issue of leakage from java applets.
     
  6. firefox2008

    firefox2008 Registered Member

    Joined:
    May 17, 2007
    Posts:
    125
    Has anyone ever tried the NoTrax browser? It completely disables everything like Javascript, Flash, ActiveX, etc. It isn't a functional browser as much as IE or FF but it gives the best protection when it comes to privacy. You can run it through a proxy too.
     
  7. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Steve,
    if you type about:plugins on your navigation bar, you will see all plugins installed and being loaded by xB Browser. Flash is one of them.

    I am not aware of any other ways and threats to leak true IPs while using the xB free browser, besides these two tests related before. And even if such ways exist, you have to admit that they are less threatening than Java and Flash.

    The possibility of someone being caught by that Java trick is very, very much higher, because you can't block every single website out there from running Java. Java is the most used script in the world.

    However, Java can be restricted, if you take the time to modify Java Control Panel. Java is a separate program which might be controlled and modified to perform connections via proxy.

    Flash is not a separate program, and because of that, it is acting alone, inside the browser, like a virus.

    The first test to leak your true IP uses Java and/or Javascript.

    Javascript can't leak your true IP because it is built inside the browser, and according to Paranoid2000, he never came across any Javascript code that might bypass the browser settings.

    The issue here is simple. You have configured Firefox one way, and the plugins - merged with Firefox - are telling Firefox to make these connections by another way.

    Firefox can make outbound connections using any ports, if they are not blocked or restricted by firewall rules (or perhaps by your router?).

    So, the most logical thing to do is to modify the entire Firefox source code (which is something that very advanced users should be willing to do) in order to never have the ability to send outbound packets using any remote ports, other than 9050 - which is the only one required to connect to the Tor network.

    I have done another test here. Once I had blocked all remote TCP ports including 9050, XeroBank was not working anymore. The minute I released the remote port 9050, it started working again. All other ports were blocked:

    1-9049, 9051-9999 - blocked

    Unless you are telling me that one of these tricks can also use the same 9050 port. If this can be done, we don't have any choice.

    But I can't see how that Flash trick may be modified by the webmaster to connect to another port instead of 9999.

    Frankly, I am not upset because I have to turn on my firewall every time I am using the free xB Browser. I am just concerned that someday a mistake can be made and, by accident, data gets leaked without my consent.

    I think you're missing the point. We are all able to block every plugin anytime. The problem is, we need them running most of the time. You may be able to block all cookies. But how are you going to use most sites out there? If you do that, you're being cautious (to avoid malicious codes from unknown sites), but on the other hand, you're not being smart from a privacy perspective.

    You see, I don't need Flash installed here. I am able to use 99% of sites out there without allowing this kind of script. But I can't say the same thing about Java. If you don't allow Java sometimes, the entire website can't work and I don't have a choice. Of course, this is not a general rule, but it's the way they are developed.

    And once Flash is installed, I don't see any option here to remove it (that's why I didn't install it before - now that Steve has installed it already, I have done that test).

    This is a problem since NoScript doesn't make exceptions - if you allow a single domain on your whitelist, every kind of plugin will be allowed to run.
     
    Last edited: Dec 2, 2007
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You are confusing Java (runtime) with JavaScript (scripting language). The former is seldom used on the web, usually in the form of applets. JavaScript is used almost everywhere and it's the heart of Web 2.0.
     
  9. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Oh-oh. Lots of mistakes here.

    To uninstall Flash, access that page:

    http://plugindoc.mozdev.org/faqs/flash.html#win-uninstall

    I have done it here and reinstalled again. See this FAQ above for more details. Unfortunately, there's no mention of a way to modify Flash to perform only proxy connections.

    I was saying that I didn't need Flash, and after it was uninstalled, I was visiting a website here (in order to see what was going to be shown on TV in the next days, something I was planning to see even before this Flash test was done). The site is entirely done using Flash, so I didn't have any choice but to allow it (or use my non-anonymous browser to visit it).

    And to correct myself, when it comes to Flash, I learned that there's no way to correct this leakage. Unless I am mistaken.

    http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/

    I was reading what the guy has said before. Listen to this!!!!! I am quoting his words.

    The guy was just explaining that he developed a code to connect to the port 9999, so if he is able to do something like that, he can modify the same code to make Firefox connect to the same (and only) port required for the Tor network.

    And if the Flash trick can do that, we are all doomed if we allow Flash to run, since the firewall will not block this remote port (9050), because it is needed for use with the Tor network.
     
  10. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    XeroBank disables all of those by default. And it connects directly to tor. I downloaded NoTrax just to see what it was like, and my antivirus went off. I think it showed it as a trojan.
     
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I wish I understood this, but I do not have a clue as to what all of that means, hehe.
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    He's saying turn on your firewall. Any firewall, other than the Windows firewall.
     
  13. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Good news, I think I found the solution for this problem!

    According to Paranoid2000, these are the rules to be applied to your firewall, in order to prevent that Flash trick from working (and all other plugins like Java).

    The Outpost Firewall forum has a thread about this.

    Click here for more details

    Browser rules - Firefox.exe from XeroBank's directory

    The first rule is called "Special Rule" and should be inserted before the other rule.

    * Type localhost instead, and the firewall will change the word to the address 127.0.0.1.

    The second rule is called "Browser Block Direct Access":

    You see, the second rule is blocking all outbound connections going through all ports. You just have to not specify numbers! And then, the first rule is allowing connections through port 9050 (used by Tor network), but only if they are going through localhost/127.0.0.1.

    That means, if that Flash trick tries to connect to the remote port 9050, it will not succeed, since it's trying to send back your true IP to a different remote address other than localhost!

    Just to finish this matter, I would like to have that Flash source code from that website:

    http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/

    Modified to perform connections using the port 9050. And then, if it's still logged as a blocked connection, I will be 101% sure. For the time being, I am well pleased that I found some answers and ways to stop these threats, even by myself. I don't know if such a thing would be possible if it wasn't for Wilders Security.
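
Added example, not part of any post in this thread and not Outpost's rule format: a small model of the port blocklist from post 4 and the two ordered rules from post 13, evaluated against the connection in the Outpost log and two constructed attempts. First-match rule ordering, the default policy parameter, and the 203.0.113.7 test address are assumptions of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One outbound-TCP rule for Firefox.exe; None means 'any'."""
    name: str
    action: str                                   # "allow" or "block"
    remote_net: Optional[str] = None
    remote_ports: Optional[FrozenSet[int]] = None

    def matches(self, addr: str, port: int) -> bool:
        if self.remote_net and ip_address(addr) not in ip_network(self.remote_net):
            return False
        if self.remote_ports is not None and port not in self.remote_ports:
            return False
        return True


# Post 4: block only the remote ports the two known tests used.
PORT_BLOCKLIST = [
    Rule("Block 80/443/9999", "block", remote_ports=frozenset({80, 443, 9999})),
]

# Post 13: allow the local Tor port first, then block every other destination.
LOCALHOST_ONLY = [
    Rule("Special Rule", "allow", "127.0.0.1/32", frozenset({9050})),
    Rule("Browser Block Direct Access", "block"),
]

# (remote address, remote port, description). Only the second entry comes
# from the thread; the 203.0.113.7 entries are constructed test cases.
ATTEMPTS = [
    ("127.0.0.1", 9050, "browser to local Tor port"),
    ("82.103.140.144", 9999, "Flash test, as in the Outpost log"),
    ("203.0.113.7", 9050, "constructed: plugin connecting out on port 9050"),
    ("203.0.113.7", 8080, "constructed: plugin connecting out on another port"),
]


def decide(rules: List[Rule], addr: str, port: int,
           default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins (assumed); otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(addr, port):
            return rule.action, rule.name
    return default, "default policy"


def direct_connections_allowed(rules: List[Rule],
                               default: str = "allow") -> List[Tuple[str, int]]:
    """Non-loopback destinations Firefox.exe could still reach directly."""
    return [(addr, port) for addr, port, _ in ATTEMPTS
            if not ip_address(addr).is_loopback
            and decide(rules, addr, port, default)[0] == "allow"]


def tor_still_works(rules: List[Rule], default: str = "allow") -> bool:
    """The browser must still reach the local Tor port on 127.0.0.1:9050."""
    return decide(rules, "127.0.0.1", 9050, default)[0] == "allow"


if __name__ == "__main__":
    for label, rules in (("port blocklist", PORT_BLOCKLIST),
                         ("localhost-only", LOCALHOST_ONLY)):
        print(label, "| Tor usable:", tor_still_works(rules),
              "| direct connections allowed:", direct_connections_allowed(rules))
```

The port blocklist stops only the ports it names, while the allow-then-block pair leaves 127.0.0.1:9050 as the single reachable destination; swapping the order of the two rules in this model blocks Tor as well.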
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Jim,

    Please stop posting firewall rules here. Those have nothing to do with this thread, it dilutes the value of the information and makes it hard for others to see.

    Additionally, we tested the java code that sets specific proxy rules, and java applets can still bypass it if it is in their code. That hacker.org site just isn't a very well-coded applet, I guess. So the upshot is the code will keep non-malicious applets from telling on you, but won't keep malicious ones from it. The user will still need xB VPN or a firewall of any sort.

    Steve
     
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    We just added support for concurrent instances of firefox. You can now run xB Browser with an additional firefox open at the same time if you like. This is made possible because we have gotten rid of Torbutton. Now we will need to add a theme to xB Browser so no one can visually confuse it.
     
  16. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Steve, You have the patience of a saint. Jim is hyper-excitable and often wrong and says in 37 paragraphs what can be said in two sentences.
     
  17. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    All sites out there can't see our true IP (behind Tor) if we block all plugins from being executed in the first place.

    The only way they can find out your true IP is by running any threatening scripts that are actually bypassing and ignoring the browser settings. It depends on using the correct code to do that. Most internet tests out there (gemal.dk for example) can't find your true IP, because the webmasters don't know the correct codes, described here on this thread.

    Of course the most fanatic/paranoid (and not smart) will say: "Never allow any sites to run scripts", but that's not the answer and final solution for this problem. If we do that, we can't use most sites out there. It's better to stay in a bunker, instead of living like that.

    Everyone should be entitled to run any scripts, but at the same time, take the correct measures to prevent them from harming the browser and leaking their true IP. And the only way we can do that is not by blocking them, but by preventing them from working.

    We need to configure our firewall to avoid these attempts. And if you take time to read this whole thread, you will see I finally did that on my last post, with that correct set of rules. Unless there's another way to leak the true IP that I am not aware of.

    That being said, I am finally protected against any attempts to leak my true IP.

    It doesn't matter if 37 paragraphs or 37.000 were necessary. This is not my problem, it's something that has bothered people using Tor since Torpark browser arrived in 2006!

    I remember the time Steve had his personal board, every single day people were asking the same questions about leaking their IP allowing plugins. Of course at that time no one developed a code that is actually showing your true IP behind Tor, and no one was truly concerned about it. Why be concerned about something that was just a theory?

    I thought this didn't even exist! One year later, someone finally proved I was completely wrong!

    No one on this thread is concerned about this because they are already using paid services, or different ways to avoid this leakage, including Steve. It's easy to be a saint if you live in paradise.

    Considering that Firefox was not designed to behave the way I want it to, my firewall is my only friend here. Period.

    Then, I will say this for the last time:

    - Use the correct set of rules on your firewall (see all my posts and you will find what are the required rules).

    - Never turn off your firewall while you're using XeroBank browser (free version), relying on Tor network. Unless you want to leak your true IP.
     
  18. Ballzo

    Ballzo Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    36
    Jim, I admire your tenacity. Your enthusiasm has brought to light an interesting and very important issue. One that isn't new, and has previously been addressed in the Tor documentation. Your revelations are not new. They are valid, but not new.

    Simply put, there is a good chance that your IP address may be leaked if you allow plugins, and more specifically both Java and Javascript, full access in the browser. People need to know that. It's a huge hole.

    The default XB browser settings, however, have never leaked my IP. Never. Never.

    I disagree wholly with your notion that much of the web is crippled by disabling JS and Java. I'm not saying it isn't true, I am saying that this has never been an issue for me. The sites I access don't use Java and JS. And on this score, that is a personal choice. If you want to put your foot on the railroad track with the train coming and expect some measure of safety that your foot won't be liquified, that's your business.

    Further, the tests you refer to are not new. Many of these I personally examined last Summer. Google is your friend, and these were easily found. I found them, ran them, noted the fact that my IP address wasn't being leaked and moved on.

    Essentially you want to have your cake and eat it too. For many of us, it's a given that for maximum safety, you will disable plugins, Flash, Java and Javascript.

    If you choose to ignore default safety, then you have a whole other can of worms for which you will need protection.
     
  19. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Now that you mentioned it, I took the liberty of seeing Tor's FAQ again.

    Here's what they say about this.

    I just wish someone had researched, the way I did here on this thread, ways to keep using all plugins, and staying anonymous, not leaking your true IP.

    If your firewall is the only thing that might provide this, why not seek out this information? Since the browser can't behave the way I want it to (allowing all plugins, but at the same time, stopping them from leaking your true IP).

    I don't understand why some people on this thread are fighting against my research. They should realize that most people are very ignorant about what we are discussing here and will activate plugins, ignoring default blocks placed by Noscript/xB Browser, in order to use most sites out there, relying on Java and Flash.

    And if they do that, not using a firewall with the correct set of rules, they will be caught, sooner or later. If XeroBank free browser, relying on Tor, can't provide this kind of protection, why not spread this information about the firewall?

    You see, I was the only one (and Paranoid2000, to whom I am grateful) who insisted on seeking the correct firewall rules to block all plugins from leaking this information (about your true IP). And I did it! At least, I think I did it.

    I am sick and tired of hearing everyone saying to disable all plugins. Let's keep them activated, and fight against their attempts to leak our true IP! If we keep disabling (and not modifying the way they work), we will perpetuate ignorance.

    http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-d50c7b193535267379bbb778a5d69063455b7f19
    https://www.torproject.org/download.html.en#Warning
     
    Last edited by a moderator: Dec 10, 2007
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    We've got additional updates. I think we're going to push xBB 2.0.0.11 just so it fixes one annoyance that cropped up. It will also include the java proxy soft management.

    Steve
     
  21. AdamBB

    AdamBB Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    17
    TOR exit-node doing MITM attacks

    Just stumbled over this:

    http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitm-attacks/

    Highlights the inherent downside of an open structure like Tor. Anyone can be, and sometimes IS, operating your Tor nodes. Significantly more dangerous and real than leakage of one's true IP info.

    Clearly, any solution might be compromised, but as I see it, the risk in making a judgement call on trusting for instance XeroBank is preferable to the near certainty (imho) of routing my sensitive data through the hands of hackers, criminals and government agencies.

    Cheers
     
  22. SirRollsAlot

    SirRollsAlot Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    24
    Is there a dev blog or newsletter/RSS feed that interested parties can view as to the updated services, programs, or other tech news for the near future? That way people would only have to visit the site to download new files etc. instead of checking repeatedly for updates?
     
  23. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    There was/will be. I used to do it on the Portable Privacy blog, but that will no longer be associated with xb. I've been informed that there will be an RSS feed that is directly fed into xB Browser. You'll be able to view it right in your bookmarks to see our latest posts or updates.

    You know, that does count as a suggestion. :)
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    The new theme for xB Browser is done. Time to do a new release.
     
  25. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    That's funny because I just downloaded a trial version of their product that has an antivirus (Nod32), anti-spyware, and Anonymizer. It did not reveal my true IP.
     