Critical Tor flaw leaks users’ real IP address—update now

Discussion in 'privacy problems' started by mirimir, Nov 6, 2017.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,871
    Tinfoil Chat ;)
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,866

    We have had a few of those my friend! [smile]
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    98
    Location:
    Some country in the European Union
    Yes, SMTP wasn't designed with security and privacy in mind.

    You can always set up your MTA yourself. Yes, I know it is a bit technical. Indeed, it needs a little more knowledge to run a reasonably secure (by security in this place I mean measures against remote code execution) and spam-resistant MTA than to run a secure WWW server, because email is decentralized, but it's doable. You won't get strong crypto by any means by that, unfortunately.
    I know email has some flaws, but I still enjoy reading mailing lists and I feel a lot more secure on them than surfing the WWW.
     
    Last edited: Nov 11, 2017
  4. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    244
    Yea, SMTP/IMAP/POP/HTTP/FTP and several other protocols were never designed with
    privacy in mind because they were all invented in the innocent age and nobody thought that things like encrypting these plaintext protocols would someday (now) be needed.
    So that's why we now have all these encryption layers duct-taped over the old protocols.

    I would just love to see the day when I could enforce all the encryption goodies in my mail server.
    http://www.postfix.org/TLS_README.html

    But because I still have to worry that someone, somewhere is still using an outdated server to
    contact my server that does not support encryption, the only thing I can do now is set the option smtpd_tls_security_level to "may" (equal to STARTTLS) ..... duh! :(

    Setting up your own e-mail server takes some time and effort, but it only needs to be done once,
    and only two times did I have to touch the configuration again during the last 7 years. Once was to generate a new self-signed SSL certificate. And the second time was because there was some major change in postfix.

    These docs were massively helpful when I started my own server:

    https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server
    https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server/SMTP_Authentication
    https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server/SSL_Certificates
    https://wiki.gentoo.org/wiki/Postfix/DKIM

    PS: Hmmmm.... I wonder, would there be an interest for a really small, personal home e-mail box with as much stuff preconfigured as possible, automatic self-signed SSL cert creation and an easy to use GUI or WebUI for customizing your own stuff (like passwords, usernames, domain name etc..)? All the buyer would need is an already registered domain name, preferably a static IP (could be made to work with a dynamic IP with the help of DynDNS, but then some servers will refuse to deliver) and some open ports.

    I could see this being useful for those who don't trust gmail, yahoo etc. and want to have their completely own e-mail and maybe also give access to their friends/family members too (of course the self-signed cert generated would need to be installed on their devices in that case)

    EDIT: Oh, and to BB (Big Brother) out there: If you want my PGP encrypted personal mail, you can talk to my lawyer and if you want to confiscate my box, well get a warrant buddy and also some time to decrypt my AES-256 drive ... :D
     
    Last edited: Nov 11, 2017
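An added example, not from the thread and not Stefan Froberg's own configuration: a Postfix TLS policy that keeps port 25 at "may" for the reason the post gives (you cannot refuse a legacy sender that has no STARTTLS), but enforces TLS on the submission port that only your own users touch and, for outbound mail, enforces it against every destination that publishes DANE TLSA records. The distinction the post glosses over: "may" advertises STARTTLS and still accepts plaintext, "encrypt" refuses plaintext. The certificate paths, the CA bundle path and a local DNSSEC-validating resolver are assumptions. It is written as a shell script so that the same functions either print the settings for review or apply them with postconf.

```shell
#!/bin/sh
# Added example (not from the thread or the Postfix docs): a Postfix TLS
# policy that keeps port 25 opportunistic, as the post explains it must be,
# while enforcing TLS where you control both ends.
# Assumed placeholders: certificate/key paths, CA bundle path, and a
# DNSSEC-validating resolver on 127.0.0.1 (needed for smtp_tls_security_level = dane).

# main.cf settings.
# Inbound (smtpd_*): "may" offers STARTTLS but accepts plaintext from an old
# sender; "encrypt" would refuse it, which is what you cannot do on port 25.
# Outbound (smtp_*): "dane" enforces TLS plus certificate matching for any
# destination with TLSA records, and falls back to opportunistic TLS elsewhere.
postfix_tls_main_cf() {
    cat <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/fullchain.pem
smtpd_tls_key_file = /etc/postfix/tls/privkey.pem
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
EOF
}

# master.cf entry for the submission port (587), used only by your own
# users: TLS is mandatory there, and AUTH is only offered inside TLS so
# passwords never cross the wire in the clear.
postfix_submission_master_cf() {
    cat <<'EOF'
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# Write the settings with postconf (run as root, Postfix 2.11+ for -M -e),
# print the effective inbound/outbound levels, then reload.
install_postfix_tls() {
    postfix_tls_main_cf | while IFS= read -r line; do
        postconf -e "$line"
    done
    # postconf -M -e replaces (or adds) the whole submission/inet entry;
    # the continuation lines are joined into one argument.
    entry=$(postfix_submission_master_cf | tr -s ' \n' ' ' | sed 's/ $//')
    postconf -M -e "submission/inet=$entry"
    postconf smtpd_tls_security_level smtp_tls_security_level
    postfix reload
}

# Live check: the negotiated protocol and cipher on the submission port.
check_submission_tls() {
    openssl s_client -connect "${1:-localhost}:587" -starttls smtp </dev/null 2>/dev/null \
        | grep -E '^ *(Protocol|Cipher) *:'
}

case "${1:-show}" in
    show)    postfix_tls_main_cf; postfix_submission_master_cf ;;
    install) install_postfix_tls ;;
    check)   check_submission_tls "${2:-localhost}" ;;
esac
```

Run without arguments to print the settings, with "install" as root to write them, and with "check host" afterwards to confirm that 587 negotiates TLS. A self-signed certificate works with "may", but remote senders cannot verify it; enforcing inbound verification from the other side means publishing a TLSA record for your own certificate, which this example does not cover.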
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,082
    @Stefan Froberg I don't think you'll be able to do that without a hosting service of some kind. Most residential IP addresses are already on email blacklists and most ISPs will block the standard email ports.
     
  6. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    98
    Location:
    Some country in the European Union
    In my country most ISPs block the SMTP port, but often one call to them to explain that I want to use this port is enough to unblock it.
     
  7. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,027
    Whack a mole? You mean a repetitious and futile task. A hole is plugged only to reappear
    again somewhere else. What apps are bypassing TOR if firewall rules are in place?
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,871
    None, I think. But there's no firewall with Tor browser, unless you add it. And for most users, Tor is Tor browser.
     
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,082
    The problem is not so much apps bypassing tor, as apps that can get the IP address of the TORed computer and forward it through TOR to an endpoint server.
    I have a suspicion that is what may happen with the file:// URL if it refers the browser to files on the host computer, not the web server.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,871
    Apps can't get ISP-assigned IP addresses without bypassing Tor.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,866
    So we have to decide or "pick our poison" on configuration. One thing that is always preached by TOR devs is to use a generic TBB (if you are using the browser) and keep the screen size at default size, etc..... The goal is to appear exactly as a generic TBB user where nothing makes you stand out in the crowd. Now if you add firewalls in the browser that will cancel the absolute generic user configuration. Hmmm?

    What about placing a UFW firewall set on the root of the linux VM and leaving the generic TBB alone? Websites would only see a generic TBB while the root VM firewall would block/stop anything leaving to NAT outside of TOR. If this is how anyone is accomplishing their configuration, would someone paste in some suggestions which might be compatible with UFW? iptables is not too bad, but if UFW would handle it the solution would be easier to visualize. On many of my systems I have multiple TBB's sitting on a linux VM desktop, so a general VM firewall would then protect all those TBB's from this leak. I know the VPN2 IP is not going to kill me, but still, if I can conceal it (from this leak) why not? I'll probably stick with Whonix mostly, but lots of what I do is just reading around. I still want privacy though.
     
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    98
    Location:
    Some country in the European Union
    RockLobster probably means reading the IP address of the NIC through an OS API and sending it as content in a layer 7 protocol. For example, a bash script can issue ifconfig/ip addr show and then send the output by netcat. Even if the netcat TCP connection were routed through Tor, the IP addresses would be leaked.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,871
    Yes, that's what I mean. In Linux, iptables. In Windows, Windows firewall. In OS X, pf.

    I mean, good VPN clients do it. So why not Tor browser?

    It's funny how some Tor devs have made fun of VPN services for being leaky, isn't it?
     
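An added example, not from the thread, of the VM-level firewall Palancar asks about and mirimir points to with "In Linux, iptables". The assumed setup, which the thread does not spell out: the VM runs the distribution's tor daemon as its own unprivileged user (debian-tor on Debian/Ubuntu) with SocksPort 9050, and Tor Browser is started with TOR_SKIP_LAUNCH=1 and TOR_SOCKS_PORT=9050, so the browser and every other program run under a different uid than tor. With that, an owner match lets tor's packets out and rejects everyone else's, which is the direct-connection class of leak that a browser without a firewall allows. It does not cover reasonablePrivacy's case of a program reading the NIC address and shipping it inside a Tor circuit; in a NATed VM what that leaks is the private address mirimir mentions. The ufw command line has no owner match, so the rules are written in raw iptables-restore form.

```shell
#!/bin/sh
# Added example (not from the thread): egress rules for a Linux VM that runs
# Tor Browser, so that only the tor daemon may talk to the network.
# Assumptions (not stated in the thread): the system tor package runs as the
# unprivileged user "debian-tor" with SocksPort 9050, and Tor Browser is
# started with TOR_SKIP_LAUNCH=1 TOR_SOCKS_PORT=9050 so the browser runs under
# a different uid than tor. Override TOR_USER if your tor user differs.
TOR_USER="${TOR_USER:-debian-tor}"

# IPv4 ruleset in iptables-restore format: default DROP, loopback open,
# replies to tor's own connections allowed in, only tor's uid allowed out.
# The LOG rule before the final REJECT turns every bypass attempt into a
# kernel log line, which is the detection half of this control.
tor_only_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-tor egress: "
-A OUTPUT -j REJECT
COMMIT
EOF
}

# IPv6: nothing leaves at all (tor in this setup is IPv4-only). An open IPv6
# path is the classic gap in "Tor only" firewalls, see the later post about
# ISPs handing every device its own public IPv6 address.
tor_only_v6_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Load both rulesets atomically (run as root).
apply_tor_only_rules() {
    tor_only_rules | iptables-restore
    tor_only_v6_rules | ip6tables-restore
}

# Sanity check after applying: a direct fetch must fail, a SOCKS fetch via
# tor must succeed and report IsTor true. Needs curl and network access.
check_tor_only() {
    if curl -s --max-time 10 -o /dev/null https://check.torproject.org/; then
        echo "FAIL: direct connection succeeded, rules are not in effect"
        return 1
    fi
    curl -s --max-time 60 --socks5-hostname 127.0.0.1:9050 \
        https://check.torproject.org/api/ip | grep -q '"IsTor":true' \
        && echo "OK: only tor can reach the network"
}

case "${1:-show}" in
    show)  tor_only_rules; tor_only_v6_rules ;;
    apply) apply_tor_only_rules ;;
    check) check_tor_only ;;
esac
```

Run it without arguments to review the rules, as root with "apply" to load them, and with "check" to confirm that a direct fetch fails while a SOCKS fetch through tor reports IsTor true. After that, a "non-tor egress:" line in the kernel log is a program trying to get out around Tor. If ufw already manages the VM, the same two rulesets can be placed in /etc/ufw/before.rules and /etc/ufw/before6.rules, which ufw feeds to iptables-restore and ip6tables-restore.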
  14. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,866

    Are you using this example for someone running TOR on their actual host computer? I cannot visualize how this would work if a downstream chained linux VM, NAT'd to a clean linux host, was the system hosting the TBB. I can see where absent firewalls the VPN IP can be pwn'd, but not the native IP of the host.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,871
    Well, that's not a very interesting IP address, unless you're wired direct to the Internet, with no router. And who in their right mind still does that? Even without VPNs and stuff, that'd show 192.168.1.155 for the host running this VM.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    98
    Location:
    Some country in the European Union
    Probably some uneducated users, who also can't write a few firewall rules
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,871
    Seriously? What sort of consumer ISP assigns public IPs to users' devices?
     
  18. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,082
    So if you type ipconfig into a cmd line window while using Tor, does the dialogue not display your own local IP?
    I'm not being facetious by asking that, I really have never tried it. I just assumed the local IP remained as usual, so therefore an app could get it from the system as easily as the user can.
    Edit: Didn't see the other new posts while I was typing this, ReasonablePrivacy described what I meant.
     
    Last edited: Nov 12, 2017
  19. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,082
    I didn't test with tor, I'm on my android phone, so while connected to a VPN I can pull up my config and see two local connections, the tunnel to the VPN, and my usual ISP assigned, internet IP.
    So if the OS monitor app that I am using to view that config can get both, so can any other.
    Edit: I was speculating when I suggested that was what the file:// URL exploit was doing, I haven't really looked into it but I am going to now, what I do know is, file:// was supposed to direct the browser to open files on the host computer, not the web server.
     
    Last edited: Nov 12, 2017
  20. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,082
    Ok scratch what I said,
    To point to files on the web server the URL is formed,
    file://domain/path/filename

    To point to files on the computer the browser is running on the domain can be localhost or omitted and the URL is formed with THREE slashes.
    file:///path/filename
    That will default to the computer the browser is running on.
     
    Last edited: Nov 12, 2017
  21. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,082
    I would hope modern web browsers have been modified not to allow this stuff I'm reading right now.

    A file URL is hardly useful on the Web for the reasons explained above.
    Possible rare exceptions:
    You might really wish to link to a file which is assumed to reside on the user's disk. But you would really have to know where it resides, so this probably only applies in a local network where computers are managed in a centralized manner so that they are very homogeneous. In such cases, you might even make it possible to launch applications, using URLs like file:///C|/W95/Calc.exe. Warning: file URL links to BAT files on PCs typically cause the file to be executed, not viewed! On the other hand, depending on the browser and its (security-related) settings, references to applications, command files etc. might have to go through various checks, which perhaps ask the user for permission to execute them


    That URL above does appear to work, well, in my browser it does. It points to a directory that no one should have any more (Windows 95), so it should be safe to click on it and get a file not found error. But still, there is surely something up with that; a URL can easily be disguised with text, we do that all the time to make a link say "click here" or whatever.
    I wonder what it would do if that directory and file does exist.
     
    Last edited: Nov 12, 2017
  22. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,082
    Moderators might want to know I didn't make that file url a live link it did it by itself, just pasting that text to the post made the file url into a live link.
     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    9,305
    Location:
    England
    I de-linked it for you RockLobster.
    In case you need to de-link something similar again, this post by LowWaterMark should be helpful about how to do that.

    https://www.wilderssecurity.com/threads/smilies-how-to-disable.362568/#post-2360806
     
  24. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,082
    I don't have the resources to test this right now, but I am wondering if clicking on a triple slash file url that directs the browser to the local computer resulting in a file not found error, might result in an error message containing the local ip being sent to the webserver that hosted the url.
    Anyone who has wireshark set up can easily test it. Post such a URL on a web forum (probably in a private message would be best) once it is posted, click on it.
     
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    98
    Location:
    Some country in the European Union
    My ISP still provides modems. Of course routers also, but modems are still existent in their offer. The modem assigns the IPv4 address to the connected device.
    Besides that, a router can be commanded to work in bridge mode instead of router mode.
    BTW, relying on an ISP-provided configuration, where the ISP isn't even aware you want to be anonymous, to remain anonymous is not wise.
    There are also IPv6 addresses. Although I don't have IPv6, I know that this new protocol wants to minimize the use of NAT. It still has NAT, but it is not recommended. Instead the ISP would assign a 64-bit prefix to the customer and every customer device would have its own public 128-bit IPv6 address based on it. Probably some ISPs would deviate from the standard, but not many I hope. From the network perspective, NAT is usually undesirable.
     