Ok, here is the Tor Talk thread that inspired our one:

Note: I have reformatted the thread such that it's slightly easier to read, and deleted extraneous replies that don't improve the context of the posts. Other than that the information is the same, apart from 1 post from a guy who accidentally posted in the wrong thread.

Again, this is a technical subject, so the more eyes analyzing the information the better.

-----
Quote

[tor-talk] wget - secure?

#######################################################################
Post #1
torsiris at tormail.net
Tue Apr 17 18:27:03 UTC 2012

Hi,

I saw a conversation about wget and I'm wondering if wget is safe to use.
I know about DNS leaking but could there be another privacy concern?
Can wget put the real IP in a header for example? I guess it can't but
does someone know for sure?

Thanks a lot!

#######################################################################
Post #2
Runa A. Sandvik runa.sandvik at gmail.com
Wed Apr 18 05:01:51 UTC 2012

According to a table on https://code.google.com/p/torsocks/, wget is
not 100% safe to use with Tor and it does leak DNS.

#######################################################################
Post #3
Maxim Kammerer mk at dee.su
Wed Apr 18 05:52:07 UTC 2012

On Wed, Apr 18, 2012 at 08:01, Runa A. Sandvik wrote:
> According to a table on https://code.google.com/p/torsocks/, wget is
> not 100% safe to use with Tor and it does leak DNS.

No, what that table shows is that there are possible issues with
torifying wget with torsocks (as opposed to, e.g., pointing
http(s)_proxy to Privoxy; this probably just means that wget sends its
version in the User-Agent header), and that wget does not leak DNS
requests when used with torsocks (rather useless information, since
it says nothing about what happens without transparent torification).
My tests show that wget does not leak DNS requests when HTTP(S)
proxies are specified via environment variables.

TL;DR: wget is 100% safe to use with Tor and it does not leak DNS
(also true for curl, by the way).

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)

#######################################################################
Post #4
coderman coderman at gmail.com
Wed Apr 18 07:07:11 UTC 2012

On Tue, Apr 17, 2012 at 10:52 PM, Maxim Kammerer wrote:
> ...
> My tests show that wget does not leak DNS requests when HTTP(S)
> proxies are specified via environment variables.

if:
1. using environment variables correctly
2. using command line parameters correctly

set http_proxy but not HTTPS_PROXY or ALL_PROXY with recursive? maybe oops.

all generalizations are false ;)

in other words, user beware.

#######################################################################
Post #5
Robert Ransom rransom.8774 at gmail.com
Wed Apr 18 08:37:43 UTC 2012

On 2012-04-18, Maxim Kammerer wrote:
> TL;DR: wget is 100% safe to use with Tor and it does not leak DNS
> (also true for curl, by the way).

Which version of wget did you audit? What information leaks did you
check for during your audit?

Which SSL library did you configure wget to use? Which version of
that SSL library did you audit?

Based on your knowledge of the protocols that wget supports, where did
you most expect to find information leaks in wget's source? (Since
you claim that wget is 100% safe to use with Tor, clearly you didn't
find any information leaks.)

Which configuration of wget makes it use Tor 100% safely?

Robert Ransom

#######################################################################
Post #6
Maxim Kammerer mk at dee.su
Wed Apr 18 08:56:31 UTC 2012

On Wed, Apr 18, 2012 at 11:37, Robert Ransom wrote:
> Which version of wget did you audit? What information leaks did you
> check for during your audit?

I should have known I would get useless replies with zero informative
content to that summary. Wget does not resolve hostnames when it uses
a proxy. Many programs do (e.g., Midori does, and Pidgin did at one
point, if I am not mistaken), but wget doesn't. Wget is therefore safe
to use via Tor. Do you have any specific information saying otherwise,
besides the obvious "no one should ever claim that anything is 100%
anything, ever"? Note that I originally replied to a post by Runa
Sandvik which was entirely wrong and needed correction, and that you
are quoting a summary. What is your contribution to this thread
exactly?

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)

#######################################################################
Post #7
unknown unknown at pgpru.com
Wed Apr 18 16:29:29 UTC 2012

In theory a smart adversary can reduce the anonymity set by statistically
profiling any non-TBB downloaders on the service side or through
intercepting exit node traffic. Wget'll get a different response than
standard TBB or other downloaders to cookies and active element
injection, font manipulation on a page, etc.

#######################################################################
Post #8
Joseph Lorenzo Hall joehall at gmail.com
Wed Apr 18 17:00:21 UTC 2012

On Wed, Apr 18, 2012 at 4:56 AM, Maxim Kammerer wrote:
> On Wed, Apr 18, 2012 at 11:37, Robert Ransom wrote:
>> Which version of wget did you audit? What information leaks did you
>> check for during your audit?
>
> I should have known I would get useless replies with zero informative
> content to that summary. Wget does not resolve hostnames when it uses
> a proxy. Many programs do (e.g., Midori does, and Pidgin did at one
> point, if I am not mistaken), but wget doesn't. Wget is therefore safe
> to use via Tor. Do you have any specific information saying otherwise,
> besides the obvious no one should ever claim that anything is 100%
> anything, ever? Note that I originally replied to a post by Runa
> Sandvik which was entirely wrong and needed correction, and that you
> are quoting a summary. What is your contribution to this thread
> exactly?

I'm sorry, but I think you have it backwards in terms of uselessness
of replies on this thread. Ransom asked you a series of cordial,
pointed questions wondering under what configuration you determined
wget does not leak. The underlying point is that it would be neat if
you've done a comprehensive analysis of a specific version of Tor,
etc., etc.

That would be useful to know.

best, Joe

#######################################################################
Post #9
torsiris at tormail.net
Wed Apr 18 21:40:24 UTC 2012

> On Wed, Apr 18, 2012 at 4:56 AM, Maxim Kammerer wrote:
>> On Wed, Apr 18, 2012 at 11:37, Robert Ransom wrote:
>>> Which version of wget did you audit? What information leaks did you
>>> check for during your audit?

Hi,

How can I check what information wget is transmitting? I used Wireshark
and filtered to see only the traffic sent from wget to localhost:8118 but
I'm not a network expert and I don't know how to interpret the data.

Does anybody have deeper network knowledge?

#######################################################################
Post #10
Ondrej Mikle ondrej.mikle at gmail.com
Wed Apr 18 23:55:10 UTC 2012

On 04/18/2012 11:40 PM, torsiris at tormail.net wrote:
>> On Wed, Apr 18, 2012 at 4:56 AM, Maxim Kammerer wrote:
>>> On Wed, Apr 18, 2012 at 11:37, Robert Ransom wrote:
>>>> Which version of wget did you audit? What information leaks did you
>>>> check for during your audit?
> Hi,
>
> How can I check what information wget is transmitting? I used wireshark
> and filtered to see only the traffic sent from wget to localhost:8118 but
> I'm not a network expert and I don't know how to interpret the data.
>
> Anybody has deeper network knowledge?

I've just checked wget, it does leak DNS even with http_proxy environment
variable set.

How to check:

1. Run Wireshark
2. Select "Pseudointerface (any)" unless you know which interface to look at
3. Put "dns" into the Filter field and click the "Apply" button

DNS is easy to spot since it's almost always going to UDP port 53 (exceptions
are really rare).

Then you'll see what DNS queries your host did at the time (obviously it's best
to turn off any other program that could interfere in the measurement).

These things can change on a version-to-version basis of the same software, so
it's always best to check your actual version with Wireshark.

Though curl is much better than wget in all recent versions at least, this does
not leak DNS (--socks5-hostname is the important part; Tor SOCKS5 proxy is
expected to run at port 9050):

curl --socks5-hostname localhost:9050 "http(s)://somesite.wherever/rest_of_url"

Ondrej

#######################################################################
Post #11
Maxim Kammerer mk at dee.su
Thu Apr 19 08:02:37 UTC 2012

On Thu, Apr 19, 2012 at 02:55, Ondrej Mikle wrote:
> I've just checked wget, it does leak DNS even with http_proxy environment
> variable set.

Do you see wget actually connecting to the proxy? Wget terminal output
shows that.

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)

#######################################################################
Post #12
torsiris at tormail.net
Thu Apr 19 20:54:14 UTC 2012

[RE: Others in the thread]

Hi,

I cannot confirm that wget (v1.12) is sending any DNS resolve when using
it this way:

wget --proxy --execute=http_proxy=http://127.0.0.1:8118/ -c http://download.test

Wireshark does not show any UDP traffic.

I will check out curl. I like the idea of not using a http proxy in between.

Thanks for the post. :-)

#######################################################################
Post #13
Ondrej Mikle ondrej.mikle at gmail.com
Thu Apr 19 22:23:40 UTC 2012

On 04/19/2012 10:54 PM, torsiris at tormail.net wrote:
> Hi,
>
> I cannot confirm that wget (v1.12) is sending any DNS resolve when using
> it this way:
>
> wget --proxy --execute=http_proxy=http://127.0.0.1:8118/ -c http://download.test
>
> Wireshark does not show any UDP traffic.
>
> I will check out curl. I like the idea of not using a http proxy in between.
>
> Thanks for the post. :-)

Hm, you're right, wget 1.12 does not leak DNS if you use the http protocol. I just
realized I tested it also with https when the leak happened (wget requires
an explicit 'https_proxy' to use CONNECT for https even if you use the same http
proxy).

Ondrej

#######################################################################
Post #14
torsiris at tormail.org
Sat Apr 21 23:25:36 UTC 2012

Hi,

Is there anything to worry about if using curl with the below configuration?
(I don't want to use a virtual machine)

Only debian-tor can go online:

iptables -F OUTPUT
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -p udp --dport 123
iptables -P OUTPUT DROP

curl is used like this:

curl --socks5-hostname 127.0.0.1:9050 -A "TBB's user agent" -C - -O http://download.testfile

I guess there is no way that curl can leak the real IP address. Any
objections?

#######################################################################
Post #15
Ondrej Mikle ondrej.mikle at gmail.com
Sun Apr 22 17:26:09 UTC 2012

On 04/22/2012 01:25 AM, torsiris at tormail.org wrote:
>
> Hi,
>
> Is there anything to worry about if using curl with the below configuration?
> (I don't want to use a virtual machine)
>
> Only debian-tor can go online:
> iptables -F OUTPUT
> iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
> iptables -A OUTPUT -j ACCEPT -o lo
> iptables -A OUTPUT -j ACCEPT -p udp --dport 123
> iptables -P OUTPUT DROP

Just to make sure, add explicit blocking of DNS at the beginning (might add
-m owner --uid-owner debian-tor if you want):

iptables -A OUTPUT -p udp --dport 53 -j REJECT
iptables -A OUTPUT -p tcp --dport 53 -j REJECT

REJECT is IMHO better than DROP for outgoing connections, since you won't have
to wait for the application to detect the timeout.

>
> curl is used like this:
>
> curl --socks5-hostname 127.0.0.1:9050 -A "TBB's user agent" -C - -O http://download.testfile

Use --header to add any additional headers until your request has identical
headers to TBB (adding headers is easy, removing might be harder).

> I guess there is no way that curl can leak the real IP address. Any
> objections?

I can't say for sure, but it likely won't leak your IP for http/https protocols.
The only way to make sure would be thoroughly reading the source.

Ondrej

#######################################################################
Post #16
Javier Bassi javierbassi at gmail.com
Sun Apr 22 21:26:40 UTC 2012

Just tested wget 1.12 with proxychains 3.1 and it does not leak DNS. ^^

#######################################################################
Post #17
torsiris at tormail.org
Mon Apr 23 12:25:43 UTC 2012

> On 04/22/2012 01:25 AM, torsiris at tormail.org wrote:
>>
>> Hi,
>>
>> Is there anything to worry about if using curl with the below
>> configuration?
>> (I don't want to use a virtual machine)
>>
>> Only debian-tor can go online:
>> iptables -F OUTPUT
>> iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
>> iptables -A OUTPUT -j ACCEPT -o lo
>> iptables -A OUTPUT -j ACCEPT -p udp --dport 123
>> iptables -P OUTPUT DROP
>
> Just to make sure, add explicit blocking of DNS at the beginning (might
> add -m
> owner --uid-owner debian-tor if you want):
>
> iptables -A OUTPUT -p udp --dport 53 -j REJECT
> iptables -A OUTPUT -p tcp --dport 53 -j REJECT

iptables -P OUTPUT DROP will drop anything not allowed in the above rules.
I don't see the need to add more rules for DNS. They get dropped anyway.

>
> REJECT is IMHO better than DROP for outgoing connections, since you won't
> have
> to wait for application to detect timeout.

That's a good point for outgoing traffic. :-)

>
>> curl is used like this:
>>
>> curl --socks5-hostname 127.0.0.1:9050 -A "TBB's user agent" -C - -O
>> http://download.testfile
>
> Use --header to add any additional headers until your request has
> identical
> headers to TBB (adding headers is easy, removing might be harder).
>
>> I guess there is no way that curl can leak the real IP address. Any
>> objections?
>
> I can't say for sure, but it likely won't leak your IP for http/https
> protocols.
> Only way to make sure would be thoroughly reading the source.

I see no way how curl could get the public IP address without root
privileges.

Thank you Ondrej for your point of view.

#######################################################################
Post #18
Robert Ransom rransom.8774 at gmail.com
Fri Apr 20 14:15:54 UTC 2012

On 2012-04-18, Joseph Lorenzo Hall wrote:
> The underlying point is that it would be neat if
> you've done a comprehensive analysis of a specific version of Tor,
> etc., etc.

No, the underlying point is that I have personally seen wget send my
computer's IP address over Tor in an FTP PORT command. wget is not
100% safe.

The code to send a PORT command is still present in wget 1.13.4. wget
1.13.4 is not 100% safe; anyone who wants to recommend it needs to
specify a particular configuration of wget which is safe. (Don't
count on a default configuration; Linux distributors might have
messed with it, or failed to update it to the version shipped in
recent wget source distributions.)

And that's not even the potential information leak that folks who are
familiar with anonymous FTP would check for first.

Robert Ransom

#######################################################################
Post #19
Maxim Kammerer mk at dee.su
Fri Apr 20 15:34:07 UTC 2012

On Fri, Apr 20, 2012 at 17:15, Robert Ransom wrote:
> No, the underlying point is that I have personally seen wget send my
> computer's IP address over Tor in an FTP PORT command. wget is not
> 100% safe.

Well, I was talking about http(s) specifically. While wget does
support the ftp_proxy environment variable, I am not aware of any
standard configuration involving Tor (e.g., Privoxy / polipo) that
supports ftp_proxy (I guess wget would send the proxy's IP in that case,
but didn't check). When used with tsocks / torsocks' LD_PRELOAD hack,
wget sends 127.0.0.1 with PORT, which only happens with
--no-passive-ftp, and is kind of pointless.

Perhaps you have seen the behavior you talk about in Tails, back
before I convinced them that transparent proxying with iptables is a
bad idea? In that case, the problem is with transparent proxying, not
wget.

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)

#######################################################################
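The checks argued over in posts #10 through #15 (whether curl with --socks5-hostname hands the name to the proxy, whether wget only uses CONNECT for https once https_proxy is set, and Maxim's "do you see wget actually connecting to the proxy?") can be answered directly with a throwaway proxy listener instead of reading Wireshark. The following is an added example written for this page; it is not code from the thread or from wget, curl or Tor. It binds a one-shot listener on 127.0.0.1, speaks just enough SOCKS5 or HTTP-proxy protocol to receive the client's first request, reports whether the client passed a hostname (the proxy resolves) or an already-resolved IP literal (the client did its own DNS lookup, which is the leak), and then refuses the connection so nothing leaves the host. The port 1080 and the sample requests are assumptions made here, not values from the posts.

```python
"""Added example (not from the tor-talk thread): a one-shot proxy listener that
reports what a client under test asked the proxy for.

- SOCKS5 CONNECT with ATYP=0x03 (domain name): the proxy resolves the name,
  which is what curl --socks5-hostname sends.
- SOCKS5 CONNECT with ATYP=0x01/0x04 (IP literal): the client resolved the
  name itself before talking to the proxy, i.e. a DNS leak (curl --socks5).
- HTTP proxy request (absolute-URI GET or CONNECT host:port): the proxy
  resolves whatever host string it is given.
- No connection at all: the client went direct (e.g. wget fetching https with
  only http_proxy set).

Assumptions made here, not taken from the thread: listener port 1080, and the
constructed sample requests at the bottom."""
import ipaddress
import socket
import struct


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def parse_socks5_connect(req: bytes) -> dict:
    """Parse a SOCKS5 CONNECT request (RFC 1928 s.4): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(req) < 4 or req[0] != 0x05 or req[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == 0x01:                                   # IPv4 literal: client resolved locally
        host, off = socket.inet_ntop(socket.AF_INET, req[4:8]), 8
    elif atyp == 0x04:                                 # IPv6 literal: client resolved locally
        host, off = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    elif atyp == 0x03:                                 # length-prefixed name: proxy resolves
        n = req[4]
        host, off = req[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    port = struct.unpack("!H", req[off:off + 2])[0]
    return {"proto": "socks5", "host": host, "port": port,
            "client_resolved": atyp != 0x03, "host_is_ip": _is_ip_literal(host)}


def parse_http_proxy_request(req: bytes) -> dict:
    """Classify the request line a client sends to an HTTP proxy."""
    line = req.split(b"\r\n", 1)[0].decode("latin-1")
    method, target = line.split(" ", 2)[:2]
    if method == "CONNECT":                            # https_proxy style: CONNECT host:port
        host, _, port = target.rpartition(":")
        kind = "http-connect"
    elif "://" in target:                              # http_proxy style: GET http://host/path
        authority = target.split("://", 1)[1].split("/", 1)[0]
        host, _, port = authority.partition(":")
        port = port or "80"
        kind = "http-absolute"
    else:
        raise ValueError("origin-form request: the client is not treating us as a proxy")
    return {"proto": kind, "host": host, "port": int(port),
            "client_resolved": False, "host_is_ip": _is_ip_literal(host)}


def classify(req: bytes) -> dict:
    """Dispatch on the first byte: 0x05 is a SOCKS5 message, anything else is HTTP."""
    return parse_socks5_connect(req) if req[:1] == b"\x05" else parse_http_proxy_request(req)


def serve_once(port: int = 1080, timeout: float = 60.0) -> dict:
    """Accept one client, complete the SOCKS5 no-auth greeting if there is one,
    classify the request, then refuse it so no real connection is made."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        srv.settimeout(timeout)                        # raises socket.timeout if nothing connects
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            data = conn.recv(4096)
            if data[:1] == b"\x05":                    # SOCKS5 greeting: VER NMETHODS METHODS
                conn.sendall(b"\x05\x00")              # choose NO AUTHENTICATION REQUIRED
                data = conn.recv(4096)                 # now the CONNECT request
            result = classify(data)
            if result["proto"] == "socks5":
                conn.sendall(b"\x05\x05\x00\x01" + b"\x00" * 6)   # REP=0x05 connection refused
            else:
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
    return result


# Constructed sample requests (assumed here, not captured from anyone in the thread).
SAMPLE_SOCKS5_IP = b"\x05\x01\x00\x01" + socket.inet_aton("192.0.2.10") + struct.pack("!H", 80)
SAMPLE_SOCKS5_NAME = b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 443)
SAMPLE_HTTP_GET = b"GET http://example.com/file.bin HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_HTTP_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SOCKS5_IP, SAMPLE_SOCKS5_NAME, SAMPLE_HTTP_GET, SAMPLE_HTTP_CONNECT):
        print(classify(sample))
    print("listening on 127.0.0.1:1080; try: curl --socks5-hostname 127.0.0.1:1080 http://example.com/")
    print(serve_once())
```

Run it, then point the client at 127.0.0.1:1080 (for example `curl --socks5-hostname 127.0.0.1:1080 http://example.com/`, or `http_proxy=http://127.0.0.1:1080 wget https://example.com/`) and read the printed dict: `client_resolved: True` means the name was looked up outside the proxy; a timeout means the client never used the proxy at all, which is exactly the https_proxy case Ondrej describes in post #13. Tor itself applies the same test: its SOCKS port logs a warning when an application hands it only an IP address, and with `SafeSocks 1` in torrc it rejects such requests outright, so a real Tor instance can serve as the listener too.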