Silk Road forums
Discussion => Security => Topic started by: SeriousChemistry on September 28, 2012, 05:03 pm
-
It has been discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.39-1 on Windows; 2.2.39-1 on MacOS and Linux).
To fix this dns leak/security hole, follow these steps:
1. Open TOR and Firefox will open automatically.
2. Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
3. Type “websocket” (again, without the quotes) into the search bar that appears below "about:config".
4. Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.
-
Thank you for the information. This configuration option is also present in Tails, and I would assume in liberte as well. Mine's set correctly, but if you're running an older version you might want to check it.
-
I'm worried that the OP is LE and attempting ot get me to make my Tor browser insecure.
Can someone with a high post count and some technical knowhow please confirm what he is saying?
-
I'm worried that the OP is LE and attempting ot get me to make my Tor browser insecure.
Can someone with a high post count and some technical knowhow please confirm what he is saying?
He copy pasted that text from the Tor project blog. Here's the url: https://blog.torproject.org/category/tags/websockets
So I think it's legit!
(Greetings everybody. Not new to SR, but a new seller -- sort of. Bought and drop shipped for pot2peer before they got suspended.)
-
Thanks for the info! Any idea why has this not been updated by Tor in their BB?
-
Thanks for the info! Any idea why has this not been updated by Tor in their BB?
Good question farmer1. You could try emailing them and asking them. That seems like a pretty big thing to forget to do.
-
Thanks fixed now
-
Thanks Guru (and Mr Chemistry for bringing it to our attention).
If you have Tor configured to block all scripts, is/was your anonymity still at risk from this bug?
-
Thanks...
-
Cheers. :)
-
thx!
-
Cheers guys! Sorted now!
-
Thnx
-
Ohhh my good thats bug is fixed since months, please read right and not anxiety provoking for old bullshit that is fixed
https://trac.torproject.org/projects/tor/ticket/5741
Changed 4 months ago by mikeperry
status changed from assigned to closed
resolution set to fixed
-
cheers for the info guys
-
Ohhh my good thats bug is fixed since months, please read right and not anxiety provoking for old bullshit that is fixed
https://trac.torproject.org/projects/tor/ticket/5741
Changed 4 months ago by mikeperry
status changed from assigned to closed
resolution set to fixed
Well... I'm running the lastest TOR setup (at least, according to TOR) and it was NOT fixed in mine. I had to manually change it.
-
Well Mister, then please report it on the right place and help all of us ;)
https://www.torproject.org/docs/faq.html.en#SupportMail
-
Ohhh my good thats bug is fixed since months, please read right and not anxiety provoking for old bullshit that is fixed
https://trac.torproject.org/projects/tor/ticket/5741
Changed 4 months ago by mikeperry
status changed from assigned to closed
resolution set to fixed
Well... I'm running the lastest TOR setup (at least, according to TOR) and it was NOT fixed in mine. I had to manually change it.
Same here.
-
here not....
Everyone writes blabbla but without "reliable sources" that is only blabla ;D
-
Ohhh my good thats bug is fixed since months, please read right and not anxiety provoking for old bullshit that is fixed
https://trac.torproject.org/projects/tor/ticket/5741
Changed 4 months ago by mikeperry
status changed from assigned to closed
resolution set to fixed
Well... I'm running the lastest TOR setup (at least, according to TOR) and it was NOT fixed in mine. I had to manually change it.
Same here. I triple-checked the newest TOR versions. It was still not fixed.
Btw. Thanks for the Karma, unknown karma supplier! ;)
-
Thanks.
+1
-
Thank you, john!
For all: Please tell everybody you reach on SR to fix this bug.
-
Thanks for the effort to let the community know this (fixed) bug :)
-
Changing the setting in about:config is the workaround, not the fix. With the proper fix, it is fine to have "network.websocket.enabled" set as true.
I assume the latest version of the tor browser has the proper fix, although I haven't tested it.
-
I assume the latest version of the tor browser has the proper fix, although I haven't tested it.
I have tested it and it's still not fixed. So you still have to fix it manually.
-
i block outgoing dns and http with my firewall. that fixes (or breaks, depending how you look at it) all applications.
-
Thank you, my BB was set incorrectly. Luckily I didn't use it for anything as I just downloaded it. Once again, thanks 8).
-
does it have to be done each time Firefox is started or does it remember from session to session?? I guess it would be a good idea to print the OP's info, so when a future tor is released, we can check it.
You have to change it once and/or when you update your TOR or download it again.
BTW OP, how on earth did you find this?? This issue seems pretty deep in the bowels of the techie stuff. Just wondering....
Magic. ;) No, I am very serious when it comes to security. I read a lot about TOR, PGP etc. You might consider doing that too!
Thank you, my BB was set incorrectly. Luckily I didn't use it for anything as I just downloaded it. Once again, thanks 8).
You're welcome!
-
How does one do this fix in Liberte?
-
Liberte? What are you talking about?
-
Liberte? What are you talking about?
Liberte Linux.
It's a TOR-based OS that can be run from a USB drive. It uses the GNOME web browser. Any idea on how to do this fix on this platform?
-
Uhm SeriousChemistry please tell us how to reproduce the bug.
Everyone, turn your settings back to default,this guy most likely has no idea what he's talking about.
If you care about security, install NoScript and forbid everything, that fixes a lot of vulnerabilities, including this one (which doesn't matter because it was fixed half a year ago as people have already said multiple times in this thread).
-
Well I am not a computer genius, but I've read about this bug in some Security-Forums and I checked it and the settings were still set to the wrong parameter. So you tell me the bug is fixxed, even if the settings are still the same as in the unfixed, older versions of TOR?I really want to make that clear, I don't want to spread bullshit.
-
As someone already pointed out on page 1 of this thread it doesn't matter what your settings are because the bug is already fixed. So better change it back to the default.
If you read about some bug, check the date of the article. Tor fixes critical bugs very fast because lifes depend on it.
-
Well I am not a computer genius, but I've read about this bug in some Security-Forums and I checked it and the settings were still set to the wrong parameter. So you tell me the bug is fixxed, even if the settings are still the same as in the unfixed, older versions of TOR?I really want to make that clear, I don't want to spread bullshit.
With the bug fixed, that particular parameter can be set either way and it isn't a security risk.
-
This shouldn't affect you if you just use Tor to connect to hidden services.
DNS leaks are a perpetual bugbear with torifying applications. Sooner or later the Tor Project will have to do something more drastic about it.
-
I'm bumping this thread as a reminder. A new Tor browser was just released and the bug remains. Make the fix and you're good to go until the next release. This has been discussed elsewhere and as far as I understand it still is something of legitimate concern.
-
this needs to be a sticky...i keep forgetting to do this every time a new version of TOR is released...
-
If you have updated Tor Browser anytime since May 2012. it is already fixed...
Check the update logs (really easy to find, tor browser folder\docs\changelog):
Tor Browser Bundle (2.2.35-11); suite=windows
* Security release to stop TorBrowser from bypassing SOCKS proxy DNS
configuration
* New Firefox patches:
- Prevent WebSocket DNS leak (closes: #5741)
- Fix a race condition that could be used to link browsing sessions
together when using new identity from Tor Browser (closes: #5715)
* Remove extraneous BetterPrivacy settings from prefs.js (closes: #5722)
-- Erinn Clark <erinn@torproject.org> Thu May 3 08:00:00 BRT 2012
If you notice the closed bug trac is the same number as posted in the second/third post.
-
Correct, this bug is resolved and the workaround is no longer needed.
-
the bug seems to be still active in Mac versions of TOR
-
the bug seems to be still active in Mac versions of TOR
With the bug fixed, it is acceptable for network.websocket.enabled to be set as true.