Firefox IPv6 Anonymity bypass
Jacob Appelbaum
jacob at appelbaum.net
Fri Oct 26 18:57:37 UTC 2007
Arrakis wrote:
> Greetings and welcome to 2006!
>
> <3,
> Steve
>
> Excerpt from "How To Create Torpark"
>
> Step 31. set as follows:
> noscript.notify.hideDelay = 30
> noscript.statusIcon = false
> network.dns.disableIPv6 = true ; ipv6 addresses fail through tor.
> network.proxy.socks_remote_dns = true
> browser.sessionstore.enabled = false
> browser.sessionhistory.max_entries = 1
> network.cookie.lifetime.days = 0
> dom.storage.enabled = false
> dom.max_script_run_time = 60 ;script running time
> dom.max_chrome_script_run_time = 60;
> network.proxy.failover_timeout = 0 ;always retry the proxy, never
> revert.
> plugin.scan.plid.all = false ;Do not allow plugin scanning.
> security.xpconnect.plugin.unrestricted = false; do not allow
> unlimited access to XPConnect
> layout.css.report_errors = false ;get rid of java console errors
> network.http.keep-alive.timeout:1000
> network.http.max-persistent-connections-per-proxy:16
> network.http.pipelining:true
> network.http.pipelining.maxrequests:8
> network.http.proxy.pipelining:true
I'm sure you've learned a great deal in the process of building Torpark.
Have you ever documented why you've made these choices and explained
them to the or-talk lost or Tor Developers privately?
I think your contributions would be very valued if you only shared them
in a constructive manner. Your message comes across as smug and counter
productive. What are you trying to accomplish?
With that said, I think your setup is still vulnerable to ipv6 leaks. I
think that an attacker would merely have to list an ipv6 address rather
than a name. Something along the lines of:
<img src="http://fe80::123:5667:fe6d:ab10/cookie.img">
If you think this to be incorrect, perhaps you could share why? Does
Firefox properly proxy ipv6 requests through Tor? Have you tested this?
How did you test it?
-
Jaco
More information about the tor-talk
mailing list