Yahoo Mail and Tor
Andrew Lewman
andrew at torproject.org
Wed Jul 15 04:50:23 UTC 2009
On 07/09/2009 01:36 PM, Lee wrote:
>>> enable-remote-toggle 0
>>> enable-remote-http-toggle 0
>>> enable-edit-actions 0
>>> allow-cgi-request-crunching 0
>> I'm trying to find the email thread, but until then, even with these
>> set, it was demonstrated someone can manipulate your privoxy config by
>> making your tor client pass strings from localhost.
The best thread I can find on this topic is
http://archives.seul.org/or/talk/Nov-2007/msg00323.html
My memory of the details recalls that even with everything set to 0,
there was something that could enable the admin interface by referrer
spoofing, and then you've lost.
However, I can't find the details so, perhaps it's time to check out the
current versions of privoxy and re-evaluate. I'd love to stop shipping
a powerpc-only privoxy with the osx bundles, at a minimum.
--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject
More information about the tor-talk
mailing list