[tor-talk] wget - secure?

Ondrej Mikle ondrej.mikle at gmail.com
Thu Apr 19 22:23:40 UTC 2012


Hm, you're right, wget 1.12 does not leak DNS if you use http protocol. I just
realized I tested it also with https when the leak happened (wget requires
explicit 'https_proxy' to use CONNECT for https even if you use the same http
proxy).

Ondrej

On 04/19/2012 10:54 PM, torsiris at tormail.net wrote:
> Hi,
> 
> I cannot confirm that wget (v1.12) is sending any DNS resolve when using
> it this way:
> 
> wget --proxy --execute=http_proxy=http://127.0.0.1:8118/ -c http://download.test
> 
> Wireshark does not show any UDP traffic.
> 
> I will check out curl. I like the idea of not using a http proxy in between.
> 
> Thanks for the post. :-)
> 
>> On 04/18/2012 11:40 PM, torsiris at tormail.net wrote:
>>>> On Wed, Apr 18, 2012 at 4:56 AM, Maxim Kammerer <mk at dee.su> wrote:
>>>>> On Wed, Apr 18, 2012 at 11:37, Robert Ransom <rransom.8774 at gmail.com>
>>>>> wrote:
>>>>>> Which version of wget did you audit?  What information leaks did you
>>>>>> check for during your audit?
>>> Hi,
>>>
>>> How can I check what information wget is transmitting? I used wireshark
>>> and filtered to see only the traffic sent from wget to localhost:8118 but
>>> I'm not a network expert and I don't know how to interpret the data.
>>>
>>> Does anybody have deeper network knowledge?
>>
>> I've just checked wget, it does leak DNS even with http_proxy environment
>> variable set.
>>
>> How to check:
>>
>> 1. Run wireshark
>> 2. Select "Pseudointerface (any)" unless you know which interface to look at
>> 3. Put "dns" into the Filter field and click "Apply" button
>>
>> DNS is easy to spot since it's almost always going to UDP port 53
>> (exceptions are really rare).
>>
>> Then you'll see what DNS queries your host did at the time (obviously it's
>> best to turn off any other program that could interfere in the measurement).
>>
>> These things can change on a version-to-version basis of the same software,
>> so it's always best to check your actual version with wireshark.
>>
>> Though curl is much better than wget in all recent versions at least, this
>> does not leak DNS (--socks5-hostname is the important part; Tor SOCKS5 proxy
>> is expected to run at port 9050):
>>
>> curl --socks5-hostname localhost:9050 "http(s)://somesite.wherever/rest_of_url"
>>
>> Ondrej
>> _______________________________________________
>> tor-talk mailing list
>> tor-talk at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
> 
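
The capture check described in the thread, as an added example that is not part of the original messages: it lists the names queried over UDP port 53 from raw IPv4 packets, which is what the Wireshark "dns" filter shows. The packet builders, the 192.0.2.x addresses and the sample capture are constructed for the demonstration; a real capture on the "any" interface would need its link-layer header stripped first.

```python
import socket
import struct

def parse_qname(payload):
    """Return the first question name from a DNS message, or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:                                  # root label ends the name
            return ".".join(labels)
        if n > 63 or pos + 1 + n > len(payload):    # not a plain, complete label
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def dns_queries(packets):
    """List (destination IP, queried name) for IPv4/UDP packets sent to port 53."""
    found = []
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:   # IPv4 + UDP only
            continue
        ihl = (pkt[0] & 0x0F) * 4                   # IP header length in bytes
        if len(pkt) < ihl + 8:
            continue
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        name = parse_qname(pkt[ihl + 8:]) if dport == 53 else None
        if name:
            found.append((socket.inet_ntoa(pkt[16:20]), name))
    return found

def build_udp(dst_ip, dport, payload):
    """Build a constructed IPv4/UDP packet (checksums left zero) for the sample."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton(dst_ip))
    return ip + struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload

def build_query(name):
    """Build a constructed DNS A query for `name`."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + b"\x00\x00\x01\x00\x01"

# Constructed sample: one leaked lookup to a resolver, one unrelated UDP packet.
SAMPLE = [build_udp("192.0.2.53", 53, build_query("download.test")),
          build_udp("192.0.2.99", 8118, b"not dns")]

if __name__ == "__main__":
    print(dns_queries(SAMPLE))
```

An empty result during a proxied download corresponds to the "no UDP traffic" observation in the thread; any entry naming the download host is a leak.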


