lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 15 Dec 2009 13:39:34 -0800
From: Dan Kaminsky <dan@...para.com>
To: nixlists <nixmlists@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google Chrome 3.0.195.33 leaks DNS data
	queries outsitde of proxy if dns pre-fetching is enabled

Nix,

   Proxies are not a security technology in the way you think they are.

   Way back in the day, NAT didn't exist.  In order for large numbers of
users to share small number of IP addresses, application layer gateways --
proxies -- needed to be written such that a backend client could "ask" for
connectivity through the one host on the network that had direct Internet
access.  Some of these proxies were protocol specific (HTTP, FTP, Gopher),
and some were more generic (SOCKS4/5).

   While there were toolkits that allowed transparent proxying to be loaded
into any network application -- so called "socksifiers" -- they were always
a little unstable and obtuse.  So any application that wanted to function in
a corporate environment eventually got proxy support built right into the
UI.

   This wasn't for security.  It was the 90's, nobody did *anything* for
security.  It was just for connectivity.

   There are some implications to this.  While the UI declares proxies MAY
be used, it doesn't actually mean they MUST be used.  More protocols than
HTTP are accessible via the web browser.  Do you think SMB uses the browser
configured proxies?  What about Flash and Java sockets?  And even if they
did use the proxies, SOCKS4 didn't even support remote DNS in its first
incarnation; that supported was added unofficially in SOCKS4a and officially
in SOCKS5.  To this day, Firefox can't turn remote DNS on by default,
because so many of the proxies have buggy implementations of it.

   The TOR guys are aware of all of this, of course.  The approach they've
been working on has been to virtualize the entire network stack of the
Windows instance behind a Linux VM.  That's the only real way to prevent
leaks.  Playing whack-a-mole at the application layer is ultimately
pointless.  If you want to prevent network traffic from leaking, you really
need full access to all traffic.

--Dan


On Tue, Dec 15, 2009 at 1:01 PM, nixlists <nixmlists@...il.com> wrote:

> The point is besides the fact that you can configure Chrome to proxy
> through Tor or anything else, Chrome is not supposed to leak DNS -
> it's  a bug that Firefox currently does not have for instance. Many
> users use proxies to avoid corporate and other firewalls, and to
> prevent leakage of information a suppressive government will throw
> them in jail for - China for instance. Tor just makes a good example.
> IT IS IMPORTANT FOR UNWITTING USERS TO KNOW ABOUT THIS BUG. They may
> be thinking that Chrome is safe for proxies.
>
> The other OT issue about Chrome is of course even despite you using a
> proxy the right way all the real information about you will be found
> on Google's servers anyway because Chrome has a lot of hidden
> information collecting eggs that Google won't talk about. The company
> has decided that privacy does not matter long time ago. And if it does
> matter for you - well according to Google then you are a criminal.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists