| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Aug 2014 08:05:31 +1000 From: Adam Dodson <adam@...mdodson.org> To: fulldisclosure@...lists.org Subject: Re: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header Hi, I forwarded these details to the Steganos dev team and they have just addressed this issue with a software update yesterday :) Regards, Adam > > On Sun, Aug 10, 2014 at 7:45 AM, Stefan Paletta <stefanp@...al1.net> > wrote: > >> Hi! >> >> “Steganos Online Shield VPN” claims to enhance the user’s privacy online >> (<https://www.steganos.com/en/products/vpn/online-shield-vpn/features/>) >> by, among other measures, (a) blocking advertisements in web pages, (b) >> blocking tracking code in web pages, and (c) replacing the browser’s >> “User-Agent” header with a fixed value. The measures can be enabled >> independent of each other and independent of other functionality of the >> software (e.g. use of a VPN connection). >> >> Use of any feature (a) through (c) will enable a local HTTP proxy server >> based on Node.js (<http://nodejs.org/>) and < >> https://github.com/axiak/filternet>. >> >> When (a) and/or (b) are enabled, and (c) is not, the proxy will leak the >> hostname of the machine in a “Via” header like so: “Via: 1.1 foobar:8123 >> (Steganos Online Shield)” (where “foobar” is the local hostname). >> >> The code is this < >> https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L19> >> (think %windir%\System32\HOSTNAME.EXE) and this < >> https://github.com/axiak/filternet/blob/e9109999c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L116 >> >. >> >> When (c) is enabled, custom code in the proxy will replace the >> “User-Agent” header with a fixed value and replace the “Via” header with >> the empty string (not remove it altogether), thereby mitigating the >> information leak. >> >> The machine’s hostname is usually strongly connected to the user’s >> identity (often containing their name). In addition to that, it is a strong >> distinguisher that will allow a correlation of HTTP requests as originating >> from the same machine (and thereby user, to some degree) even when these >> requests are not otherwise related in any way. >> >> When reproducing, be careful that online services echoing back your HTTP >> request may or may not echo a “Via” header when one is in fact present. >> >> –Stefan >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists