lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <26700.1260878482@localhost>
Date: Tue, 15 Dec 2009 07:01:22 -0500
From: Valdis.Kletnieks@...edu
To: Milan Berger <m.berger@...ject-mindstorm.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google Chrome 3.0.195.33 leaks DNS data
	queries outsitde of proxy if dns pre-fetching is enabled

On Tue, 15 Dec 2009 10:14:31 +0100, Milan Berger said:

> > the only way to avoid DNS leaks despite most application configuration
> > is a transparent Tor proxy that intercepts all DNS and TCP at the
> > network layer and performs a redirect to the Tor Tcp and DNS Ports.
> > (see man page.)
> 
> Bullshit.
> Tor proxies are
> a) not the best way
> b) many apps like firefox enable using proxy for dns as well as other
> connections.

Not bullshit at all. Taking the points in reverse order:

(b) Note that 'many apps" means "mostly avoid", not "totally avoid".   You run
any app that's not DNS-proxy aware, you just leaked and whoever you're using
Tor to avoid is now potentially pounding on your door. Sure, the difference
doesn't matter if you're using Tor to be a cool wanker. But if you're using
Tor because it *matters*, "98% of apps get it right themselves" is a big
*fail*. You really want to enforce 100% correctness whether the app is
correct or not. (Stated in another way - sometimes DAC just doesn't cut
it, and you really *do* want the added complication of MAC).

(a) If you have a better way than a Tor proxy to avoid DNS leaks from
programs that don't DNS-proxy themselves, feel free to actually *tell*
us what it is, rather than just babble "they aren't the best way". Given
you got the *other* point totally wrong, we have no reason to believe a
content-free 'not the best way' unless you actually have an evaluatable
statement like 'XYZ is better'.

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ