lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 15 Aug 2014 08:05:31 +1000
From: Adam Dodson <>
Subject: Re: [FD]
	“Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header


I forwarded these details to the Steganos dev team and they have just
addressed this issue with a software update yesterday :)


> On Sun, Aug 10, 2014 at 7:45 AM, Stefan Paletta <>
> wrote:
>> Hi!
>> “Steganos Online Shield VPN” claims to enhance the user’s privacy online
>> (<>)
>> by, among other measures, (a) blocking advertisements in web pages, (b)
>> blocking tracking code in web pages,  and (c) replacing the browser’s
>> “User-Agent” header with a fixed value. The measures can be enabled
>> independent of each other and independent of other functionality of the
>> software (e.g. use of a VPN connection).
>> Use of any feature (a) through (c) will enable a local HTTP proxy server
>> based on Node.js (<>) and <
>> When (a) and/or (b) are enabled, and (c) is not, the proxy will leak the
>> hostname of the machine in a “Via” header like so: “Via: 1.1 foobar:8123
>> (Steganos Online Shield)” (where “foobar” is the local hostname).
>> The code is this <
>> (think %windir%\System32\HOSTNAME.EXE) and this <
>> >.
>> When (c) is enabled, custom code in the proxy will replace the
>> “User-Agent” header with a fixed value and replace the “Via” header with
>> the empty string (not remove it altogether), thereby mitigating the
>> information leak.
>> The machine’s hostname is usually strongly connected to the user’s
>> identity (often containing their name). In addition to that, it is a strong
>> distinguisher that will allow a correlation of HTTP requests as originating
>> from the same machine (and thereby user, to some degree) even when these
>> requests are not otherwise related in any way.
>> When reproducing, be careful that online services echoing back your HTTP
>> request may or may not echo a “Via” header when one is in fact present.
>> –Stefan
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> Web Archives & RSS:

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists