[OPSEC/Computer] Android orbot/torweb & SOCKS vulnerability

From reading more on how SOCKS works (https://www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks)

"I keep seeing these warnings about SOCKS and DNS information leaks. Should I worry?

The warning is:

Your application (using socks5 on port %d) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via Polipo or socat) instead.

If you are running Tor to get anonymity, and you are worried about an attacker who is even slightly clever, then yes, you should worry. Here's why.

The Problem. When your applications connect to servers on the Internet, they need to resolve hostnames that you can read (like www.torproject.org) into IP addresses that the Internet can use (like 209.237.230.66). To do this, your application sends a request to a DNS server, telling it the hostname it wants to resolve. The DNS server replies by telling your application the IP address.

Clearly, this is a bad idea if you plan to connect to the remote host anonymously: when your application sends the request to the DNS server, the DNS server (and anybody else who might be watching) can see what hostname you are asking for. Even if your application then uses Tor to connect to the IP anonymously, it will be pretty obvious that the user making the anonymous connection is probably the same person who made the DNS request.

Where SOCKS comes in. Your application uses the SOCKS protocol to connect to your local Tor client. There are 3 versions of SOCKS you are likely to run into: SOCKS 4 (which only uses IP addresses), SOCKS 5 (which usually uses IP addresses in practice), and SOCKS 4a (which uses hostnames).

When your application uses SOCKS 4 or SOCKS 5 to give Tor an IP address, Tor guesses that it 'probably' got the IP address non-anonymously from a DNS server. That's why it gives you a warning message: you probably aren't as anonymous as you think."

Does anyone know what version of SOCKS is used by orbot/orweb? It seems that if it were to use SOCKS 4 or SOCKS 5, profiling could be done in a large public/crowded place with lots of cameras?

Just a caution, because if it uses v4 or 5, you could be vulnerable if someone were watching network traffic. Maybe someone more familiar with the Android app or with more technical knowledge can comment.
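To make the FAQ's distinction concrete, here is an added example (not from the original post, and not Orbot's or Orweb's code) that builds the three SOCKS CONNECT request shapes the FAQ describes and classifies each one the way Tor's warning does: the proxy either receives a bare IP (so the client must already have resolved the name, outside Tor) or receives the hostname itself. The IP 203.0.113.7, the hostname example.com and the fake resolver are constructed values; 209.237.230.66 is the address quoted in the FAQ. The `leaks_dns` classifier and the `leaky_client_request`/`safe_client_request` helpers are this example's own names, not part of any library.

```python
import ipaddress
import socket
import struct

# Added example, not from the original post or from Orbot/Orweb. It builds the
# three SOCKS CONNECT request shapes the Tor FAQ describes and classifies each
# the way Tor's warning does. All addresses and hostnames are constructed.


def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS 4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
    The proxy only ever sees an IPv4 address, so the client must have
    resolved the name itself before calling this."""
    packed = ipaddress.IPv4Address(ip).packed
    return struct.pack("!BBH4s", 4, 1, port, packed) + userid + b"\x00"


def socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS 4a CONNECT: DSTIP is the sentinel 0.0.0.x (x != 0) and the
    hostname follows the USERID NUL, so the proxy (Tor) resolves it."""
    sentinel = b"\x00\x00\x00\x01"
    return (struct.pack("!BBH4s", 4, 1, port, sentinel)
            + userid + b"\x00" + hostname.encode("idna") + b"\x00")


def socks5_connect(target: str, port: int) -> bytes:
    """SOCKS 5 CONNECT (RFC 1928): VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT.
    A literal IP is sent as ATYP 0x01 (IPv4) or 0x04 (IPv6); anything else is
    sent as a DOMAINNAME (ATYP 0x03) and left to the proxy to resolve."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length must fit in one byte")
        body = b"\x03" + bytes([len(name)]) + name
    else:
        body = (b"\x01" if addr.version == 4 else b"\x04") + addr.packed
    return b"\x05\x01\x00" + body + struct.pack("!H", port)


def leaks_dns(request: bytes) -> bool:
    """True when the CONNECT request hands the proxy a bare IP, i.e. the
    hostname was resolved outside the proxy (the case Tor warns about)."""
    if len(request) < 8:
        raise ValueError("request too short to be a SOCKS CONNECT")
    if request[0] == 4:
        dstip = request[4:8]
        # SOCKS 4a marks "hostname follows" with 0.0.0.x, x != 0.
        return not (dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0)
    if request[0] == 5:
        return request[3] != 0x03
    raise ValueError("unsupported SOCKS version %d" % request[0])


def leaky_client_request(hostname: str, port: int,
                         resolver=socket.gethostbyname) -> bytes:
    """The anti-pattern from the FAQ: resolve locally first (that query goes
    to the system DNS server, outside Tor), then give the proxy only the IP.
    `resolver` is injectable so the behaviour can be shown offline."""
    ip = resolver(hostname)
    return socks5_connect(ip, port)


def safe_client_request(hostname: str, port: int) -> bytes:
    """The fix: never touch the local resolver; send the name to the proxy."""
    return socks5_connect(hostname, port)


if __name__ == "__main__":
    # Constructed stand-in for a real lookup so the demo never touches DNS.
    fake_dns = lambda name: "203.0.113.7"
    for label, req in [
        ("SOCKS4 (IP)", socks4_connect("203.0.113.7", 443)),
        ("SOCKS4a (hostname)", socks4a_connect("example.com", 443)),
        ("SOCKS5 after local resolve", leaky_client_request("example.com", 443, fake_dns)),
        ("SOCKS5 with hostname", safe_client_request("example.com", 443)),
    ]:
        print("%-28s %s leak=%s" % (label, req.hex(), leaks_dns(req)))
```

The point the bytes make: the request carrying `example.com` (SOCKS 4a, or SOCKS 5 with address type 0x03) never caused a lookup on the client, while the SOCKS 4 and "resolve-then-SOCKS 5" paths produced a plaintext DNS query before the proxy saw anything. Tor's SOCKS port accepts both hostname-carrying forms, which is why the FAQ's advice is to get the application to hand over the name rather than the address.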


Comments