Silk Road forums

Discussion => Security => Topic started by: LittleEddy on November 23, 2012, 10:55 pm

Title: websocket: severe security bug
Post by: LittleEddy on November 23, 2012, 10:55 pm
This has been reported earlier, but I think it's worth bringing up again. I followed the instructions and really forgot about it. While sr is down, nothing to do, I looked to see if the "fix" was still intact. It wasn't. It must have reset itself during the last tor update. I couldn't find original thread on the topic so if anybody knows where it's at, you might bump it. Anyway, here is the essence (which I saved locally just in case):

It has been discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.39-1 on Windows; 2.2.39-1 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:
1. Open TOR and Firefox will open automatically.
2. Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
3. Type “websocket” (again, without the quotes) into the search bar that appears below "about:config".
4. Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.
Title: Re: websocket: severe security bug
Post by: CoolGrey on November 23, 2012, 11:11 pm
This has been mentioned before but it's always good to bring it to people's attention.

dkn255hz262ypmii.onion/index.php?topic=46439.0
Title: Re: websocket: severe security bug
Post by: LittleEddy on November 23, 2012, 11:45 pm
the "experts" seem to think that this *is* a severe security issue. I don't know, I'm just a follower. However, if it is indeed serious, perhaps this should be posted as sticky until the bug is fixed. It was reported to be in the tor problem reports to be fixed, but hasn't happened as of yet. Meanwhile, it's necessary to remember to check after each update and remember the instructions which obviously is  not exactly easy to do.
Title: Re: websocket: severe security bug
Post by: woahmang on November 23, 2012, 11:58 pm
Wow, this sucks. Too many moving parts and new HTML5 features in modern browsers. It might be a good idea to use something with HTML4 support and not even JavaScript, shame NetSurf only supports HTTP proxies.
Title: Re: websocket: severe security bug
Post by: h3n on November 24, 2012, 04:36 am
shame NetSurf only supports HTTP proxies.

Just set up privoxy to use tor.
Title: Re: websocket: severe security bug
Post by: snufkin on November 24, 2012, 12:45 pm
I'd like to point out that if you're using a "NoScript" plugin you're not vulnerable unless you temporarily allow scripts.
Title: Re: websocket: severe security bug
Post by: goblin on November 24, 2012, 01:53 pm
Thanks for this useful piece of information, LittleEddy!

goblin