UP-01-006 Browser Leaks allow Websites to determine the true IP
There are various data leaks in browsers that let websites determine the true IP address of visitors. As mentioned in the threat analysis doc, this can be used by a malicious or hacked website to determine that a user is using a proxy and who the user really is. As hiding the user’s identity is the primary goal of the Tor project, they also have a relevant wiki page about leaks in Chrome and a design document for Tor Browser that mentions some issues they fixed. Leaks mentioned in those documents that seem to be unfixed are:
- WebRTC by design leaks all IP addresses of the user to websites, including the public IP, which can be used to identify the network connection that was used to connect to the Internet, and IPv6 addresses that might contain the adapter's MAC address. MAC addresses of Wifi interfaces could in turn be used to easily track down the specific computer that was used or to recognize it again later. In Firefox, WebRTC can be disabled completely by setting `media.peerconnection.enabled` to false – however, that would probably break uProxy as well, so a more fine-grained API might be necessary.
- Adobe Flash, which is shipped with Google Chrome, allows websites to use `flash.net.Socket` to establish TCP connections that bypass the browser stack, including the proxy settings. A malicious flash object can use that to directly connect to a service that replies with the user's IP. This is e.g. used by Amazon in a Fraud Protection system: They use this to de-anonymize everyone who logs in to Amazon.
- DNS prefetching seems to be an issue in Chrome and Firefox. According to the Torbrowser Design Doc, the uProxy extension for Firefox should be able to prevent this by setting the `network.proxy.socks_remote_dns` and `network.dns.disablePrefetch` options in `src/firefox/lib/firefox_proxy_config.js`. There seems to be no such API in Chrome at the moment though.
- Certificate validation in Chrome will bypass the proxy.
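To make the WebRTC finding above checkable, here is an added example (not from the audit or the uProxy code base): a JavaScript checker that parses the ICE candidate lines a browser emits in its SDP and classifies what each non-relay candidate reveals, including the EUI-64 pattern that embeds an adapter MAC in an IPv6 address. The SDP fragment is constructed; in a real check you would feed it the `localDescription` of the browser under test, before and after applying the `media.peerconnection.enabled` setting.

```javascript
// Added example (not from the audit or the uProxy code base): classify the ICE
// candidates a browser exposes in its SDP by what each one reveals. Relay candidates
// only expose the TURN server; everything else is a leak class. Sample SDP is constructed.
const SAMPLE_SDP = [
  'a=candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'a=candidate:2 1 udp 2122194687 2001:db8:1::21a:2bff:fe3c:4d5e 51235 typ host generation 0',
  'a=candidate:3 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'a=candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 51234',
].join('\r\n');

// Pull connection address and candidate type out of each a=candidate line (RFC 5245 syntax).
function parseCandidates(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = line.match(/^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/);
    if (m) out.push({ ip: m[1], type: m[2] });
  }
  return out;
}

// Expand "::" and return the eight 16-bit hextets (embedded-IPv4 notation is not handled).
function expandIPv6(addr) {
  const [head, tail = ''] = addr.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  return [...h, ...Array(8 - h.length - t.length).fill('0'), ...t].map(x => parseInt(x, 16));
}

function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Leak class of one candidate, or null when it reveals nothing about the client.
function classify(cand) {
  if (cand.type === 'relay') return null;
  if (cand.ip.includes(':')) {
    const h = expandIPv6(cand.ip);
    // RFC 4291 modified EUI-64: interface id carries ff:fe in bytes 3-4, so the MAC is embedded.
    if ((h[5] & 0xff) === 0xff && (h[6] >> 8) === 0xfe) return 'ipv6-eui64-mac';
    if ((h[0] & 0xffc0) === 0xfe80) return 'ipv6-link-local';
    return 'ipv6-global';
  }
  return isPrivateIPv4(cand.ip) ? 'ipv4-private' : 'ipv4-public';
}

// Every leaking candidate with its class; an empty result means only relay addresses were offered.
function auditSdp(sdp) {
  return parseCandidates(sdp).map(c => ({ ...c, leak: classify(c) })).filter(c => c.leak);
}

for (const c of auditSdp(SAMPLE_SDP)) console.log(`${c.type} ${c.ip} -> ${c.leak}`);
```

With WebRTC disabled the browser offers no candidates at all and `auditSdp` returns an empty array, which is the state a leak test should confirm.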
There is an open Chromium issue about the issue in Flash where a Chromium developer commented that “Whatever we do at the browser-level is best-effort” and “Users that are serious about protecting their information from going onto the network would be best served by doing it at the OS networking level”. However, given that this is not feasible in the context of uProxy and that uProxy is a Google project, we hope that the Chromium authors change their opinion on this. The situation in Firefox seems to be a lot better; the Tor Browser design document states that “a code audit was undertaken to verify that there were no system calls or XPCOM activity in the source tree that did not use the browser proxy settings”.
We recommend that uProxy asks the Firefox and Chromium Projects for APIs that allow extensions to disable these browser features temporarily, e.g. by blocking direct network access for plugins like Flash (or completely disabling plugins if restricting them is impossible) and disabling WebRTC for websites. We do recognize that this would allow a website to detect that some kind of enhanced-privacy mode is active, but believe that it would still be a significant improvement over the existing leaks. A programmatic way to suppress execution of plugins might be similar to, for instance, HTTP Sandbox headers.
See also #316, #281, and #250. We have also discussed a number of other mechanisms by which a website might be able to determine a Chromium user's IP address, and which would be significantly harder to fix :-(.
Tor has now forked Firefox (and dropped support for upstream Firefox), in part for related reasons.
While we will do what we can to reduce these leaks, we do not expect to be able to provide strong IP address concealment in the near future. Instead, we will have to work hard to help users understand how to use uProxy safely.
@bemasc "Instead, we will have to work hard to help users understand how to use uProxy safely."
I see. But - what do you mean by that? Is there any documentation on that educational goal for users?
I don't think we have detailed plans yet for how to communicate uProxy's precise behavior, but roughly speaking the goal is to emphasize that uProxy is a tool to help you connect to websites, not a tool to hide your identity from the websites you visit.
In the long term we might also be interested in writing a system-level VPN (especially for Android and iOS, #370), which would allow us to offer more privacy-related features.