/g/ - Technology

install openbsd

[Make a Post]
[X]





Links DNS Leak Nanonymous No.9030 [D][U][F][S][L][A][C] >>9134
File: bd776d037846a916704fb03d25c84b32ffdc8dda030ea54a11c712312e5088be.png (dl) (53.57 KiB)
https://marc.info/?l=openbsd-ports&m=156832957101047&w=2

Prior to version 2.20.1, the Links web browser leaked DNS when used with Tor. Stop using Links with Tor.

Nanonymous No.9033 [D] >>9043
time to laugh at that one openbsd fag who used it

Nanonymous No.9034 [D] >>9134
Why the actual fuck would you use Tor with any other browser than Tor Browser? You'd have to be a special kind of retard to use it with >Links

Nanonymous No.9042 [D][U][F] >>9061 >>9134 >>9395
File: 7f931413a6bb88cde60e6352d575e49cc1748c45c0146400890dde6af093c9a8.jpg (dl) (123.03 KiB)
Good thing I've said to have pf firewall transparent proxy, so this doesn't affect me or anyone using my recommended settings. Also, Tor is pointing specifically to localhost port 53. This means all DNS requests are enforced system wide.
><link rel="dns-prefetch" href="http://host.domain/">.
This will probably only work if you have async dns activated, which I said explicitly to disable.

Also, where exactly I've said Links is perfect? I didn't.
Do you need me to point how many firefox (which TBB is based on) bugs exist in one only month? Here, this year they had (up until now) a total of 105 vulnerabilities, including 4 code execution and 8 "bypass something":
http://web.archive.org/save/https://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452

<ooh boys, we got him!11!!1
<we are so smart because we use a 12 million LoC browser
If you want to use TBB, go ahead and do what you want. I'm only arguing Links is better in many (if not all) areas where you don't need javascript/css.

Nanonymous No.9043 [D] >>9395
>>9033

Nope. I did not. Virus averted! Thank you anon.

Nanonymous No.9061 [D] >>9072
I warned them not to do it, they didn't listen. if at least those idiots tested their setup, they would see the dns leaks or other problems

>>9042
I rather choose Tor Browser vulnerabilities than having almost unique fingeprint. only few nanochan users use Tor+Links, so your browsing history is almost public
also there are ways to protect against Tor Browser exploits. use Safest setting, use virtual machine, use firewalls, firejail

the idea to recreate Tor Browser using different browser is interesting, but it requires a lot of work and testing, which they didn't

Nanonymous No.9064 [D]
Links with Tor = security
Tor Browser = privacy and anonymity

your choice

sage sage No.9072 [D]
>>9061
>so your browsing history is almost public
Here you really show how you don't understand shit about what you're talking about. Go read a fucking book on networking.
>use Safest setting
Yes, this for sure will stop attacks.
>use virtual machine
Yes, that's the solution for security problems.
>if at least those idiots tested their setup
I did test. My setup didn't leak anything, because of my configurations.
>I warned them not to do it, they didn't listen.
You warned shit about this. No one even knew this vulnerability until fixed last month. Also, this doesn't leak all DNS traffic, only when HTML calls "dns-prefetch".

Nanonymous No.9078 [D]
>DNS leak
If your DNS isn't anonymized, links bug or not, it's still your fault.

Nanonymous No.9134 [D] >>9395
>>9030
>>9042
you dumb fucks. making all network traffic go over the proxy is not a security goal of these types of software. a proxy is to get into your retarded work network. if it breaks in some edge case, someone files a bug and gets it fixed. also, this is EXACTLY the same for transparent proxies implemented via firewall crap like iptables.
also, firecuck, is exponentially worse than Links even with this bug. now kys
>>9034
because Tor browser, firefux, chrome, etc are fucking unusable you dumb shit

Nanonymous No.9395 [D] >>9413 >>9492
>>9134
>because Tor browser, firefox, chrome, etc are fucking unusable
Using anything other than Tor Browser is like wearing pink hot pants and a bag over your head. Yes you're anonymous, but very trackable and the moment you use the same browser without Tor then your real identity is linked to your Tor history.

>>9042
Pushing everything over Tor is not great since exit nodes will sniff all your plaintext traffic.

What Tails does is run Tor under a dedicated user account and then use firewall rules to block external network access for all other user accounts. Don't know if pf can do that but serious operating systems like Linux have firewalls which obviously can.

Another option is to run the browser in a network namespace and then have Tor outside but listening on a veth interface attached to the namespace. But a toy OS like OpenBSD doesn't have namespaces either.

>>9043
>time to laugh at that one openbsd fag who used it
Yep.

Nanonymous No.9404 [D] >>9413 >>9421 >>9432 >>9492
I would like a definitive answer from someone who knows something.
One anon says that Links with faked firefox http headers is enough to not be fingerprinted, others say that using anything but Tor Browser will get you fingerprinted.
Which is the truth?

Nanonymous No.9413 [D] >>9421 >>9422 >>9435 >>9443
>>9395
>Yes you're anonymous, but very trackable and the moment you use the same browser without Tor then your real identity is linked to your Tor history.
or if they login into any account linked to their real name, even with Tor

>Pushing everything over Tor is not great since exit nodes will sniff all your plaintext traffic.
not pusing everything over Tor is retarded. you shouldn't use plaintext for any confidential data, Tor or not. without Tor it will be your ISP and government who will sniff on your plaintext traffic

>Another option is to run the browser in a network namespace and then have Tor outside but listening on a veth interface attached to the namespace. But a toy OS like OpenBSD doesn't have namespaces either.
another option is to run virtual machine that only allows Tor and routes everything through Tor
https://whonix.org

>>9404
>One anon says that Links with faked firefox http headers is enough to not be fingerprinted, others say that using anything but Tor Browser will get you fingerprinted.
>Which is the truth?
the second is closer to truth. using similar http headers will only hide you from the most basic fingerprinting like reading your User-Agent. but there are many more techniques and they will detect that your browser is fake firefox. and I am assuming you meant with disabled javascript, because with javascript you have 0 chance of hiding.
also, how do you want to simulate firefox header order?
do you know current firefox and Tor Browser use http/2 protocol for HTTPS traffic? does your Links use it too? does your Links use same TLS library that firefox uses? SSL fingerprint is real

Nanonymous No.9421 [D] >>9422
>>9404
>Which is the truth?
both will be fingerprinted, that is unavoidable.

<<when using tor browser
your unique finger print will be harder to track back to you if it matches other users exactly the same. this is why many users push using tor browser with safest settings

<<using other browsers through tor
your fingerprint will be much less common, even if configured the same as other users. you will be easier to individualize.

>>9413
>not pusing everything over Tor is retarded. you shouldn't use plaintext for any confidential data, Tor or not. without Tor it will be your ISP and government who will sniff on your plaintext traffic
imposing that the major world governments do not own all tor exit notes

Nanonymous No.9422 [D] >>9426 >>9492
>>9421 >>9413
What fingerprint are we actually talking about other than user agent?
Setting your settings to safest is a finger print in and of itself!
Other than shrinking screen size, and making each tab use a different circuit, what does Tor Browser really offer that another browser can't?

>if you don't use tor you are dumb and everything will be leaked
Not all sites work over Tor for one, so that's completely impractical.
Second you should be using DNS over TLS & HTTPS Everywhere or something when browsing the clearnet.
This way at least you can't be seen over the wire, and only the site and DNS server has your IP/location.


Nanonymous No.9426 [D]
>>9422
>Setting your settings to safest is a finger print in and of itself!
a fingerprint used by many people. your Links fingerprint will be unique

>Other than shrinking screen size, and making each tab use a different circuit, what does Tor Browser really offer that another browser can't?
it's not what special it does, it's how different it is. Tor Browser uses different SSL, HTTP, CSS, JS engines that other browsers do (except firefox which is similar), those differences in engines will produce a lot of fingerprintable stuff
HTTP & SSL negotiation, header values, order of header, order of requests, timing/delays of requests, SSL fingerprint, CSS fingerprinting
good luck simulation all this shit in Links
Jews destroyed Web, it can only be destroyed and a new protocol be built

>Not all sites work over Tor for one, so that's completely impractical.
do not visit them, destroy and harass them, find alternatives
we need to be like faggots who destroy windows in shops that discriminate faggots

>Second you should be using DNS over TLS & HTTPS Everywhere or something when browsing the clearnet.
>This way at least you can't be seen over the wire, and only the site and DNS server has your IP/location.
<only
also no, the ISP and government will know what site do you access, at what time

Nanonymous No.9432 [D] >>9435
>>9404
I'm the anon who 'defends' Links browser. I won't answer in this thread anymore, because some monkey is trying to "catch a fight" with me and I'm tired of dicussing this. You can read this thread if you want to see my arguments:
https://nanochanqwrwtmamtnhkfwbbcducc4i62ciss4byo6f3an5qdkhjngid.onion/g/4669.html

Nanonymous No.9435 [D] >>9436 >>9487
>>9413
>another option is to run virtual machine that only allows Tor and routes everything through Tor
memebsd doesn't have virtual machines either.
Theo doesn't believe in them.

>>9432
So you've lost this argument more than once and still haven't learned your lesson? Jeez.

sage sage No.9436 [D] >>9443
>>9435
Dialectics is not about win or lose. It's about getting closer to the truth.
You need to learn some lessons, kiddo.

Nanonymous No.9443 [D]
>>9413
>not pusing everything over Tor is retarded. you shouldn't use plaintext for any confidential data, Tor or not. without Tor it will be your ISP and government who will sniff on your plaintext traffic
I don't want to tell you your threat model but if I had unknown network connections leaking from applications, I would prefer they bounce off the firewall and not get out at all rather than blindly funnel it all through Tor.

For personal data, my ISP and government already know who I am. I've got nothing to gain by putting that stuff thread Tor. The only thing it will do is trigger security alerts because I logged in from random Tor exit nodes.

>>9436
>Dialectics is not about win or lose. It's about getting closer to the truth.
You lose because you cannot defend your statement but still insist it's true.
Learning the truth is impossible with this attitude.

Nanonymous No.9487 [D] >>9535 >>9991
>>9435
vmm (4)

Nanonymous No.9492 [D][U][F]
File: c7b91e103feb2f498246686888664abe47ac2055f4d9ffb1c0c3a288a0580908.png (dl) (1.71 MiB)
>>9422
>what does Tor Browser really offer that another browser can't?
rtfm
>>9395
it likely doens't matter in practice. the main reason to use Tor is so the local admin or ISP can't see what you're doing, so the autistic webadmin can't block you, and so the sites you visit don't know who you are.
and they simply CANT, without doing a targeted attack, and having administrative access to multiple websites you visit
any targeted attack is going to win against any webshit implementation anyway so why bother. if someone wants to hack you, they'll spend 5 minutes finding a new 0day against your shitty web browser. even Links still has RCE vulns.
so actually, this discussion is all about quality of software and not security. Links is still much higher quality than any other web browser. if you actually want to have security (as in more assurance than, "lol the hackers are lazy they'll never get me cus i dont matter") why would you be using a pile of UNIX/C garbage
>but very trackable and the moment you use the same browser without Tor then your real identity is linked to your Tor history.
yes, then don't do that
>>9404
all web browsers can be fingerprinted, including Links. this has nothing to do with JS or CSS. the protocols are simply so vast that there is no canonical implementation (every implementation will be different). even just HTTP alone is too complex to be unfingerprintable without a ton of coordinated effort and cutting off 10,000 useless features
The opening of chapter 3 of The Tangled Web describes it well:
>The history of HTTP offers interesting insight into its authors' ambitions
>and the growing relevance of the Internet. Tim Berners-Lee's earliest 1991
>draft of the protocol (HTTP/0.91) was barely one and a half pages long, and
>it failed to account for even the most intuitive future needs, such as extensi-
>bility needed to transmit non-HTML data.
>Five years and several iterations of the specification later, the first
>official HTTP/1.0 standard (RFC 19452) tried to rectify many of these short-
>comings in about 50 densely packed pages of text. Fast-forward to 1999, and
>in HTTP/1.1 (RFC 26163), the seven credited authors attempted to antici-
>pate almost every possible use of the protocol, creating an opus over 150
>pages long. That's not all: As of this writing, the current work on HTTPbis,4
>essentially a replacement for the HTTP/1.1 specification, comes to 360 pages
>or so. While much of the gradually accumulated content is irrelevant to the
>modern Web, this progression makes it clear that the desire to tack on new
>features far outweighs the desire to prune failed ones.
>Today, all clients and servers support a not-entirely-accurate superset of
>HTTP/1.0, and most can speak a reasonably complete dialect of HTTP/1.1,
>with a couple of extensions bolted on. Despite the fact that there is no practi-
>cal need to do so, several web servers, and all common browsers, also main-
>tain backward compatibility with HTTP/0.9.
even Tor Browser is fingerprintable and always will be. the game is to find the most obvious points of fingerprinting and patch them, and this is what Tor Browser devs are doing every day. once again, a targeted attack will still succeed

Nanonymous No.9523 [D][U][F] >>9545 >>9623
File: d5876278847b3b27a95bb16f685bacbb53c93afdfdfda4b5a3b10c58fe3ead97.png (dl) (648.27 KiB)
I use tor with IE 7 but I spoof my user agent to say IE 11 just in case some nazi thinks you need current malware.

Tor browser was written by navy fags. It enables javascript when specific strings are seen. thats what you get when you trust semen to give you something trustworthy.

Nanonymous No.9535 [D] >>9625
>>9487
>vmm (4)
Can it run Tor browser?

Nanonymous No.9545 [D] >>9564
>>9523
If that's true, where in the source does it do that?

Nanonymous No.9564 [D] >>9580 >>9623
>>9545
>If that's true, where in the source does it do that?
it's not in source, it's in binary version that you get from torproject.org

Nanonymous No.9580 [D] >>9588 >>9606
>>9564
The binary version is bit-for-bit reproducible from the source code.
Your are a full of shit faggot. Get out of here, and die.

Nanonymous No.9588 [D]
>>9580
It's probably just a troll based on this old bug.
https://thehackernews.com/2018/09/tor-browser-zero-day-exploit.html

Nanonymous No.9606 [D]
>>9580
it's no longer reproducible since 9.0

Nanonymous No.9623 [D]
>>9523
>>9564
Want to give an example of these specific strings?

Nanonymous No.9625 [D] >>9705
>>9535
>Can it run Tor browser?
Yes.

Nanonymous No.9705 [D]
>>9625
How do you run Tor Browser without X?