Open Mikaela opened 6 years ago
"Onion: Can requests to 127.0.0.1 be used to fingerprint the browser?" / clearnet issue at Tor issue tracker: it seems that this was reported five years ago as a bug and connections to 127.0.0.1 were blocked by default 4 years ago.
I encountered this issue by accident while searching for different information.
Thanks for reporting. Is it possible to only allow clearnet connections to localhost on port 43110?
If not doable in Firefox, perhaps it is possible to create an exception in Tor's torrc config file.
Is it possible to only allow clearnet connections to localhost on port 43110?
If it is, I am not seeing the way to do that, as setting "no proxy for" to 127.0.0.1:43110 and 127.0.0.1#43110 both let me access all the ports.
My first thought before I opened this issue was making ZeroNet listen on 127.0.0.2, but I was still able to access everything on 127.0.0.1. I don't know if Firefox has special treatment for 127.* addresses.
"How to use ZeroNet in Tor browser?" advises telling TB to not send traffic to 127.0.1 through Tor. While this is required for ZeroNet to work, this might also allow malicious sites to fetch content from other ports and allow fingerprinting users.
I am thinking of http://127.0.0.1:631 which is CUPS/printing web interface (often used in Linux, macOS), http://127.0.0.1:8080/ can be anything (IPFS uses it by default, I have Syncthing there, I think µTorrent also uses it for remote UI), transmission-daemon uses 9091 if I recall correctly.
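
The port-scoped exception asked about in this thread, written as proxy auto-config (PAC) logic. This is an added example, not code from the thread, ZeroNet or the Tor Project. The SOCKS address 127.0.0.1:9150 and the browser being pointed at a PAC file instead of the "no proxy for" field are assumptions.

```javascript
// Added example: PAC logic that bypasses the proxy for exactly one
// loopback host:port and sends every other request, including other
// 127.0.0.1 ports, to the proxy.
var ZERONET_HOST = "127.0.0.1";          // address named in the thread
var ZERONET_PORT = 43110;                // ZeroNet port named in the thread
var TOR_PROXY = "SOCKS5 127.0.0.1:9150"; // assumption: local Tor SOCKS listener

// Pull scheme, host and effective port out of the URL string.
// A regex is used because the PAC sandbox has no URL class.
function parseTarget(url) {
  var re = /^([a-z][a-z0-9+.-]*):\/\/(?:[^\/?#@]*@)?(\[[^\]]+\]|[^\/?#:]*)(?::(\d+))?/i;
  var m = re.exec(url);
  if (!m) return null;
  var scheme = m[1].toLowerCase();
  var defaults = { http: 80, https: 443, ws: 80, wss: 443 };
  var port = m[3] ? parseInt(m[3], 10) : defaults[scheme];
  return { scheme: scheme, host: m[2].toLowerCase(), port: port };
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  var t = parseTarget(url);
  // Fail closed: the host argument, the host parsed from the URL and
  // the port must all match exactly. Userinfo tricks such as
  // "127.0.0.1:43110@other.host" and alternate loopback spellings
  // do not qualify.
  if (t &&
      host === ZERONET_HOST &&
      t.host === ZERONET_HOST &&
      t.port === ZERONET_PORT) {
    return "DIRECT";
  }
  return TOR_PROXY;
}
```

With this rule, requests to the other local services mentioned above (631, 8080, 9091) are handed to the proxy instead of being connected directly.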