Open cure53 opened 10 years ago
See also #316, #281, and #250. We have also discussed a number of other mechanisms by which a website might be able to determine a Chromium user's IP address, and which would be significantly harder to fix :-(.
Tor has now forked Firefox (and dropped support for upstream Firefox), in part for related reasons.
While we will do what we can to reduce these leaks, we do not expect to be able to provide strong IP address concealment in the near future. Instead, we will have to work hard to help users understand how to use uProxy safely.
@bemasc "Instead, we will have to work hard to help users understand how to use uProxy safely."
I see. But - what do you mean by that? Is there any documentation on that educational goal for users?
I don't think we have detailed plans yet for how to communicate uProxy's precise behavior, but roughly speaking the goal is to emphasize that uProxy is a tool to help you connect to websites, not a tool to hide your identity from the websites you visit.
In the long term we might also be interested in writing a system-level VPN (especially for Android and iOS, #370), which would allow us to offer more privacy-related features.
There are various data leaks in browsers that let websites determine the true IP address of visitors. As mentioned in the threat analysis doc, this can be used by a malicious or hacked website to determine that a user is using a proxy and who the user really is. As hiding the user’s identity is the primary goal of the Tor project, they also have a relevant wiki page about leaks in Chrome and a design document for Tor Browser that mentions some issues they fixed. Leaks mentioned in those documents that seem to be unfixed are:
- `media.peerconnection.enabled` to false – however, that would probably break uProxy as well, so a more fine-grained API might be necessary.
- `flash.net.Socket` to establish TCP connections that bypass the browser stack, including the proxy settings. A malicious flash object can use that to directly connect to a service that replies with the user’s IP. This is e.g. used by Amazon in a Fraud Protection system: They use this to de-anonymize everyone who logs in to Amazon.
- `network.proxy.socks_remote_dns` and `network.dns.disablePrefetch` options in `src/firefox/lib/firefox_proxy_config.js`. There seems to be no such API in Chrome at the moment though.
- Certificate validation in Chrome will bypass the proxy.

There is an open Chromium issue about the issue in Flash where a Chromium developer commented that “Whatever we do at the browser-level is best-effort” and “Users that are serious about protecting their information from going onto the network would be best served by doing it at the OS networking level”. However, given that this is not feasible in the context of uProxy and that uProxy is a Google project, we hope that the Chromium authors change their opinion on this. The situation in Firefox seems to be a lot better; the Tor Browser design document states that “a code audit was undertaken to verify that there were no system calls or XPCOM activity in the source tree that did not use the browser proxy settings”.
We recommend that uProxy asks the Firefox and Chromium Projects for APIs that allow extensions to disable these browser features temporarily, e.g. by blocking direct network access for plugins like Flash (or completely disabling plugins if restricting them is impossible) and disabling WebRTC for websites. We do recognize that this would allow a website to detect that some kind of enhanced-privacy mode is active, but believe that it would still be a significant improvement over the existing leaks. A programmatic way to suppress execution of plugins might be similar to for instance HTTP Sandbox-Headers.
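As an added example (not code from the uProxy project or from this report): a small Node.js check that reads a Firefox `prefs.js`/`user.js` and reports whether the three Firefox preferences named in the list above are at their leak-reducing values. The expected value `true` for the two DNS preferences, the function names and the sample profile are assumptions of this example; a preference absent from the file is reported as `missing` because the browser default then applies.

```javascript
// Added example: audit a Firefox prefs.js / user.js for the leak-related
// preferences named in this issue. Values below are the hardened settings.
const EXPECTED = {
  "network.proxy.socks_remote_dns": true, // resolve DNS through the SOCKS proxy
  "network.dns.disablePrefetch": true,    // no speculative DNS lookups
  "media.peerconnection.enabled": false,  // WebRTC off (the issue notes this would break uProxy)
};

// Parse `user_pref("name", value);` lines into a Map. The pattern is anchored
// at line start, so commented-out prefs are ignored. Only boolean, integer
// and double-quoted string values are handled.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    try {
      prefs.set(m[1], JSON.parse(m[2])); // later entries override earlier ones
    } catch {
      // string with an escape JSON cannot decode: skip it
    }
  }
  return prefs;
}

// Return one finding per expected pref: "ok", "wrong" or "missing".
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  return Object.entries(EXPECTED).map(([name, want]) => {
    if (!prefs.has(name)) return { name, status: "missing", want };
    const got = prefs.get(name);
    return { name, status: got === want ? "ok" : "wrong", want, got };
  });
}

// Constructed sample input, not taken from a real profile.
const SAMPLE = `
// Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_remote_dns", true);
// user_pref("network.dns.disablePrefetch", true);
user_pref("media.peerconnection.enabled", true);
`;

for (const f of auditPrefs(SAMPLE)) {
  console.log(`${f.status.padEnd(7)} ${f.name} (want ${f.want})`);
}
```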