@ eric:
Great idea! Unfortunately, it turned out I already had that set to false, as my default, even. I cautiously tried changing a few more things, but nothing works.browser.cache.disk_cache_ssl
All these problems started with the most recent update of Tor for Lenny (oldstable) on 30 August, which is unfortunately in the frame for the genuine cert for add-ons.mozilla.org which was improperly issued to an imposter by DigiNotar. Among other things it wiped out my old /etc/tor/torrc which I had to try to carefully reconstruct. IMO, it is really disastrous when a security upgrade to a privacy tool actually degrades anonymity, but probably the Security Team would says its my own fault for not having figured out how to use Squeeze yet (because I can't get KDE to work, because I can't seem to get the nonfree firmware I need, and maybe also because that PC is running hot).
A few years ago, there was some reason why one should use socks4a rather than socks5, and even the most recent version of tor (for Lenny) suggests adding to /etc/privoxy/config the lines
Code: Select all
listen-address 127.0.0.1:8118
forward-socks4a / localhost:9050 .
Code: Select all
listen-address 127.0.0.1:8118
forward-socks5 / localhost:9050 .
@ anyone else is struggling with this:
You can check to see if privoxy is running and if not call
Code: Select all
/etc/init.d/privoxy start
Code: Select all
http://www.privoxy.org/config/
Code: Select all
sudo netstat -anp | grep tcp | sed 1d | column -t
@eric:
Do you also see a /var/run/tor/control on your system?
Would you feel comfortable being a bit more explicit about this?:
You are using Iceweasel/Firefox, right? (Not Google Chromium?) Version? What Debian? You have installed NoScript? Anything you can share about its configuration? When you do about:config and filter by "proxy", by "cache", or by "auth", what do you see?I have also disabled MUCH of caching in about:config
I get very inconsistent results. On two tests I did get the popup window saying
Code: Select all
A username and password are being requested by http://ip-check.info. The site says "IP-Check Realm"
Code: Select all
Name:
Password:
I may have a better guess about the nature of this "http authentication attack" now. I now think it is unrelated to both certificates and the yaha "http authentication attack" tool, which tries to guess default passwords in web servers.
The php script at ip-check.info definitely seems to be able to trigger some actions in vulnerable browsers, even if you are running NoScript and have configured Iceweasel/Firefox very conservatively (more than enough to "break" most functions, but sufficient to surf). My current guess is that the attack does indeed involve an "http password" function which seems to be impossible to disable, at least in older Iceweasel/Firefox. The /var/log/tor/log consistently shows two entries of form
Code: Select all
[warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed]
Code: Select all
ip-check.info/?lang=en
I cannot figure out why you are getting the green light but I am (mostly) not--- if you are willing, I would be grateful if you note similar notations in your Tor log, and so forth. Even if you simply try running the test several more times to see if you really do get a green light each time.
I have never gotten the same "unique identifier", and I hope the rejection of the request for a private address (can't figure out what it is) show that no "pseudocookie" is actually getting into my system.
But I am still very concerned, because deanonymity could have devastating consequences for me. And it appears to be possible that the script is able to execute a hidden http authentication window which is only intermittently visible.
There should be some way to deactivate this http authentication entirely, at least when using Tor. But unless someone sees something I'm missing, it may be that only the Debian Security Team can provide a fix for Lenny users.