tor/privacy (socks5) option giving ssl error

Ileana ileana at fairieunderground.info
Tue Apr 2 23:12:45 EDT 2013


On Tue, 2 Apr 2013 22:36:51 -0400
Daniel Atallah <datallah at pidgin.im> wrote:

> On Tue, Apr 2, 2013 at 9:11 PM, Ileana
> <ileana at fairieunderground.info> wrote:
> > From my basic understanding, a tor/privacy setting should ensure:
> 
> All of my answers below apply to stock Pidgin when you select
> Tor/Privacy in the proxy settings- any third party plugins could
> change the behavior.
> 
> Some effort has been put into making XMPP "safe" from a privacy
> perspective; other protocols have issues - good patches are always
> welcome.

Well thanks for the effort.
> 
> > *no local dns lookups (perhaps as an options checkbox)
> > socks4 automatically does lookup at end...there is no option.
> > socks5 you have option for local or remote dns in the spec.  Most
> > tor users want remote, except in the case of TAILS a user might
> > handle the dns queries locally (and then resolving them through for
> > instance tor's dns port).  I think the safe side is to do them
> > remotely.
> 
> The libpurple DNS functionality will be blocked - anything that can be
> done through the proxy will be done, otherwise the functionality will
> fail (for things using the libpurple DNS API).
> 
> It's possible that protocols like gadu-gadu or sametime, which use
> external libraries to implement the protocol, would make DNS requests
> without using the libpurple API.
> 
> It looks like Bonjour/Link-Local accounts will send stuff out on your
> local network, because that's how the protocol works.
> 
> > *real ip address never gets sent out
> 
> This should be the case for XMPP.
> 
> If libpurple/Pidgin is configured appropriately, it won't know what
> your external IP address is.
> 
> >
> > *no other system information gets sent out(kernel version, uname,
> > os, etc)
> 
> Your IRC account default settings contain some information from your
> OS user account, but you're free to change them.
> 
> See https://developer.pidgin.im/ticket/15295
> 
> There may be other issues for other protocols
> 
> >
> > *nothing that seems to be a unique identifier gets sent out upon
> > connect/reconnect. (i.e. ssl session ids, user agents/version, etc).
> 
> Of course "unique" things will be sent out - you're connecting to a IM
> account and your account name will be sent out (and possibly your
> password too depending on what you're connecting to).

Everyone disagrees about the "User Agent" issue and this has been a big
pain in the butt across applications from browsers to torrent to chat.
It seems XMPP/Pidgin does send out the timezone and pidgin
version/libpurple version. Seems like minor non-sensitive stuff but it
does allow partitioning of the userspace.

> 
> >
> > *timestamps all converted to utc
> 
> I'm not sure if there are places where your timezone or information
> that can be used to deduce your timezone are sent out, but I don't
> consider this sensitive.
> 
> > *any functionality such as dcc where there is a direct connection to
> > the other client should either be disabled or also ensure the real ip
> > is not leaked.
> 
> This wouldn't be a reasonable assumption to make for protocols other
> than XMPP.
> 
> > I can't think of anything else off the top of my head, but I may
> > have missed something.
> >
> > If you are a developer and can point me to a link to the code that
> > handles the proxy settings, I would take a further look.
> 
> libpurple/proxy.c

Thanks for the info.  I will take a look at it.
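The local-versus-remote DNS distinction discussed above comes down to one byte of the SOCKS5 CONNECT request (RFC 1928): address type 0x03 carries the hostname so the proxy (Tor) resolves it, while 0x01/0x04 carry an IP literal the client already resolved itself, which is the leak. The following is an added example, not Pidgin's code and not libpurple/proxy.c; it builds both forms of the request, lets you inject the resolver so you can see exactly when a local lookup would happen, and decodes a captured request to report where resolution occurs. Host names, the stub resolver, and the 192.0.2.10 address are constructed for illustration.

```python
"""SOCKS5 CONNECT requests: proxy-side vs. client-side name resolution (RFC 1928).

Added example, not part of Pidgin/libpurple. Hostnames and addresses below are
constructed for illustration.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04
_ATYP_NAMES = {ATYP_IPV4: "ipv4", ATYP_DOMAIN: "domain", ATYP_IPV6: "ipv6"}


def build_greeting():
    """Method-selection message: VER=5, one method offered, 0x00 = no auth."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_connect_request(host, port, resolve_locally=False,
                          resolver=socket.gethostbyname):
    """Build a SOCKS5 CONNECT request for host:port.

    resolve_locally=False sends the name with ATYP 0x03; the client performs
    no DNS query and the proxy resolves it (what a Tor user wants).
    resolve_locally=True calls `resolver` first and sends the resulting IP
    literal (ATYP 0x01/0x04), i.e. the lookup leaks to the local resolver.
    `resolver` is injectable so the leak can be observed without network I/O.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if resolve_locally:
        host = resolver(host)  # <-- this is the local DNS lookup
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal: send the name, let the proxy resolve
    if ip is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname longer than the 1-byte SOCKS5 length field")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    elif ip.version == 4:
        addr = bytes([ATYP_IPV4]) + ip.packed
    else:
        addr = bytes([ATYP_IPV6]) + ip.packed
    # VER, CMD, RSV, then DST.ADDR and DST.PORT in network byte order
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode a CONNECT request (e.g. from a capture) -> (atyp_name, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return _ATYP_NAMES[atyp], host, port


def resolves_at_proxy(data):
    """True if the request defers name resolution to the proxy (ATYP 0x03)."""
    return parse_connect_request(data)[0] == "domain"


if __name__ == "__main__":
    safe = build_connect_request("xmpp.example.org", 5222)
    leaky = build_connect_request("xmpp.example.org", 5222, resolve_locally=True,
                                  resolver=lambda name: "192.0.2.10")
    for req in (safe, leaky):
        print(req.hex(), parse_connect_request(req), "proxy resolves:", resolves_at_proxy(req))
```

When auditing a client behind Tor, the useful check is the decoder rather than the builder: capture the bytes the client sends to the SOCKS port and confirm the address type is 0x03 for every CONNECT; a 0x01 or 0x04 means the name was resolved before the proxy ever saw it, regardless of what the UI option says. SOCKS4 has no hostname form at all (that was added in SOCKS4a), which is why the original poster notes there is "no option" there.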
