Detecting Privoxy Users and Circumventing It
TOR is a pretty cool idea. It’s partially a rip off of a very old project that I helped out with at its inception, with a bit of peer to peer built on top of it to help with anonymization. Anyway, very cool. Very slow, but very cool. From what I’ve been told it’s mostly for people looking for bestiality porn, but you get the idea. It’s got all kinds of applications. But it’s a little disconcerting that I don’t know if my users are hiding their origin IP addresses. Wouldn’t it be nice to be able to detect that?
So anyway, there I was, downloading the Torbutton extension, which requires Privoxy and TOR to be installed. Like a good little security guy I go and locate the current version of TOR, which is thankfully bundled with Privoxy. I booted it up and after some wrestling I got it working. The first link I went to, however, was a tad puzzling. It was my own.
My own website has links to ads in it, which Privoxy so nicely kills with an error page letting me know why, along with a link to go directly to the blocked URL. That bypass link was intriguing: it is just the original URL with a fixed modification, and a pretty easy one to reconstruct at that. So I threw up a little test script to detect Privoxy and poof! I took a legitimate image URL, added a keyword Privoxy blocks after it, and embedded that in the modified (bypass) form. If Privoxy is in the path it strips the modification and fetches the image, so if the image loads, Privoxy is being used. If there’s an error because the browser asked my server for the modified URL directly (which doesn’t actually exist) you know they aren’t running it. Now I can tell if users have it installed or not. This may be better than the chrome:// Firefox extension detection because I have a feeling that will get killed eventually.
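Here is the detection written out as an added example in JavaScript. It is not the test script from the post, and it assumes two things the post does not name: that Privoxy’s “go there anyway” link is the original URL with /PRIVOXY-FORCE inserted at the start of the path (the default force-load prefix in Privoxy builds that include it; check it against the link on your own blocked page), and that /images/logo.gif is a real image on the site while “ads” is a token the client’s Privoxy actually blocks. A control image that is never blocked is loaded alongside the probe so that a browser with images disabled is not mistaken for a direct client. A positive result proves only that the request passed through Privoxy, or some other proxy honouring that bypass form, not that it came via Tor.

```javascript
// Added example, not the original test script from the post.
//
// Assumption: Privoxy's "go there anyway" link is the original URL with the
// path prefixed by /PRIVOXY-FORCE (the default force-load prefix). Verify it
// against the link on your own Privoxy blocked page before relying on it.
const PRIVOXY_FORCE_PREFIX = '/PRIVOXY-FORCE';

// Turn http://host/images/logo.gif?banner=ads into
// http://host/PRIVOXY-FORCE/images/logo.gif?banner=ads. Privoxy strips the
// prefix and forwards the request unblocked; a direct client asks the origin
// server for a path that does not exist and gets an error.
function buildForceUrl(originalUrl, prefix = PRIVOXY_FORCE_PREFIX) {
  const u = new URL(originalUrl);
  u.pathname = prefix + u.pathname;
  return u.toString();
}

// Decide from the two load results. The control image exists and matches no
// block rule, so if it fails the browser is not loading images at all (or the
// site is unreachable) and the probe result means nothing.
function classify(controlLoaded, probeLoaded) {
  if (!controlLoaded) return 'inconclusive';
  return probeLoaded ? 'privoxy' : 'direct';
}

// Browser only: load a URL as an <img> and report whether it succeeded.
function loadImage(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url;
  });
}

// Run the check against a site. `loader` is injectable so the decision logic
// can be exercised outside a browser.
// Assumptions: /images/logo.gif is a real image on the site, and "ads" is a
// token the client's Privoxy blocks (neither is named by the post).
async function detectPrivoxy(siteOrigin, loader = loadImage) {
  const control = siteOrigin + '/images/logo.gif';
  const probe = buildForceUrl(siteOrigin + '/images/logo.gif?banner=ads');
  const [c, p] = await Promise.all([loader(control), loader(probe)]);
  return classify(c, p);
}

// In a browser, run it against the page's own origin.
if (typeof window !== 'undefined') {
  detectPrivoxy(window.location.origin).then((r) => console.log('client is', r));
}
```

The query string carries the blocked keyword so that, once Privoxy strips the prefix, the server still serves the real image and ignores the extra parameter; putting the keyword in the path would make the forwarded request 404 on both kinds of client.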



September 12th, 2006 at 5:11 am
My guess is host countries are going to start harassing these anonymous proxies in a big way. It makes law enforcement’s job much harder. Most countries won’t outlaw the practice, but with enough subpoenas, warrants, and associated server seizures (temporary as they may be) no one is going to want to run them. The free ones are especially vulnerable. The paid servers may initially try to survive by allowing law enforcement to install traps so they can sniff traffic at will. But once that is known few people will want to use them.
I know there are legitimate uses for these services, I’ve used them myself. But when you have a high percentage of people using them illegally you can guarantee LE will take notice and the politicians will thump their chests and pass laws restricting them. The German TOR seizure is just the beginning.
September 12th, 2006 at 8:51 am
General purpose servers such as those being used by Tor cannot be shut down. Why? Because all traffic is encrypted so the State has no evidence against them. And of course there is the freedom of speech/information.
But even if in some country, let’s say North Korea, they decide to shut down the servers in their domain, no damage will be done since we are talking about a P2P architecture. Every user is a potential Tor relay server and the routing circuits are constructed in a random way. In the worst case scenario your traffic will be rerouted across the globe to access a neighbor network but that’s not the point. The point is that it WILL be rerouted.
You can’t shut down P2P.
@RSnake: You may be able to detect whether the visitor is using Privoxy but you can’t be sure about his IP. I mean Tor operates in such way it is possible he IS using his real IP (the circuit is user-client -> user-server instead of user-client -> 3rd-server1 -> … -> 3rd-server-n -> www.target).
Also, I understand what you are saying but I haven’t been able to reproduce it using Tor+Privoxy as standalone applications (not using the Firefox Plugin).
September 12th, 2006 at 5:19 pm
I can’t comment on why you can’t see what I’m seeing… are you sure you’re actually using it? (I tested inside Firefox with Torbutton.) You should see the banners at the top and bottom of this page as being blocked if it’s working the way my install is.
And yes, you’re right, I currently don’t know a way to detect TOR clients, but I’m working on it.
I may be able to detect you if I know the name of your intranet server as seen in previous posts using Jeremiah’s CSS hack though - which might be enough.
September 13th, 2006 at 11:07 pm
heh, I’ve been using a very similar method to test for TOR for a while actually .-. .. works like a charm. http://maluc.sitesled.com/tortest.html
you can only access the .onion pseudo-TLD from a TOR network..
-maluc
September 13th, 2006 at 11:09 pm
auto-justifying sure does know how to add emphasis _-_
September 14th, 2006 at 8:30 am
That’s pretty tricky, I hadn’t seen that method. Pretty slick!
September 18th, 2006 at 2:48 pm
@Maluc
That test doesn’t work on my system, and I do have Tor.
I tried putting FoxyProxy with the full-blown Tor client built into it. But it seems that the hostnames on which it runs all have the keyword “tor” in them. Like these: “tor-proxy” & “anonymisa-tor.org” (real live examples)
One could filter them out.
September 18th, 2006 at 4:32 pm
hrm, that’s weird.. are you not able to load this website when you have Tor enabled then? http://6sxoyfb3h2nvok2d.onion/ .. that’s the link to its hidden wiki on the .onion TLD
If so, you’re probably using non-Tor DNS servers then, and are thus not anonymous while doing so.
.. I’m not sure of any way to disable the .onion domain via Tor settings and it definitely defaults to on.
If that’s always the case about the hostnames, then ya that could work too ^^ .. but although it may not return false negatives, you’ll still get some false positives - such as gator.com and tortilla.net
-maluc
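The hostname idea above, as an added example that is not code from either commenter: it runs the naive substring test (“tor” anywhere in the reverse-DNS name) next to a tighter test that only matches “tor” as a whole dot- or dash-separated label, over the two real hostnames quoted above and the two false positives maluc points out. The label-based form is my suggestion, not something the thread proposes, and it is still a heuristic: it sees only relays whose operators named them that way, and reverse DNS is set by whoever controls the IP block.

```javascript
// Added example, not code from the thread. Sample hostnames are the ones
// quoted in the comments above (two real relay names, two false positives)
// plus one ordinary host.
const SAMPLE_HOSTS = [
  'tor-proxy',
  'anonymisa-tor.org',
  'gator.com',
  'tortilla.net',
  'www.example.com',
];

// Naive check as described in the thread: flags anything containing "tor",
// so gator.com and tortilla.net match too.
function naiveTorHostname(host) {
  return host.toLowerCase().includes('tor');
}

// Tighter check: split the name into labels on "." and "-" and require an
// exact "tor" label. Matches tor-proxy and anonymisa-tor.org, not gator.com
// or tortilla.net. Relays named without that label are still missed.
function labelTorHostname(host) {
  return host.toLowerCase().split(/[.-]/).includes('tor');
}

// Return what each check flags so the difference is visible side by side.
function flagHosts(hosts) {
  return {
    naive: hosts.filter(naiveTorHostname),
    label: hosts.filter(labelTorHostname),
  };
}

console.log(flagHosts(SAMPLE_HOSTS));
```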
December 20th, 2006 at 1:06 pm
[…] Well the old trick still works but I just wasn’t satisfied with that. I really like to break Privoxy for some reason. I have nothing against it, it just seems like a kludge to me. A Kludge that needs to be broken. So I decided to come up with another way to do the exact same thing, only in a trickier way. This time I used a technique stolen right out of Jeremiah’s handbook. I used CSS and JavaScript to detect if an embedded CSS file works or not. […]
January 18th, 2007 at 2:27 am
interesting
——————
http://privacy.emigrantas.com - all about privacy in the Internet
August 6th, 2007 at 11:46 am
Can we post to craigslist using TOR and Privoxy? Can anyone give the tips of using these with Craigslist posting so that I can post some ads on the board?
February 21st, 2008 at 10:40 pm
Hi Ashish, … I tried many things such as Torpark, Vidalia, xB Browser and also many free proxies but they didn’t work. I only received ghosts. Although sometimes I successfully posted a few ads in “Chicago”, it happened with dial up.
If anyone knows the whole method for foreigners to post in US cities, please tell me. I can even pay for it $$.
June 4th, 2008 at 5:37 pm
You could block .onions with Privoxy easily enough using the same means it blocks ads. Or even route them to a non-existent proxy.
–iR