web application security lab

Detecting Privoxy Users and Circumventing It

TOR is a pretty cool idea. It’s partially a rip-off of a very old project that I helped out with in its inception, with a bit of peer-to-peer built on top of it to help with anonymization. Anyway, very cool. Very slow, but very cool. From what I’ve been told it’s mostly for people looking for bestiality porn, but you get the idea. It’s got all kinds of applications. But it’s a little disconcerting that I don’t know if my users are hiding their origin IP addresses. Wouldn’t it be nice to be able to detect that?

So anyway, there I was, downloading the torbutton extension, which requires Privoxy and TOR to be installed. Like a good little security guy I go and locate the current version of TOR, which is thankfully bundled with Privoxy. I booted it up and after some wrestling I got it working. The first link I went to, however, was a tad puzzling. It was my own.

My own website has links to ads in it, which Privoxy so nicely kills with an error message letting me know why, and allowing me to go directly to the link. That link that allows me to bypass the Privoxy block was intriguing, as it was just a modified URL (and a pretty easy one to reconstruct at that). So I threw up a little test script to detect Privoxy and poof! I inserted a keyword that it blocks after a legitimate image, using the modified URL. If the image loads, Privoxy is being used: only Privoxy rewrites the modified URL back to the real one. If there’s an error because the browser can’t find the image (because the modified URL doesn’t actually exist on the server), you know they aren’t running it. Now I can tell if users have it installed or not. This may be better than the chrome:// Firefox extension detection, because I have a feeling that will get killed eventually.
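The image-probe check described above, written out as an added example (not code from the original post), so a site owner or a Privoxy user can verify whether a given install reacts this way. It assumes, as labelled in the code, that the bypass link prepends Privoxy’s force-load prefix `/PRIVOXY-FORCE` to the path (a compile-time feature, not present in every build), and that `/ads/probe.gif` both exists on the server and matches a default block rule; `probePrivoxy`, `buildProbeUrls` and `classify` are names chosen here.

```javascript
// Added example: detect Privoxy by loading an image through its bypass URL.
// ASSUMPTION: Privoxy's "go there anyway" link inserts this prefix before the
// path and strips it again before forwarding the request (force-load builds only).
const FORCE_PREFIX = "/PRIVOXY-FORCE";

// Build the two URLs involved.
//   direct: the real image, which Privoxy's block rules would refuse to fetch
//   forced: the bypass form; Privoxy removes the prefix and fetches `direct`,
//           while a browser without Privoxy asks the server for a path that
//           does not exist and gets an error
function buildProbeUrls(origin, blockedPath) {
  return {
    direct: origin + blockedPath,
    forced: origin + FORCE_PREFIX + blockedPath,
  };
}

// Verdict from the load result of the forced URL.
function classify(forcedImageLoaded) {
  return forcedImageLoaded ? "privoxy-detected" : "no-privoxy";
}

// Browser driver. `loadImage` is injectable so the decision logic can be
// exercised without a DOM; in a page the default below is used.
function probePrivoxy(origin, blockedPath, loadImage = defaultLoadImage) {
  const { forced } = buildProbeUrls(origin, blockedPath);
  return loadImage(forced).then(classify);
}

// Resolves true on onload, false on onerror. The cache-buster keeps a
// previously cached image from answering for the proxy.
function defaultLoadImage(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url + "?nocache=" + Date.now();
  });
}

// Usage in a page (constructed origin; /ads/probe.gif is assumed to exist
// there and to match a default block pattern):
// probePrivoxy("http://www.example.com", "/ads/probe.gif").then(console.log);
```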

13 Responses to “Detecting Privoxy Users and Circumventing It”

  1. John Herron Says:

    My guess is host countries are going to start harassing these anonymous proxies in a big way. It makes law enforcement’s job much harder. Most countries won’t outlaw the practice, but with enough subpoenas, warrants, and associated server seizures (temporary as they may be) no one is going to want to run them. The free ones are especially vulnerable. The paid servers may initially try to survive by allowing law enforcement to install traps so they can sniff traffic at will. But once that is known few people will want to use them.

    I know there are legitimate uses for these services, I’ve used them myself. But when you have a high percentage of people using them illegally you can guarantee LE will take notice and the politicians will thump their chests and pass laws restricting them. The German TOR seizure is just the beginning.

  2. Legionnaire Says:

    General purpose servers such as those being used by Tor cannot be shut down. Why? Because all traffic is encrypted so the State has no evidence against them. And of course there is the freedom of speech/information.

    But even if in some country, let’s say North Korea, they decide to shut down the servers in their domain, no damage will be done since we are talking about a P2P architecture. Every user is a potential Tor relay server and the routing circuits are constructed in a random way. In the worst case scenario your traffic will be rerouted across the globe to access a neighbor network but that’s not the point. The point is that it WILL be rerouted :)

    You can’t shut down P2P.

    @RSnake: You may be able to detect whether the visitor is using Privoxy but you can’t be sure about his IP. I mean Tor operates in such way it is possible he IS using his real IP (the circuit is user-client -> user-server instead of user-client -> 3rd-server1 -> … -> 3rd-server-n -> www.target).

    Also, I understand what you are saying but I haven’t been able to reproduce it using Tor+Privoxy as standalone applications (not using the Firefox Plugin).

  3. RSnake Says:

    I can’t comment on why you can’t see what I’m seeing… are you sure you’re actually using it (I tested inside firefox with torbutton). You should see the banners at the top and bottom of this page as being blocked if it’s working the way my install is.

    And yes, you’re right, I currently don’t know a way to detect TOR clients, but I’m working on it. ;) I may be able to detect you if I know the name of your intranet server as seen in previous posts using Jeremiah’s CSS hack though - which might be enough.

  4. maluc Says:

    heh, i’ve been using a very similar method to test for TOR for a while actually .-. .. works like a charm. http://maluc.sitesled.com/tortest.html

    you can only access the .onion pseudo-TLD from a TOR network..

    -maluc

  5. maluc Says:

    auto-justifying sure does know how to add emphasis _-_

  6. RSnake Says:

    That’s pretty tricky, I hadn’t seen that method. Pretty slick!

  7. jungsonn Says:

    @Maluc

    That test doesn’t work on my system, and I do have Tor.

    I tried putting in FoxyProxy with the full-blown Tor client built into it. But it seems that the hostnames on which it runs all have the keyword “tor” in them. Like these: “tor-proxy” & “anonymisa-tor.org” (real live examples)

    One could filter them out.

  8. maluc Says:

    hrm, that’s weird.. are you not able to load this website when you have tor enabled then? http://6sxoyfb3h2nvok2d.onion/ .. that’s the link to its hidden wiki on the .onion TLD

    If so, you’re probably using non-tor DNS servers then, and are thus not anonymous while doing so :x .. I’m not sure of any way to disable the .onion domain via tor settings and it definitely defaults to on.

    If that’s always the case, about the hostnames, then ya that could work too ^^ .. but although it may not return false negatives, you’ll still get some false positives - such as gator.com and tortilla.net

    -maluc

  9. ha.ckers.org web application security lab - Archive » Detecting Privoxy Part II Says:

    […] Well the old trick still works but I just wasn’t satisfied with that. I really like to break Privoxy for some reason. I have nothing against it, it just seems like a kludge to me. A Kludge that needs to be broken. So I decided to come up with another way to do the exact same thing, only in a trickier way. This time I used a technique stolen right out of Jeremiah’s handbook. I used CSS and JavaScript to detect if an embedded CSS file works or not. […]

  10. Darix Says:

    interesting

    ——————
    http://privacy.emigrantas.com - all about privacy in the Internet

  11. Ashish Says:

    Can we post to craigslist using TOR and Privoxy? Can anyone give the tips of using these with Craigslist posting so that I can post some ads on the board?

  12. Sanjay Says:

    Hi Ashish, I tried many things such as Torpark, Vidalia, xB Browser and also many free proxies but they didn’t work. I only received ghosts. Although sometimes I successfully posted a few ads in “Chicago”, but it happened with dial-up. If anyone knows the whole method for foreigners to post in US cities, please tell me. I can even pay for it $$.

  13. iR Says:

    You could block .onions with Privoxy easily enough using the same means it blocks ads. Or even route them to a non-existent proxy.
    –iR