Torpark anonymous web browser: a good start that needs help
Torpark is a version of Firefox for Windows with a built-in Tor network client. It’s designed to simplify anonymous web browsing. It’s a good start but doesn’t provide the degree of anonymity a true anonymous web browser should.
The Tor network attempts to anonymize communications in two ways: first it uses SSL to encrypt traffic between your Tor client and the Tor proxy servers. Your network administrator or ISP will be able to tell you’re using Tor, but won’t be able to see what content you’re accessing. Second, the Tor proxy your communications exit from changes every few minutes, making tracking actions by IP address unreliable.
Normally to use Tor you have to obtain and install a Tor client then configure your browser to use it as a proxy. It’s not difficult to install Tor but you need admin rights. The benefit of Torpark is it integrates the client into Portable Firefox: no admin rights or installation needed, plus you can run it from removable media like a USB flash drive.
So how does Torpark hold up for anonymous web browsing? Using a few basic sniffing tools and the fantastic Browser Spy tests at gemal.dk we took a quick look:
Basic configuration
The browser code is Firefox 1.5.0.7 (the latest when this article was written) and has all the normal configuration options of Firefox.
To help reduce traces on the local computer (and to help it run from flash media), the Firefox config options you’d expect to be disabled have been:
- No disk cache
- No browser history
- No saved forms
- No saved passwords
- Download history removed upon successful download
- Cookies deleted when Firefox closes
DNS
The regular Tor client functions as a Socks proxy, which is a generic proxy protocol. However, many web browsers and other apps don’t send DNS requests through Socks. Instead, name-to-IP translation is done using your local network’s DNS, meaning it can be tracked. So depending on your browser when you visit “www.naughtyfarmanimals.com” (or whatever site you want to hide from your employer/ ISP/ government) using the normal Tor client your network admin or ISP can’t see any pictures downloaded, but they could see that you’ve made a DNS request for that site, followed by lots of data downloaded from Tor servers.
To avoid that you need to use an HTTP proxy like Privoxy to make sure DNS requests are also sent through Tor. The standard Tor client download for Windows includes Privoxy, but again you need administrator rights to install it (see the TorFAQ for details).
Since Torpark has the Tor client built into Firefox, no separate Socks proxy is needed and there is no DNS leakage. I confirmed this by capturing local Torpark traffic using tcpdump and Wireshark: when Tor was enabled Torpark made no DNS requests to my network’s local DNS servers.
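The capture check described above can be automated. The following is an added example, not part of the original article or of Torpark: it scans the text output of `tcpdump -n` for DNS queries that leave the machine. The capture lines, addresses and relay port are constructed samples.

```python
import ipaddress
import re

# One DNS query line as printed by `tcpdump -n` (destination port 53).
QUERY_RE = re.compile(
    r"IP6? \S+ > (?P<dst>\S+)\.53: "
    r"\d+\S*(?: \[[^\]]*\])? (?P<qtype>[A-Za-z0-9]+)\? (?P<name>\S+?)\.? \("
)

def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; unparsable addresses count as remote."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def find_dns_leaks(capture_text):
    """Return (resolver, qtype, name) for every DNS query sent off-host."""
    leaks = []
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m and not is_loopback(m["dst"]):
            leaks.append((m["dst"], m["qtype"], m["name"]))
    return leaks

# Constructed capture: the browser resolves names itself, Tor carries only HTTP.
CAPTURE_LEAKING = """\
10:15:01.100001 IP 192.168.1.10.51234 > 192.168.1.1.53: 4242+ A? www.example.com. (33)
10:15:01.130002 IP 192.168.1.1.53 > 192.168.1.10.51234: 4242 1/0/0 A 192.0.2.80 (49)
10:15:01.140003 IP 192.168.1.10.51300 > 192.168.1.1.53: 4243+ [1au] AAAA? www.example.com. (44)
10:15:01.200004 IP 192.168.1.10.49200 > 198.51.100.7.9001: Flags [P.], seq 1:518, ack 1, win 256, length 517
"""

# Constructed capture: only encrypted relay traffic leaves the machine.
CAPTURE_CLEAN = """\
10:20:01.100001 IP 192.168.1.10.49200 > 198.51.100.7.9001: Flags [P.], seq 1:518, ack 1, win 256, length 517
10:20:01.150002 IP 198.51.100.7.9001 > 192.168.1.10.49200: Flags [.], ack 518, win 256, length 0
"""

if __name__ == "__main__":
    for label, text in (("leaking", CAPTURE_LEAKING), ("clean", CAPTURE_CLEAN)):
        leaks = find_dns_leaks(text)
        print(label, "->", leaks if leaks else "no DNS queries on the wire")
```

An empty result for a capture taken while browsing is the outcome reported above for Torpark with Tor enabled.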
Start page
The start page in Torpark is set to www.google.com, so when you first fire up the browser you get a nice bunch of Google tracking cookies installed. The default cookie setting is to accept all cookies and keep them until Torpark is closed. Given the number of sites that use Adsense, Google Analytics and other Google products, this is more than enough for Google to track which sites you visit, despite the IP anonymity provided by Tor. The Torpark start page should be set to blank and if you really wish to stay anonymous, uncheck “Allow sites to set cookies” in the browser’s privacy settings.
Flash
Torpark does not come with Flash Player installed. That’s good since Flash is widely used to leave a form of tracking cookie behind that is not cleared when Firefox exits. Flash can also gather other identifying information about you and your computer, including your real IP address.
Of course, the first time you visit a web site that uses Flash you are prompted to download Flash Player, but if you’re wary enough to be using Torpark in the first place hopefully you know better than to let untrusted sites run Flash. If some sites you use require Flash, install the FlashBlock extension to selectively control which Flash animations can run and use the Flash Settings Manager to disable Flash “local storage” and other unwanted capabilities.
Java and Javascript
Java and Javascript are both enabled in Torpark by default. The Javascript interpreter is built into Firefox, but a Java virtual machine must already be installed on your machine for Java applets to run.
A malicious web site can use Javascript for various evil activities, including a crude form of port scanning of your local network. Java is capable of asking your machine what its real IP address is, regardless of which Tor server the request is sent through. If your machine uses a real (i.e. not RFC 1918) IP, a Java applet can send that information back to the originating server, defeating the anonymity of Tor.
Browsing without Javascript is becoming less viable as sites increasingly rely on things like Ajax. However you probably want to activate the NoScript extension (included with Torpark but disabled by default) to control which sites are allowed to run Javascript.
Java can usually be kept disabled and it should be if you want to stay anonymous when surfing untrusted web sites. NoScript can also control the use of Java applets on a site-by-site basis.
HTTP Headers
Torpark seems to send exactly the same HTTP request headers as normal Firefox: http_referer, User agent, operating system info, time zone, etc. are all there. Depending on your level of paranoia, revealing your time zone, browser version and OS may be too much. It also gives away info to hostile web sites that craft exploits based on your browser and OS to install malicious software.
Firefox extensions to the rescue again: consider installing Modify Headers or User Agent Switcher and alter the user-agent header to a different browser and operating system. However, keep in mind that any site allowed to run Javascript, Java or Flash can use those to obtain your real browser and OS information directly.
The http_referer header shows web site owners where you’ve been. Each time you click a link, your browser sends the URL the link was on in http_referer. Site owners record that information to see what site you were viewing before you came to their site. It also lets site owners construct a “click trail” of how you navigate around their site.
You can’t just delete http_referer: many sites check it to prevent abuse such as direct linking to images. Deleting it causes interesting problems with many sites. To keep those sites happy, one trick that often works is to re-write http_referer to be the topmost URL of the current web site.
The Modify Headers Firefox extension can’t re-write headers yet, but an extension named RefControl can: install it and in RefControl’s options change the setting for “default for sites not listed” to “Forge: send the root of this site”. Web sites won’t be able to see what URL you clicked that brought you to them, and they will have a more difficult time tracking your navigation.
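What the "send the root of this site" rewrite amounts to, together with the user-agent substitution suggested earlier, as an added example (not RefControl's or Torpark's own code). The function names, the placeholder user-agent value and the choice to always send a Referer are assumptions of this sketch.

```python
from urllib.parse import urlsplit

GENERIC_UA = "Mozilla/5.0 (compatible)"  # constructed placeholder value
DEFAULT_PORTS = {"http": 80, "https": 443}

def site_root(url):
    """Topmost URL of the site being requested, e.g. http://host/ ."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    host = parts.hostname              # lower-cased, user:password@ dropped
    if ":" in host:                    # IPv6 literal needs its brackets back
        host = "[%s]" % host
    port = parts.port
    if port not in (None, DEFAULT_PORTS[parts.scheme]):
        host = "%s:%d" % (host, port)  # keep only a non-default port
    return "%s://%s/" % (parts.scheme, host)

def sanitize_headers(request_url, headers, user_agent=GENERIC_UA):
    """Copy headers, forging Referer and replacing User-Agent."""
    out = {}
    for name, value in headers.items():
        if name.lower() not in ("referer", "user-agent"):
            out[name] = value
    # Assumption: always send a Referer, so sites that check it keep working.
    out["Referer"] = site_root(request_url)
    out["User-Agent"] = user_agent
    return out

# Constructed request: a click from a search result page to an image.
SAMPLE_HEADERS = {
    "Referer": "http://search.example/results?q=private+query",
    "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) "
                  "Gecko/20060909 Firefox/1.5.0.7",
    "Accept": "*/*",
}

if __name__ == "__main__":
    url = "http://www.example.com:8080/gallery/img1.jpg"
    for name, value in sanitize_headers(url, SAMPLE_HEADERS).items():
        print("%s: %s" % (name, value))
```

The forged value is derived from the destination URL only, so neither the previous site nor the path of the previous page on the same site is disclosed.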
Conclusions
Torpark makes using the Tor network much more accessible and that’s a great accomplishment. However the claim about anonymous browsing is overstated. There is much more to anonymous web browsing than encryption and random IP addresses.
I was expecting at least some sanitization of HTTP headers, especially http_referer, and better default settings for the start page and cookies.
Fortunately, the flexibility of Firefox and the excellent work of individuals in the community writing Firefox extensions makes it fairly easy to turn the basic Torpark into the anonymous browser it claims to be:
- Change the start page to “blank” or to one that you trust
- Uncheck “Allow sites to set cookies”
- Activate the included NoScript extension to control which sites can use Java and Javascript.
- Install Modify Headers or User Agent Switcher and change your user-agent header to disguise your browser version and operating system.
- Install the RefControl extension to rewrite http_referer to be the base URL of each web site.
By making these changes to the default Torpark, the browser really can become a viable anonymous browser.
Update: Torpark is now XeroBank Browser and is much improved. My review is here.
2 Responses to “Torpark anonymous web browser: a good start that needs help”:
September 26th, 2006 at 4:32 pm
Even though Torpark is a portable application, there are many people who might be interested in trying it out who are not comfortable with a “no install” installation. Thus, I have created a Torpark installer and a step-by-step guide for using it.
If anyone is interested, the installer and guide are available from http://www.dailycupoftech.com/?page_id=165.
October 21st, 2006 at 9:55 am
[...] At http://www.torrify.com/ you can find the latest version, Torpark 1.5.0.7, containing basic settings and extensions. You can also change them as described at http://advosys.ca/viewpoints/2006/09/torpark-quick-look/ It is not always available, so I decided to describe those changes here. Namely: [...]