I wrote a review of the original product last year and even created an enhanced version that improved privacy protections. Now so it’s time for an update to see what’s improved:

Basic configuration

When this article was written, XeroBank Browser was based on Firefox 2.0.0.4. That’s good because the previous Torpark product was stuck at 1.5.0.7 for many months, leaving users exposed to several security vulnerabilities discovered in that version of Firefox.

As with Torpark, XeroBank Browser strives to reduce info left behind on the host computer by changing the following standard Firefox config options:

• No disk cache
• No browser history
• No saved forms
• No saved passwords
• Download history removed upon successful download
• Cookies accepted from all sites (except yahoo.com) then deleted when the browser closes
• Checking for updates to Firefox, extensions and search engine options is also disabled.

DNS

As before, since Torpark has a Tor client built into the browser, no separate Socks proxy is needed to prevent leakage of DNS requested onto the local network. As confirmed confirmed this using tcpdump, all DNS requests are properly tunnelled out to Tor so the local network admin cannot trace where you are browsing by capturing DNS lookups.

Start page

In Torpark the browser automatically loaded www.google.com at startup, meaning you started off with several Google cookies that could be used to track you. This is fixed in XeroBank Browser: it now loads an info page at xerobank.com. Conceivably the folks at Xerobank could use this to install their own cookies so it’s still best to change this setting to start the browser with a blank page.

Flash and other plugins

The browser does not come with Flash Player installed, which is a good thing for both security and privacy. Flash can store a form of cookie that is not cleared when the browser exits. Flash can also be used to gather a great deal of other identifying information, including your actual IP address.

Java and Javascript are now both disabled by default in XeroBank… not by the Firefox options but rather by using the NoScript extension. NoScript was also included with Torpark, but was disabled by default, allowing Javascript and Java to run.

HTTP Headers

The browser seems to send exactly the same HTTP request headers as normal Firefox: http_referer, User agent, operating system info, etc. are all there. However, this time the PrefBar extension is installed with two options enabled on the toolbar: change user agent and disable loading of images. This lets you easily send a fake user agent to the web sever. Providing an easy way to disabling images is a nice touch… loading graphics-heavy pages through Tor can be painfully slow, so this provides a quick way to just see the text.

Though not enabled by default, PrefBar also provides a way to control sending of the http_referer header, which discloses to web site owners the previous site you were viewing before you came to their site.

The RefControl extension is better for controlling http_referer: in addition to enabling and disabling that header, RefControl allows you to forge the header to the top URL of the site you’re on, and optionally whitelist the referrer for sites you trust. Unfortunately, RefControl is not included with XeroBank Browser.

Conclusions

XeroBank Browser is an incremental improvement to the original Torpark. The default settings are much better at protecting privacy. Hopefully the product will also be kept up to date as new versions of Firefox and the Tor client are released, which Torpark unfortunately was not.

Torpark Enhanced: The shortcomings in the original Torpark were such that we created a version with better default settings and the RefControl extension and called it “Torpark Enhanced “. Now that XeroBank Browser uses the current version of Firefox, and has more sensible default settings there is no need for our enhanced version. Given the published vulnerabilities in Firefox 1.5.0.7 on which Torpark Enhanced was based, using it could even be dangerous. As such, Torpark Enhanced is no longer be available for download. Instead, download XeroBank Browser and install RefControl.

Related posts:

• Torpark anonymous web browser: a good start that needs help
• Torpark Enhanced
• Finding the real address of Tor clients

From the paper:

Rather than attempting to exploit weaknesses in Tor, we make use of technology that 99% of the people browsing the web will have enabled: Javascript and Flash. There are two techniques we used:

1. Causing a web-browser using Tor to "phone home", outside the Tor network
2. Causing a web-browser using Tor "phone home", inside the Tor network, and deliver uniquely-identifying about the client, such as the computer’s hostname and IP address

I recently discussed how Javascript, Flash and other components of the Tor-enabled web browser Torpark could be used to identify you, and also created an improved version of Torpark to improve anonymity.

The paper describes a man in the middle attack using a subverted Tor exit node to inject send Javascript and ultimately a Flash application to the victim. However any web site could easily use the same method without needing to run a Tor exit node.

Flash applications can make direct HTTP requests (i.e. not using the host browser’s Tor connection), so a web site can send a Flash application back to a torrified browser that will then connect directly to that same web site. Combine with a unique tracking cookie and bingo… the web site has just mapped the real IP and hostname of the Tor user.

Conclusions of the paper: turn off Flash, Javascript, and just about everything else, ensure your DNS requests are being tunneled through Tor (Torpark does this for you), use SSL where possible to prevent third party alteration of traffic, and use text-based browsers like Lynx when possible.

Related posts:

• Torpark Enhanced
• Torpark is now XeroBank Browser
• Torpark anonymous web browser: a good start that needs help

Also to save time and effort for those interested, I’ve put all the changes recommended in that post together into a self-extracting archive called “Torpark Enhanced”:

• Torpark Enhanced.exe (md5sum) Removed: see below

This is the Topark self-extracting archive from the official Torpark site with the following changes:

• Set the Torpark start page to blank.
• Unchecked firefox setting “Allow cookies”.
• Enabled the included NoScript extension to block Javascript, Java, flash and other plugins. You can selectively enable these on a site-by-site basis in the settings of the extension.
• Installed the Modify headers extension and configured it to change HTTP_USER_AGENT to Opera 9.0 on a Macintosh (“Opera/9.0 (Macintosh; PPC Mac OS X; U; en)”)
• Installed the RefControl extension and configured the default action to “FORGE: send root of this site”. You can selectively customize this on a site-by-site basis using the settings of the extension.

These changes make the Torpark browser much more effective at protecting privacy. No warranties though… use at your own risk.

Update: Torpark has been updated and renamed XeroBank Browser by the original authors. The default settings are much better so there is no longer a need for Torpark Enhanced. Please download XeroBank Browser instead.

Related posts:

• Torpark is now XeroBank Browser
• Torpark anonymous web browser: a good start that needs help
• Finding the real address of Tor clients

The Tor network attempts to anonymize communications in two ways: first it uses SSL to encrypt traffic between your Tor client and the Tor proxy servers. Your network administrator or ISP will be able to tell you’re using Tor, but won’t be able to see what content you’re accessing. Second, the tor proxy your communications exit from changes every few minutes, making tracking actions by IP address unreliable.

Normally to use Tor you have to obtain and install a Tor client then configure your browser to use it as a proxy. It’s not difficult to install Tor but you need admin rights . The benefit of Torpark is it integrates the client into Portable Firefox… admin rights or installation needed, plus you can run it from removable media like a USB flash drive.

So how does Torpark hold up for anonymous web browsing? Using a few basic sniffing tools and the fantastic Browser Spy tests at gemal.dk we took a quick look:

Basic configuration

The browser code is Firefox 1.5.0.7 (the latest when this article was written) and has all the normal configuration options of Firefox.

To help reduce traces on the local computer (and to help it run from flash media), the Firefox config options you’d expect to be disabled have been:

• No disk cache
• No browser history
• No saved forms
• No saved passwords
• Download history removed upon successful download
• Cookies deleted when Firefox closes

DNS

The regular Tor client functions as a Socks proxy, which is a generic proxy protocol. However, many web browsers and other apps don’t send DNS requests through Socks. Instead, name-to-IP translation is done using your local network’s DNS, meaning it can be tracked. So depending on your browser when you visit “www.naughtyfarmanimals.com” (or whatever site you want to hide from your employer/ ISP/ government) using the normal Tor client your network admin or ISP can’t see any pictures downloaded, but they could see that you’ve made a DNS request for that site, followed by lots of data downloaded from Tor servers.

To avoid that you need to use an HTTP proxy like Privoxy to make sure DNS requests are also sent through Tor. The standard Tor client download for Windows includes Prixovy, but again you need to administrator rights to install it that (see the TorFAQ for details).

Since Torpark has the Tor client built into Firefox, no separate Socks proxy is needed and there is no DNS leakage. I confirmed this by capturing local Torpark traffic using tcpdump and Wireshark: when Tor was enabled Torpark made no DNS requests to my network’s local DNS servers.

Start page

The start page in Torpark is set to www.google.com, so when you first fire up the browser you get a nice bunch of Google tracking cookies installed. The default cookie setting is to accept all cookies and keep them until Torpark is closed. Given the number of sites that use Adsense, Google Analytics and other Google products, this is more than enough for google to track which sites you visit, despite the IP anonymity provided by Tor. The Torpark start page should be set to blank and if you really wish to stay anonymous, uncheck “Allow sites to set cookies” in the browser’s privacy settings.

Flash

Torpark does not come with Flash Player installed. That’s good since Flash is widely used to leave a form of tracking cookie behind that is not cleared when Firefox exits. Flash can also gather other identifying information about you and your computer, including your real IP address.

Of course, the first time you visit a web site that uses Flash you are prompted to download Flash Player, but if you’re wary enough to be using Torpark in the first place hopefully you know better than to let untrusted sites run Flash. If some sites you use require flash, install the FlashBlock extension to selectively control which Flash animations can run and use the Flash Settings Manager to disable flash “local storage” and other unwanted capabilities.

Java and Javascript

Java and Javascript are both enabled in Torpark by default. Javascript interpreter is built into Firefox, but a Java virtual machine must already be installed on your machine for Java applets to run.

A malicious web site can use Javascript for various evil activities, including a crude form of port scanning of your local network. Java is capable of asking your machine what it’s real IP address regardless of which Tor server the request is sent through. If your machine uses a real (i.e. not RFC 1918) IP, a java applet can sent that information back to the originating server, defeating the anonymity of Tor.

Browsing without Javascript is becoming less viable as sites increasingly rely on things like Ajax. However you probably want to activate the NoScript extension (included with Torpark but disabled by default) to control which sites are allowed to run Javascript.

Java can usually be kept disabled and it should be if you want to stay anonymous when surfing untrusted web sites. Noscript can also control the use of Java applets on a site-by-site basis.

HTTP Headers

Torpark seems to send exactly the same HTTP request headers as normal Firefox: http_referer, User agent, operating system info, time zone, etc. are all there. Depending on your level paranoia, revealing your time zone, browser version and OS may be too much. It also give away info to hostile web sites that craft exploits based on your browser and OS to install malicious software.

Firefox extensions to the rescue again: consider installing Modify Headers or User Agent Switcher and alter the user-agent header to a different browser and operating system. However, keep in mind that any site allowed to run Javascript, Java or Flash can use those to obtain your real browser and OS information directly.

The http_referer header shows web site owners where you’ve been. Each time you click a link, your browser sends the URL the link was on in http_referer. Site owners record that information to see what site you were viewing before you came to their site. It also lets site owners contruct a “click trail” of how you navigate around their site.

You can’t just delete http_referer: many sites check it to prevent abuse such as direct linking to images. Deleting it causes interesting problems with many sites. To keep those sites happy, one trick that often works is to re-write http_referer to be the topmost URL of the current web site.

The Modify Headers Firefox extension can’t re-write headers yet, but an extension named RefControl can: install it and in RefControl’s options change the setting for “default for sites not listed” to “Forge: send the root of this site”. Web sites won’t be able to see what URL you clicked that brought you to them, and they will have a more difficult time tracking your navigation.

Conclusions

Torpark makes using the Tor network much more accessible and that’s a great accomplishment. However the claim about anonymous browsing is overstated. There is much more to anonymous web browsing than encryption and random IP addresses.

I was expecting at least some sanitization of HTTP headers, especially http_referer, and better default settings for the start page and cookies.

Fortunately, the flexibility of Firefox and the excellent work of individuals in the community writing Firefox extensions makes it fairly easy to turn the basic Torpark into the anonymous browser it claims to be:

1. Change the start page to “blank” or to one that you trust
2. Uncheck “Allow sites to set cookies”
3. Activate the included NoScript extension to control which sites can use Java and Javascript.
4. Install Modify Headers or User Agent Switcher and change your user-agent header to disguise your browser version and operating system.
5. Install the RefControl extension to rewrite http_referer to be the base URL of the each web site.

By making these changes to the default Topark, the browser really can become a viable anonymous browser.

Update: Torpark is now XeroBank Browser and is much improved. My review is here .

Related posts:

• Torpark is now XeroBank Browser
• Torpark Enhanced
• Finding the real address of Tor clients

If it goes forward it will be good news for consumers, though unfortunately the proposal would only apply to telcos and not all companies. Laws like this that embarrass and lower confidence in companies are a strong motivator to get them to better protect customer data.

The notification laws in many of the U.S. States has started to have a positive effect in reducing workers walking around with sensitive data on laptops and other accidents waiting to happen. I suspect all the publicity has also helped motivate other jurisdictions to introduce their own notification laws, and make it easier for such laws to be adopted.

All nations should have such laws. I downloaded the attrition data loss database and was dismayed to see see that of the 365 entries, only four were from Canada. There have been far more than that in this country, like the recent loss of data tapes in British Columbia. Unfortunately, Canadians only hear about breaches when the company involved is a multi-national subject to a U.S. notification law, or an auditor forces a government to come clean.

Of course, unauthorized disclosure of sensitive data has been going on for decades, even before computers. Breaches only seem like an epidemic now because of the recent laws. However with computer systems replacing human judgement in so many types of transactions, the damage that can be done using stolen personal data is now much greater than ever before.

Some will argue that it’s all excitement over nothing… that few of these events actually result in the data being used in “identify theft” and other fraud.

One problem with that thinking is it’s impossible to really measure resulting fraud… companies who’ve allowed a breach to occur aren’t required to report such things and have no reason to keep track of it. They’re also hardly likely to publicize such information even if they did track it. Also, misuse can occur months and years after the initial breach, possibly multiple times with the data trading hands many times over years.

Besides, when a breach concerns sensitive personal information like medical conditions, income or whether you’ve ever been on welfare, it’s the loss of privacy that matters.

Hopefully the EC proposal will be adopted and eventually expanded to cover more types of companies, and more places start compelling the disclosure of data breaches. Notification give those affected a chance to do things to protect themselves, and most importantly it motivates organizations to better protect their customer’s sensitive data.

Related posts:

• Attrition.org releases “data loss database”
• Notes on Secure Mississauga 2007
• U.S Commerce department loses 17 laptops a month?