Originally created by Tails on #6115 (Redmine)
A bunch of anonymity, privacy and security issues in Polipo were fixed in Christopher Davis’ branch (git://repo.or.cz/polipo.git) and never merged upstream.
Christopher added the
dontIdentifyToClients option (commits: 80b45940,
be116b5, c78beb81) to fix bug #1082 on Tor Project’s
Trac. When set to
true, "Polipo tries to avoid transmitting local host name, port, and
hostname and port: Tails sets
proxyName = "localhost"and
proxyPort = 8118just like the Tor Browser Bundle does => nothing critical could be leaked - at worse, leaking this information restricts the practical anonymity set to the best one Tails can try putting its users into => non-issue.
Tails Git devel branch sets UTC timezone for everybody, so the timezone leaking issue becomes much less relevant.
Security issues that were not privacy-related have supposedly already been applied to the 22.214.171.124-1.1 polipo package shipped in Debian Squeeze. This should be double-checked, though => research.
Parent Task: #5769
- Related to #5379 (closed)