Closed
Created Jul 18, 2013 by import-from-Redmine@import-from-Redmine

Audit polipo

Originally created by Tails on #6115 (Redmine)

A bunch of anonymity, privacy and security issues in Polipo were fixed in Christopher Davis’ branch (git://repo.or.cz/polipo.git) and never merged upstream.

Even if we have stopped using polipo in iceweasel (#5776 (closed)), we should check if these issues affect Tails… unless we replace polipo with privoxy? (#5379 (closed))

dontIdentifyToClients

Christopher added the dontIdentifyToClients option (commits: 80b45940, be116b5, c78beb81) to fix bug #1082 on Tor Project’s Trac. When set to true, "Polipo tries to avoid transmitting local host name, port, and time zone".

  1. hostname and port: Tails sets proxyName = "localhost" and proxyPort = 8118 just like the Tor Browser Bundle does => nothing critical could be leaked - at worst, leaking this information restricts the practical anonymity set to the best one Tails can try putting its users into => non-issue.
  2. Leaking timezone information to the outside world would be much more annoying: Tails’ web browser has been trying to spoof an EN-US browser since 0.7 for a reason. However, that information can only be transmitted to an HTTP client connected to Polipo; practically speaking, such a client can be any of the non-SOCKS-aware applications shipped in Tails; most have other means to gather that information anyway, but e.g. untrusted JavaScript in the web browser might be used to access the aforementioned information and leak it => research how to fix this (probably by patching Polipo and pushing that patch upstream and/or to Debian; avoiding shipping Polipo at all would be even better, but we’re not here yet)

Tails Git devel branch sets UTC timezone for everybody, so the timezone leaking issue becomes much less relevant.

others?

Security issues that were not privacy-related have supposedly already been applied to the 1.0.4.1-1.1 polipo package shipped in Debian Squeeze. This should be double-checked, though => research.

Parent Task: #5769 (closed)

Related issues

  • Related to #5379 (closed)
Edited May 15, 2020 by import-from-Redmine
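
The reasoning in the dontIdentifyToClients section can be turned into a configuration check. The following is an added example, not part of the original issue or of Tails or Polipo code; the function names, the sample configurations and the way the system timezone is passed in are assumptions made for illustration.

```python
import re

# Values the issue says Tails sets in its polipo configuration.
EXPECTED = {"proxyName": "localhost", "proxyPort": "8118"}
UTC_NAMES = {"UTC", "Etc/UTC"}

# polipo config lines look like `name = value`; `#` starts a comment.
LINE = re.compile(r'^\s*([A-Za-z]\w*)\s*=\s*(?:"([^"]*)"|([^#\s][^#]*?))\s*(?:#.*)?$')

def parse_polipo_config(text):
    """Return {name: value}; later assignments override earlier ones."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings

def audit(config_text, system_tz):
    """List the identity leaks the issue discusses for this config and timezone."""
    s = parse_polipo_config(config_text)
    findings = []
    for name, want in EXPECTED.items():
        if s.get(name) != want:
            findings.append(f"{name}={s.get(name)!r}, expected {want!r}")
    # dontIdentifyToClients exists only in the patched branch the issue cites.
    hidden = s.get("dontIdentifyToClients", "false").lower() == "true"
    if not hidden and system_tz not in UTC_NAMES:
        findings.append(f"timezone {system_tz!r} may reach HTTP clients of polipo")
    return findings

# Constructed sample inputs (not taken from Tails).
TAILS_LIKE = 'proxyName = "localhost"\nproxyPort = 8118  # Tor Browser Bundle value\n'
RISKY = '# proxyName = "localhost"\nproxyPort = 8123\n'

if __name__ == "__main__":
    for label, cfg, tz in [("tails-like", TAILS_LIKE, "UTC"), ("risky", RISKY, "Europe/Paris")]:
        print(label, audit(cfg, tz) or "no findings")
```
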