Insecure instructions for using ZeroNet with Tor Browser #84
Comments
|
Onion: Can requests to 127.0.0.1 be used to fingerprint the browser? / clearnet issue at Tor issue tracker, it seems that this was reported five years ago as a bug and connections to 127.0.0.1 were blocked by default 4 years ago. I encountered this issue by accident while searching for different information. |
|
Thanks for reporting. Is it possible to only allow clearnet connections to localhost on port 43110? If not doable in Firefox, perhaps it is possible to create an exception in Tor's torrc config file. |
If it is, I am not seeing the way to do that as setting "no proxy for" to My first thought before I opened this issue was making ZeroNet listen on 127.0.0.2, but I was still able to access everything on 127.0.0.1, I don't know if Firefox has special treatment for 127.* addresses. |
How to use ZeroNet in Tor browser? advices telling TB to not send traffic to 127.0.1 through Tor. While this is required for ZeroNet to work, this might also allow malicious sites to fetch content from other ports and allow fingerprinting users.
I am thinking of http://127.0.0.1:631 which is CUPS/printing web interface (often used in Linux, macOS), http://127.0.0.1:8080/ can be anything (IPFS uses it by default, I have Syncthing there, I think µTorrent also uses it for remote UI), transmission-daemon uses 9091 if I recall correctly.
The text was updated successfully, but these errors were encountered: