+ Reply to Thread
Results 1 to 6 of 6

Thread: Little Trick To Improve Privacy When Using Proxies Extensions On FF

  1. #1
    Advanced User Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    581
    Activity Longevity
    0/20 19/20
    Today Posts
    0/5 ssssss581

    Little Trick To Improve Privacy When Using Proxies Extensions On FF

    I recently was testing different proxies ("vpn"...) extensions on FF, and I realized that sometimes, while launching and just after, the browser was able to perform some direct internet conections, bypassing the proxy extension in use.

    This is quite bad, because this allows some kind of correlation attack defeating the privacy/anonymity purpose of proxy usage.


    This behavior is linked to a 4 year old FF bug.



    But there is a workaround to this issue, consisting in setting up a "proxy kill switch": Settings -> Network settings and here, define a fake local proxy (such as 127.0.0.1: <random non used port>).

    So, before the proxy extension kicks in, all internet connection will be blocked and no leak bypassing the proxy will happen.


    I have not tested whether the same issue appears on Chrome.
    Last edited by Renk; 01.09.22 at 16:29.
    Primo Avulso Non Deficit Alter
    Reply With QuoteReply With Quote
    Thanks

  2. Who Said Thanks:

    Mon (14.09.22) , Instab (02.09.22) , anon (02.09.22) , Rupel89yt (01.09.22) , hazz030 (01.09.22) , JohnareyouOK (01.09.22)

  3. #2
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Nice catch. Did you try passing -offline to firefox.exe? This sets offline mode very early on startup, so it should also work and would be a cleaner solution if it does. Also, 0.0.0.0 is a better choice for the fake proxy on Windows as it will always fail immediately. (And this method can also be used to dupe a lot of software into not verifying your clandestine unauthorized pirate illegal registration data )

    Chrome has no offline mode, except for individual tabs and if the developer console is open. Adding one or more of these to the command line may be equivalent in this scenario.

    Code:
    --disable-background-networking
    --host-resolver-rules="MAP * ~NOTFOUND, EXCLUDE 127.0.0.1"
    --proxy-server="socks5://0.0.0.0:1080"
    Note I haven't used Chrome in two years Its network stack was moved to a separate process at some point, so the parameters above may have changed names or no longer exist. You may have to experiment and check for side effects...
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  4. Who Said Thanks:

    Renk (12.09.22)

  5. #3

    Join Date
    16.01.10
    Location
    Mars
    P2P Client
    Nokia 6310
    Posts
    61
    Activity Longevity
    0/20 17/20
    Today Posts
    0/5 sssssss61
    Quote Originally Posted by anon View Post
    Nice catch. Did you try passing -offline to firefox.exe? This sets offline mode very early on startup, so it should also work and would be a cleaner solution if it does. Also, 0.0.0.0 is a better choice for the fake proxy on Windows as it will always fail immediately. (And this method can also be used to dupe a lot of software into not verifying your clandestine unauthorized pirate illegal registration data )

    Chrome has no offline mode, except for individual tabs and if the developer console is open. Adding one or more of these to the command line may be equivalent in this scenario.

    Code:
    --disable-background-networking
    --host-resolver-rules="MAP * ~NOTFOUND, EXCLUDE 127.0.0.1"
    --proxy-server="socks5://0.0.0.0:1080"
    Note I haven't used Chrome in two years Its network stack was moved to a separate process at some point, so the parameters above may have changed names or no longer exist. You may have to experiment and check for side effects...
    how the heck do you know all these small stuff anon.... did you read all the source code or something?
    Reply With QuoteReply With Quote
    Thanks

  6. #4
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Not all of it, just the relevant parts. For Chromium in particular, command line switches are neatly listed and explained in just a few files dedicated exclusively to that... and documentation exists, too.

    https://www.chromium.org/developers/...k/socks-proxy/
    https://chromium.googlesource.com/ch.../dns/README.md
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  7. #5
    Advanced User Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    581
    Activity Longevity
    0/20 19/20
    Today Posts
    0/5 ssssss581
    Quote Originally Posted by anon View Post
    Nice catch. Did you try passing -offline to firefox?exe? This sets offline mode very early on startup, so it should also work and would be a cleaner solution if it does.
    I tested that too. It's indeed a cleaner solution, but less convenient for me: I always have after aunch to click <File> then to uncheck <work offline> to be able to browse the web. The "proxy" solution doesn't need this 2 click.

    But what made me I definitely prefered the "proxy" solution is that this solution protects me throughout the whote session. In particular, I realized that this method fixes the DnsLeak problem (I previously wrote about here) encountered when using proxy alongside some extensions or when checking some extension's option, such that canonical names uncloacking in uBlockO.



    Also, 0.0.0.0 is a better choice for the fake proxy on Windows as it will always fail immediately. (And this method can also be used to dupe a lot of software into not verifying your clandestine unauthorized pirate illegal registration data )
    Definitely, and after reading your post I adopted this solution.

    (For those still not convinced that using 0.0.0.0 in this context and 127.0.0.1 are very different things, just test it in pinging 127.0.0.1:<fake port> and 0.0.0.0:<fake port>).

    It's just I sometimes hesitate to use 0.0.0.0 because of it's polysemia, as it means "nothing" in some contexts, and "every IP" in others....
    Last edited by Renk; 13.09.22 at 00:07.
    Primo Avulso Non Deficit Alter
    Reply With QuoteReply With Quote
    Thanks

  8. #6
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,385
    Activity Longevity
    11/20 19/20
    Today Posts
    4/5 ssss39385
    Quote Originally Posted by Renk View Post
    I tested that too. It's indeed a cleaner solution, but less convenient for me: I always have after aunch to click <File> then to uncheck <work offline> to be able to browse the web. The "proxy" solution doesn't need this 2 click.
    Decisions, decisions! Firefox is the only browser that still has a fully functional offline mode, and I thought I'd show some love for it before Mozilla removes it arguing that "according telemetry data only 0.87% of installs used this feature in the last 3 months".

    But what made me I definitely prefered the "proxy" solution is that this solution protects me throughout the whote session. In particular, I realized that this method fixes the DnsLeak problem (I previously wrote about here) encountered when using proxy alongside some extensions or when checking some extension's option, such that canonical names uncloacking in uBlockO.
    I wonder if there's a specific reason I didn't recommend network.dns.disabled in that thread... but since the fake proxy catches both startup leaks and this, it would be the better way in any case.

    Spoiler For some reason I didn't mention these there either...:
    Code:
    REGEDIT4
    
    ; Disable multicast DNS
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
    "EnableMulticast"=dword:00000000
    
    ; Disable Smart Multi-Homed Name Resolution (Windows 8.x and above)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
    "DisableSmartNameResolution"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
    "DisableParallelAandAAAA"=dword:00000001
    
    ; Disable Chromium built-in DNS client
    [HKEY_LOCAL_MACHINE\Software\Policies\Chromium]
    "BuiltInDnsClientEnabled"=dword:00000000

    It's just I sometimes hesitate to use 0.0.0.0 because of it's polysemia, as it means "nothing" in some contexts, and "every IP" in others....
    And also "this computer", as far as DHCP and the Unix network stack are concerned.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  9. Who Said Thanks:

    Renk (13.09.22)

+ Reply to Thread

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •