Audit polipo

A bunch of anonymity, privacy and security issues in Polipo were fixed in Christopher Davis’ branch (git://repo.or.cz/polipo.git) and never merged upstream.

Even if we have stopped using polipo in iceweasel (#5776 (closed)), we should check if these issues affect Tails… unless we replace polipo with privoxy? (#5379 (closed))

{{toc}}

dontIdentifyToClients

Christopher added the dontIdentifyToClients option (commits: 80b45940, be116b5, c78beb81) to fix bug #1082 on Tor Project’s Trac. When set to true, "Polipo tries to avoid transmitting local host name, port, and time zone".

1. hostname and port: Tails sets proxyName = "localhost" and proxyPort = 8118 just like the Tor Browser Bundle does => nothing critical could be leaked - at worse, leaking this information restricts the practical anonymity set to the best one Tails can try putting its users into => non-issue.
2. Leaking timezone information to the outside world would be much more annoying: Tails’ web browser has been trying to spoof a EN-US browser since 0.7 for a reason. However, that information can only be transmitted to a HTTP client connected to Polipo; practically speaking, such a client can be any non-SOCKS-aware applications shipped in Tails; most have other means to gather that information anyway, but e.g. untrusted JavaScript in the web browser might be used to access the aforementioned information and leak it => research how to fix this (probably by patching Polipo and pushing that patch upstream and/or to Debian; avoiding to ship Polipo at all would be even better, but we’re not here yet)

Tails Git devel branch sets UTC timezone for everybody, so the timezone leaking issue becomes much less relevant.

others?

Security issues that were not privacy-related have supposedly already been applied to the 1.0.4.1-1.1 polipo package shipped in Debian Squeeze. This should be double-checked, though => research.

Parent Task: #5769

Related issues

• Related to #5379 (closed)

Original created by @tails on 6115 (Redmine)