You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Serious security issue: the proxy option is only used by some connections. This is the netstat of a session: java 123 user 0t0 TCP myhostnme:50300->lhr25s07-in-f1.1e100.net http (ESTAB) java 123 user 0t0 TCP localhost:50105->localhost 8118 (ESTAB) java 123 user 0t0 TCP myhostnme:32365->lhr25s07-in-f1.1e100.net https (ESTAB) java 123 user 0t0 TCP myhostnme:32366->lhr25s07-in-f1.1e100.net https (ESTAB) java 123 user 0t0 TCP myhostnme:32367->lhr25s07-in-f1.1e100.net https (ESTAB) java 123 user 0t0 TCP myhostnme:54313->lhr25s07-in-f1.1e100.net http (ESTAB) java 123 user 0t0 TCP localhost:50105->localhost 8118 (CLOSE_WAIT)
Notice all the connections directly from myhostnme to google. Only two connections actually use the proxy.
Also, it's very insecure to have users create a network.cfg file, and then have to trust/hope that it will be found and used. This exposes all real IPs of all users the first time the program executes, because the credentials.cfg must be created first, so that network.cfg can be put in the same directory for the next run. The format of credentials.cfg is also undocumented, so even cautious users have no way of pre-empting the leak.
At a bare minimum, there needs to be a commandline switch so a user can dictate that everything fail if a proxy connection is not established for any reason.
The text was updated successfully, but these errors were encountered:
Serious security issue: the proxy option is only used by some connections. This is the netstat of a session:
java 123 user 0t0 TCP myhostnme:50300->lhr25s07-in-f1.1e100.net http (ESTAB) java 123 user 0t0 TCP localhost:50105->localhost 8118 (ESTAB) java 123 user 0t0 TCP myhostnme:32365->lhr25s07-in-f1.1e100.net https (ESTAB) java 123 user 0t0 TCP myhostnme:32366->lhr25s07-in-f1.1e100.net https (ESTAB) java 123 user 0t0 TCP myhostnme:32367->lhr25s07-in-f1.1e100.net https (ESTAB) java 123 user 0t0 TCP myhostnme:54313->lhr25s07-in-f1.1e100.net http (ESTAB) java 123 user 0t0 TCP localhost:50105->localhost 8118 (CLOSE_WAIT)Notice all the connections directly from myhostnme to google. Only two connections actually use the proxy.
Also, it's very insecure to have users create a network.cfg file, and then have to trust/hope that it will be found and used. This exposes all real IPs of all users the first time the program executes, because the credentials.cfg must be created first, so that network.cfg can be put in the same directory for the next run. The format of credentials.cfg is also undocumented, so even cautious users have no way of pre-empting the leak.
At a bare minimum, there needs to be a commandline switch so a user can dictate that everything fail if a proxy connection is not established for any reason.
The text was updated successfully, but these errors were encountered: