HelloZeroNet/Documentation

Insecure instructions for using ZeroNet with Tor Browser

Open

#84 opened on Sep 23, 2018

View on GitHub
 (3 comments) (0 reactions) (0 assignees)JavaScript (117 forks)github user discovery
help wanted

Repository metrics

Stars
 (79 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

How to use ZeroNet in Tor browser? advices telling TB to not send traffic to 127.0.1 through Tor. While this is required for ZeroNet to work, this might also allow malicious sites to fetch content from other ports and allow fingerprinting users.

I am thinking of http://127.0.0.1:631 which is CUPS/printing web interface (often used in Linux, macOS), http://127.0.0.1:8080/ can be anything (IPFS uses it by default, I have Syncthing there, I think µTorrent also uses it for remote UI), transmission-daemon uses 9091 if I recall correctly.

Contributor guide

Research direction
Review the FAQ documentation on ZeroNet with Tor Browser, identify the insecure instructions (disabling Tor for localhost), and propose a secure alternative with warnings about the risks of localhost exposure.
Tech stack
None
Domain
securitydocumentation
Issue type
Security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
Active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
Clear
Prerequisites
ZeroNetTor BrowserSecurity awareness
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60