Why your Browser is cheating on you

You’ve installed that proxy chain, you’ve done everything correctly, by the book—you’ve called up your favourite search engine, entered your favourite topic, and soon you’re clicking away on one link after another, sure in the knowledge that Big Brother doesn’t know what sites you’re visiting—right?—wrong!—some of those clicks will be putting a smile on Big Brother’s face. ... Masochistium Clickium Hic!

Putting your life on the line

For many people in the West privacy is something of a fashion accessory. But just imagine for a moment that you live somewhere else. Just imagine that you live in China. Your name is Ms. Li Yinping. You live in Majia Village, Shouguang City, Weifang Region. You’re a member of the Falun Gong, a Chinese religious movement, one that is greatly despised by the regime. If they find out that you’re a member then you stand a good chance of being tortured, and quite possibly executed. So imagine that the search you are about to make could cost you your life if you make a mistake, if you haven’t set up your proxy correctly (needless to say, if you’re actually living in China, don’t perform this search, just read what follows, and then scrub your browser cache when you’re finished!)

Now you’ve heard a rumour about Jiang Zemin's regime rigging an event involving self-immolation in Tiananmen Square to discredit the Falun Gong. First set up your browser and proxy so that all your browsing activities will make use of the proxy and any DNS requests you make will be resolved remotely (for example, if you’re using Tor, point your browser at Privoxy, and then point Privoxy at your Tor client).

Now start your browser and go to Google—let’s assume you’ve managed to get a line out to “www.google.com”, and you’re not restricted to “www.google.cn”. Now type the following into the Google search box “Self-Immolation Tiananmen Square”. Let’s examine a few links from the page of hits returned by Google. If the page you see is similar to the one we see, then you’ll find a link called “Falun Dafa Clearwisdom.net”. Click on it. When the html page downloads you’ll see something beginning with “After July 20, 1999, Jiang Zemin's faction launched a far-reaching campaign of disinformation to justify its persecution of Falun Gong”. Press the “back” button on your browser to return to Google. Let’s try the link entitled “[PDF] Investigation of the So-Called Self-Immolation in Tiananmen Square”. Click on it. When the pdf file downloads you’ll see something beginning with “Ever since the so-called self-immolation incident occurred in Tiananmen Square, the Chinese authorities' persecution of Falun Gong – a popular Qigong practice in China outlawed by the Jiang regime – has clearly intensified”. Go back to Google again.

Now what happens behind the scenes when you click on a link? When you requested the first page, your browser passed the DNS lookup request along the proxy chain, the IP address of the site was returned, the browser sent a request along the proxy chain to return the page, and finally the page was displayed in your browser. And similarly for the second request, the browser passed the DNS lookup request along the proxy chain, the IP address of the web site was returned, the browser sent a request along the proxy chain to return the file, and finally the file was displayed in your browser. Correct?

Did you miss the Sleight of Hand?

No, not correct! If you had a sentinel installed (and if privacy is important to you then you should never browse without one), then by now you’d have that sinking feeling in your stomach. And with good reason. When you clicked on the first link the sentinel would have sat there sphinx-like, not uttering a word. But when you clicked on the second link, corresponding to “www.upholdjustice.org/English.2/s_i_investigation.pdf”, the sentinel would have awakened from its slumbers and would have reported something like this:

Sentinel Output

IP: 166.111.232.19.2760
   >>
IP: 222.212.39.104.53
Data: A? www.upholdjustice.org

IP: 222.212.39.104.53
   >>
IP: 166.111.232.19.2760
Data: 1/0/0 A IP: 207.44.152.163

The first set of data represents a DNS request originating from port 2760 on your computer with IP address 166.111.232.19. The request is sent to port 53, the standard DNS port, on the computer acting as your ISP’s DNS server, with IP address 222.212.39.104. The request asks the DNS server to find the IP address of “www.upholdjustice.org”. The second set of data represents the reply from the DNS server, indicating that the IP address you requested is 207.44.152.163.

So the second DNS request did not go through your proxy. Instead it went to the DNS server at your local ISP—let’s call it “www.shouguang.cn”. Now this DNS server will do more than just look up the IP address corresponding to the web address. Like many DNS servers around the world it will, in addition, determine whether the web address lies on Big Brother’s blacklist. And, in the present case, “www.upholdjustice.org” is not a web site that any “patriotic” Chinese citizen would wish to visit!
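The sentinel check described above, written out as an added example (not the article's own tool): a minimal decoder for the question section of a DNS query, plus an audit over captured packets that flags anything leaving the host for an address other than the proxy. It assumes a local Privoxy listener at 127.0.0.1:8118, and the packets are constructed to reproduce the exchange the sentinel printed.

```python
import struct
from collections import namedtuple

# Assumption (not from the article): the proxy chain is entered through a local
# Privoxy listener, so the only traffic allowed to leave the host is to that address.
PROXY_HOST, DNS_PORT = "127.0.0.1", 53
Packet = namedtuple("Packet", "src sport dst dport payload")

def build_query(qname, qtype=1, txid=0x1234):
    """Plain DNS query (RD=1, one question); used here only to construct sample traffic."""
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def parse_dns_question(payload):
    """Decode the first question of a DNS message into (qname, qtype); qtype 1 is an A query."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:                 # compression pointers never occur in a query name
            raise ValueError("unexpected compression pointer")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype

def audit(packets, proxy_host=PROXY_HOST):
    """List every outbound packet that bypassed the proxy, decoding DNS queries on the way."""
    findings = []
    for p in packets:
        if p.dst == proxy_host:
            continue                      # the expected path: everything should go this way
        if p.dport == DNS_PORT:
            qname, qtype = parse_dns_question(p.payload)
            findings.append(f"DNS leak: {'A' if qtype == 1 else qtype}? {qname} -> {p.dst}:{p.dport}")
        else:
            findings.append(f"direct connection: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    return findings

# Constructed sample: the html click goes to the local proxy; the pdf click repeats the
# DNS exchange that the sentinel printed in the article.
SAMPLE = [
    Packet("166.111.232.19", 2751, PROXY_HOST, 8118, b"CONNECT ..."),
    Packet("166.111.232.19", 2760, "222.212.39.104", 53, build_query("www.upholdjustice.org")),
]
```

Running audit(SAMPLE) reports only the second packet, which is exactly the line the sentinel showed; a real sentinel feeds it packets sniffed from the interface instead of the constructed list.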

But I thought Tor would warn me?

If you’re using the Tor network as your proxy then you will have been told that Tor warns you when DNS look-ups are done locally. Let’s take a look. Right-click on the TorCP icon, then select “Tools”, followed by “Message History”. A pop-up window called “Recent Log Messages” will appear. Now if Tor had detected a local DNS look-up then you would find in the log a message similar to the following:

[Warn] fetch_from_buf_socks(): Your application (using socks4 on port 14839) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead.

But, even though you have been using Privoxy as suggested, you will find no warning message in this case. So even though the DNS look-up has been local, Tor has not detected it. As far as Tor is concerned everything is working perfectly!

More to Adobe than meets the eye!

Let’s examine what’s gone wrong:

Conversation Piece

Browser: “Hey Adobe, you there?”

Adobe: “Yep, ready and waiting.”

Browser: “Well, User wants to display ‘www.upholdjustice.org/English.2/s_i_investigation.pdf’.”

Adobe: “Okay! I’m on my way…now, let’s see…this Windows machine must have an Internet connection…let’s have a look…okay, the default Internet connection is to ISP ‘www.shouguang.cn’…and here’s the address of its DNS server. Hi there DNS server. Need the IP address of ‘www.upholdjustice.org’.”

DNS Server: “The IP address you need is…wait for it…yes, it’s 207.44.152.163.”

Adobe: “Ta DNS.”

DNS Server: “Hey Big Brother, did you know that someone at IP 166.111.232.19 is trying to download something from ‘www.upholdjustice.org’?”

Big Brother: “No I didn’t. But I do now!”

Adobe: “Hmm…this browser seems to have some proxy settings… perhaps I should use them instead…hey there Proxy, can you fetch the contents of ‘www.upholdjustice.org/English.2/s_i_investigation.pdf’?”

Proxy: “Sure can do…coming…coming…here it is.”

Adobe: “Ta Proxy.”

Adobe: “Hey Browser. I’ve got what you were looking for. Just move over for a moment so that I can squeeze into your window and display this pdf.”

Browser: “Hey User. Deed done. Here’s that pdf you were looking for.”

Well that’s only a guess as to what’s happening. What we do know from the sentinel is that a local DNS look-up has been performed, but that the network traffic involved in fetching the pdf file passes through the proxy. Yet the proxy does not seem to be getting the IP address alone, since if that were the case Tor would produce a warning message.

Exactly what’s happening here we can’t be sure of without knowing the internal workings of Adobe. It seems that your Internet browser doesn’t fetch the pdf for you; it simply sub-contracts the task to Adobe. Apart from passing the request to Adobe at the beginning, and providing a window for Adobe to display the file at the end, your browser has done nothing. Adobe, like many software programs these days, is Internet savvy. Adobe seems to be bypassing the proxy when it comes to doing the DNS look-up. However, rather than just passing the IP address to the proxy, it seems to be passing the full request, so that the proxy does a remote DNS lookup before it fetches the pdf file (that’s the only explanation that seems to be consistent with the lack of a warning message from Tor).
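To make the “full request rather than just the IP address” distinction concrete, here is an added example (not from the article, and not Tor’s own code): the SOCKS4 and SOCKS4A CONNECT request shapes a client can hand to the proxy, and the proxy-side check that decides whether the warning quoted above would fire. The hostname, port and IP address are taken from the article; the function names are ours.

```python
from __future__ import annotations
import socket
import struct

# Added example: the two request shapes a SOCKS4-speaking client can send to a proxy such
# as Tor, and the proxy-side check behind the "giving Tor only an IP address" warning.
# The port and target values are constructed from the article's example.

def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: the client resolved the name itself and ships only the IP."""
    return struct.pack("!BBH", 4, 1, port) + socket.inet_aton(ip) + userid + b"\x00"

def socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4A CONNECT: DSTIP is 0.0.0.x (x != 0) and the hostname follows the user id,
    so the proxy does the lookup. This is the form Privoxy hands to Tor."""
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + hostname.encode("ascii") + b"\x00")

def proxy_inspect(request: bytes) -> dict:
    """Proxy-side view of a CONNECT request. 'client_resolved' is True exactly when the
    client supplied a real IP, which is the only case the proxy can warn about."""
    vn, cd, port = struct.unpack("!BBH", request[:4])
    if vn != 4 or cd != 1:
        raise ValueError("not a SOCKS4/4A CONNECT request")
    ip, rest = request[4:8], request[8:]
    _userid, _, rest = rest.partition(b"\x00")
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        hostname = rest.partition(b"\x00")[0].decode("ascii")
        return {"target": hostname, "port": port, "client_resolved": False}
    return {"target": socket.inet_ntoa(ip), "port": port, "client_resolved": True}

def tor_warning(request: bytes) -> str | None:
    """Reproduce the decision behind Tor's fetch_from_buf_socks() warning (text paraphrased)."""
    if proxy_inspect(request)["client_resolved"]:
        return "client is giving the proxy only an IP address; DNS was resolved locally"
    return None

# The article's case: Adobe looked the name up locally (leaking the query to the ISP's DNS
# server) but still handed the proxy the full hostname, so the proxy sees a 4A request and
# has nothing to warn about. The leak is invisible from inside the proxy.
LEAKY_BUT_SILENT = socks4a_connect("www.upholdjustice.org", 80)
NOISY_LEAK = socks4_connect("207.44.152.163", 80)   # IP from the article's sentinel output
```

The point for a defender is in the last two lines: the proxy's own warning covers only the NOISY_LEAK shape, so a sentinel watching the wire (or a firewall that blocks everything except the proxy) is the only check that catches the LEAKY_BUT_SILENT one.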

So just think back on all those pdf files that you’ve downloaded over the years. Did you ever download anything that did not have “Approved by Big Brother” stamped on it? Well, for most people who use proxies the situation is not too bad: first, pdf files come up in web searches far less frequently than html pages (and if you select the html version of a pdf, when it’s available, then all will be well); second, most sites that—how shall we put it discreetly—contain material that Big Brother would not approve of are less likely than their “kosher” cousins to make use of pdfs. Nonetheless, if you’re doing a little research on privacy or on your regime’s shortcomings, then—as the above example illustrates—it won’t be long before you download an “inappropriate” pdf, thereby inviting Big Brother to “re-educate” you.

It was obvious, wasn’t it?

Once you think about it, it’s all rather obvious. If you had been using Adobe directly you would not have fallen into the trap: if you’d opened up Adobe, then before you started to type a web address into its Internet search box, you would have paused, and asked yourself, “How can I make Adobe use my proxy?” You’d have been looking to see if Adobe had any proxy options among its preferences, and, if not, then you’d be well on your way to socksifying it.

Now this problem is likely to occur whenever a browser calls some Internet enabled program in the background and then displays the results in the browser window. The vast majority of people who use proxies will assume that once they have set up their browser to use a proxy correctly, then anything that they do with the browser will also use the proxy correctly. And as web-based computing—à la Google—is becoming more and more common, the browser is becoming the interface for more and more applications, so this problem is likely to grow.

The only satisfactory solution is to ensure that you either (1) use a sentinel, or (2) use a firewall to block all outbound traffic to IP addresses other than that of your proxy.

How to download PDFs using a Proxy

Now different versions of Adobe may have different preferences, so we’ll deal here with Adobe Reader v7. Open up Adobe and then select in turn the following menu items:

  • Edit => Preferences => Internet => Internet Settings

The “Internet Properties” window that appears is the standard set of Internet property tabs that you get when you select “Internet Options” from the Control Panel. This version of Adobe has no preferences to directly use a proxy.

It’s possible to change the settings of your default Internet connection so as to use a proxy. Select the “Connection” tab, select the default Internet connection, click on the “Settings” button, tick the “Use a proxy server for this connection” check box under the “Proxy server” sub-heading, and then fill in the “Address” and “Port” fields with the values used by your proxy server.

Now, we’ve found that setting up a proxy in this manner works with other Internet enabled software, but for some reason it doesn’t work with Adobe. When we tried it our sentinel still recorded the local DNS look-up going out the door to our ISP’s DNS server. Adobe seems to ignore the proxy settings and just use the default Internet connection, as is. But try it out, it might work for you—just make sure you’ve got a means to verify that it is working correctly.

The alternative is to socksify Adobe, using a product like “SocksCap”, available here, or “FreeCap”, available here (we’ll explain more about socksification another day, but these products are easy to install and to use). We’ve tried “SocksCap” with Adobe, and it works fine, with our sentinel showing no DNS leakage. Just start up Adobe from within the SocksCap window, then open your browser and start browsing (but, as always, use a sentinel to verify that everything is working as intended).

Postscript

And as to Ms. Li Yinping? Yes, there was a real Ms. Li Yinping. And yes, she used to live in Majia Village, Shouguang City, Weifang Region, People’s Republic of China. But Li was a member of the Falun Gong, just an ordinary member, peacefully practising her religion. She couldn’t even be called a dissident for she had never protested against the regime or its edicts. But in June 2001 she was arrested by the local police, and after being tortured for several days with electric batons she died. She remains just another statistic amongst the millions of people who have been tortured and executed for displeasing the regime since the founding of The People’s Republic of China.

Tiffium & Morphium – Bigus Brutium-Absentium Zonium

Cyber roads, take me HOME
To the page where I came from
Freedom's Fire, my desire
Take me home, cyber roads.