Opened 3 months ago

Last modified 3 months ago

#2540 new defect

Disabling outproxy won't disable it

Reported by: anonymous maybe
Owned by:
Priority: minor
Milestone: undecided
Component: apps/i2ptunnel
Version: 0.9.40
Keywords:
Cc: Meeh
Parent Tickets:
Sensitive: no

Description (last modified by anonymous maybe)

Now I have gone to the tunnels I have and deleted all outproxy servers (false.i2p & tor-meeh), and good thing it stopped connecting to clearnet.

But here is the manipulation (good thing it happened):

http://zzz.i2p/topics/2726-anoncoin-i2p-connecting-to-google-cloudflare-should-router-console-eepsites-be-allowed-to-do-this#

It appears http://anoncoin.i2p/ is hosted on a different system running i2p than http://anoncoin.net, where the Server tunnel for http://anoncoin.i2p/ is pointing towards http://anoncoin.net; that is why there is clearly written "Please complete the security check to access anoncoin.net".

If http://anoncoin.i2p/ and http://anoncoin.net/ are hosted on the same system, they can point the Server tunnel to localhost and that will solve the issue. If they are on different systems, then they can point the Server tunnel to the Static IP to solve the issue.

By this my router tunnel will always connect to an outproxy IP, which is 193.150.121.66:

https://www.infobyip.com/ip-193.150.121.66.html

No matter how many times I close/open the router.

That means my router still has a persistent connection to that specific IP when I'm trying to connect to that website, and this is a huge privacy flaw; mostly it's a tunnel fault to get it manipulated with the case mentioned above.

(check the uploaded image as well)

Subtickets

#2338: I2P router makes multiple requests through outproxy while its disabled (closed)

Attachments (1)

outproxyflaw.png (49.0 KB) - added by anonymous maybe 3 months ago.


Change History (12)

Changed 3 months ago by anonymous maybe

Attachment: outproxyflaw.png added

comment:1 Changed 3 months ago by anonymous maybe

Description: modified (diff)

comment:2 Changed 3 months ago by zzz

Cc: Meeh added
Sensitive: unset

I don't understand this at all. Meeh runs both the outproxy and anoncoin. Perhaps they're on the same server? So you'll either connect to his outproxy, or if outproxy is disabled, connect to it directly, depending on what your browser settings are? Please try to explain again what you think our bug is?

comment:3 Changed 3 months ago by anonymous maybe

Add a subticket #2338 (I2P router makes multiple requests through outproxy while its disabled).

comment:4 Changed 3 months ago by anonymous maybe

So you'll either connect to his outproxy, or if outproxy is disabled, connect to it directly, depending on what your browser settings are?

The issue is my router should only be connected to .i2p without using outproxies because they are disabled/removed from my tunnel. Though this is not the case here: the outproxy is still acting as an active option for the tunnel when it's trying to resolve the Cloudflare captcha call through clearnet.

And how .i2p is showing a Cloudflare captcha calling through clearnet is already mentioned in the OP scenario.

Simplifying:

My tunnel should call only .i2p and no outproxies to clearnet → I connected to a .i2p domain, but this domain uses a clearnet call on its front and my router should return in this case "this is an outproxy connection" or clearnet or whatever, BUT since the domain ends with .i2p my router bypassed the request of a clearnet connection to my tunnel and my tunnel connected to it as if it's configured to allow outproxy connections.

This means when removing the outproxy from my tunnels, there is still a possible way to make a connection to the clearnet through the outproxy, and the above manipulation method is one.

comment:5 Changed 3 months ago by zzz

Cannot reproduce. Set browser proxy config to route all through I2P, removed all entries from Outproxies and SSL Outproxies in i2ptunnel HTTP Proxy edit form, tried to access a clearnet http site, and got the expected error page:

Warning: No Outproxy Configured

Your request was for a site outside of I2P, but you have no HTTP outproxy configured. Please configure an outproxy in I2PTunnel.

Please provide instructions on how to reproduce.

comment:6 Changed 3 months ago by anonymous maybe

Please provide instructions on how to reproduce.

As mentioned in the main ticket + uploaded image. Can't explain more how to get there.

But for the moment that server of anoncoin switched down, so you can't see the same image.

@meeh, were the anoncoin & the I2P outproxy server reacting on the same server? Please share with us your thoughts.

comment:7 Changed 3 months ago by Meeh

The anoncoin website was hosted by some former team members which don't anymore; this was done at Cloudflare or something. But after that stopped I've regained the DNS control but have not had time to put the web up anywhere yet. I do not think it has had anything to do with the outproxy, ever. I at least can never recall that webpage being on the same server as the outproxy. The anc tunnel has been on a router that also has handled false.i2p traffic, but it's just one of the multihome nodes and not the outproxy itself.

comment:8 Changed 3 months ago by Meeh

When anc was hosted by others at Cloudflare or whatever, I think we ended up with a reverse proxy setup for the i2p frontend, so both used the same. When I regained control of the domain last week I made it use the old zonefile on my DNS servers, which isn't updated. I tried to make time to get it back up last week but I failed, so I will try to have it up before the end of this week.

comment:9 Changed 3 months ago by Meeh

Try to reproduce it now; if it doesn't work → close.

comment:10 Changed 3 months ago by zzz

Priority: critical → minor

comment:11 Changed 3 months ago by anonymous maybe

If you are asking me now to reproduce it, then it's not reproducible anymore, obviously.

But I need to test one thing: if a reverse proxy of .i2p to clearnet is going to make a connection with I2P-Outproxies while I2P-Outproxy is disabled in the I2PTunnels, then this is the whole point of this matter.

The point is that disabling outproxy from user tunnels is vulnerable to being activated through the method above, hence rendering user configurations useless.

If you happen to test that and find that this is not happening, well, feel free to close this.
