Potential Anonymity Leak

I think this plugin has a serious security/anonimity bug, while it makes you feel safe. The problem is that when you define rule, say for www.blah.com it works OK but if www.blah.com has images, or javascript (usualy traffic counters/analyzers) hosted on other, then defined in rule servers, these servers are detecting your IP and also a referrer without no problem... so anybody who uses traffic analyzing services can track his visitors whether they use FoxyProxy or not... I know the solution is not so trivial as you have to detect all the links on the page and redirect their connections through proxy - but anyway without this, plugin is unfinished...

Hi,

This concern has been discussed in great detail at the FAQ.

Thanks,
Eric

Can you please point more exactly where this problem is discussed?
Thank you.

From the Privacy section of the FAQ:

The topic has also been discussed (ad naseum) on these forums in the past. Do a search of them, or I can do one for you if you prefer.

Yes i found it...
Anyway sad, it will be much better if it would detect and download all images/scripts/frames etc and via the same proxy that is specified for the URL in addressbar. I.e. if pattern is for www.blah.com then ALL links on that page are going through same proxy (may be just temporarily add rules for those....)

This is scheduled for release 2.7 or so.

I think that this is more important than you are considering. I think you have created a dangerous trap for beginners.

I did what seemed logical (it still seems logical) and I hit this bug. This is not a big deal for me, I am just playing with this service. But it could literally be a life and death problem for others who need a proxy for anonymity.

Specifically, when I searched the Firefox add-on page for the word "proxy" FoxyProxy is the first add-on on the list that sounded right. I looked over the FoxyProxy web site pretty carefully and I missed any discussion of this problem. It was there, but it was not prominent enough to get my attention. And I am a native English speaker.

I saw that TOR recommended TORbutton. But I thought that FoxyProxy was a newer, more up to date version of TORbutton. And your graphics are nicer than the TORbutton page too.

I now see that a new user, unfamiliar with these systems, should definitely be using TORbutton. I think that FoxyProxy might be OK for an advanced user with special skills and needs -- someone who understands about this problem and knows how to circumvent it.

I think you need to make the warnings clearer and more prominent. It is possible that you could be getting people sent to jail or even killed with this product.

Hi,

Thank you for the concern. I've updated the home page so it points directly to the FAQ question, this thread, and the thread on the tor mailing list:

Please review and let me know if you think it is now more clear and prominent. If it's not, please offer suggestions on what and how to change.

Thanks,
Eric

I am going to say that it is newbies (like myself) that you need to warn, I think that experienced proxy users should be OK.

I did not find the "Firefox through Tor" link to be useful at all. This link drops you at the first thread on a long list of very technical and unrelated subjects. Unless the reader knows to look for threads featuring "Eric Jung" he is not going to even see this excellent discussion. The string "foxy proxy" is not in any of these posts. This is good info, but useless to a newbie unless someone points it out. Sorry.

Could I suggest you try to filter out the newbies among your new users? Instead of saying:

"what is foxyproxy?

* Live in Belarus, Burma, China, Cuba, Egypt, Iran, North Korea, Saudi Arabia, Syria, Thailand, Tunisia, Turkmenistan Uzbekistan, Vietnam, or one of the other nations who censor the internet?
* Can't get to MySpace from school?
* Can't get to GMail at work?

then foxyproxy is for you!"

perhaps you could say:

"what is foxyproxy?

* Want more detailed control of your proxy servers than simpler proxy plug-ins allow?
* Live in Belarus, Burma, China, Cuba, Egypt, Iran, North Korea, Saudi Arabia, Syria, Thailand, Tunisia, Turkmenistan Uzbekistan, Vietnam, or one of the other nations who censor the internet?
* Can't get to MySpace from school?
* Can't get to GMail at work?

then foxyproxy is for you!"

When you close up this hole, you could take out the extra line. Actually, someone else here says that you should say it like this:

"what is foxyproxy?

* Want more detailed control of your proxy servers than simpler plug-ins allow?
* Live in one of the nations that censor the internet?
* Can't get to MySpace from school?
* Can't get to GMail at work?

then foxyproxy is for you!"

Thanks. I have updated the link to point here.

I've also completely rewritten the faq question. Now the issue is discussed and demonstrated in plain English right in the FAQ instead of in other links that might be too technical for some.

Thanks. I've updated the page with similar text even though I don't really see what this has to do with privacy and anonymity. My question was whether or not the risk is now "more clear and prominent" as you stated it should be.

Your re-written faq really seems much clearer to me. I think this is a big improvement. I like this better than my suggestions.

Thanks. I've also added a link to the FAQ question on the download page: