Opened 8 years ago

Closed 8 years ago

Last modified 6 years ago

#2634 closed defect (wontfix)

unable to use windows update functionality with tor enabled

Reported by: marshall_banana Owned by: erinn
Priority: Medium Milestone: Tor: unspecified
Component: Applications/Tor bundles/installation Version: Vidalia 0.2.10
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

i have a really wooooonderful bug for you ;-)

first: i'm currently using windows 7 x64 ultimate SP1 and the vidalia bundle (vidalia-0.2.10, tor-0.2.2.21-alpha, polipo)...
for a long while now i was unable to use the windows update functionality: updates kept being stuck at normally 45% and wouldn't download... i found out that i had to stop the vidalia-progs and remove the tor-entries from the iexplore internet options, reset bits/windows update by deleting the "download" and "datastore" folders from windows softwaredistribution folder and then restart the BITS and windows update services (WAU) to be able to use it again...

the eventlog has some errors in the BITS log, i will paste one at the end of this text (always the same errors, just different files it tries to download)...
somehow the bits client doesn't seem to be able to download via tor. i wasn't able to find a way to prevent WAU from using the proxy without the abovementioned way.

i wasn't able to manually alter the proxy-settings of the BITS-jobs using bitsadmin or the powershell commandlets because the WAU jobs run in system context and can't be modified from admin context.

using netsh to reset the winhttp proxy didn't help either, it always said "direct connection", but bits used the proxy.

i have "*.update.microsoft.com" in the trusted sites as well as in the exeptions of the iexplore-proxy-settings, didn't help...

the great error-message doesn't tell what kind of http feature it needs or anything, so any advise how to set tor as proxy in iexplore AND be able to use WAU??

cheers

marshall banana

Log Name: Microsoft-Windows-Bits-Client/Operational
Source: Microsoft-Windows-Bits-Client
Date: 27.02.2011 01:42:31
Event ID: 202
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: <censored/>
Description:
While transferring WU Client Download, BITS encountered error 0x8020001B using 127.0.0.1:8118 as the HTTP proxy server. The web server or proxy server does not support an HTTP feature required by BITS. This problem can only be corrected by the adminstrator of the web server or proxy server. Details: {job: WU Client Download}, {owner: NT AUTHORITY\SYSTEM}, {jobId: {fc727bf8-63ce-47a9-b47c-695a32ed2c4a}}, {url: /msdownload/update/software/updt/2011/02/windows6.1-kb2484033-x64_c4162373438c27c520af2e40ca1d51bae3266b22.psf}, {xferId: {ff691247-91df-4935-b657-8ecd0ae32ff5}}, {proxyServer: 127.0.0.1:8118}, {hr: 0x8020001B}, {urlContentLength: 17521579}, {urlHttpVersion: HTTP/1.1}, {urlRange: }
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Bits-Client" Guid="{EF1CC15B-46C1-414E-BB95-E76B077BD51E}" />
<EventID>202</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-02-27T00:42:31.857123800Z" />
<EventRecordID>14766</EventRecordID>
<Correlation ActivityID="{FF691247-91DF-4935-B657-8ECD0AE32FF5}" />
<Execution ProcessID="1048" ThreadID="1576" />
<Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
<Computer>censored</Computer>
<Security UserID="censored" />

</System>
<EventData>

<Data Name="jobName">WU Client Download</Data>
<Data Name="jobOwner">NT AUTHORITY\SYSTEM</Data>
<Data Name="jobId">{FC727BF8-63CE-47A9-B47C-695A32ED2C4A}</Data>
<Data Name="url">/msdownload/update/software/updt/2011/02/windows6.1-kb2484033-x64_c4162373438c27c520af2e40ca1d51bae3266b22.psf</Data>
<Data Name="xferId">{FF691247-91DF-4935-B657-8ECD0AE32FF5}</Data>
<Data Name="proxy">127.0.0.1:8118</Data>
<Data Name="hr">2149580827</Data>
<Data Name="fileLength">17521579</Data>
<Data Name="HTTPVersion">HTTP/1.1</Data>
<Data Name="URLRange">
</Data>

</EventData>

</Event>

Child Tickets

Change History (2)

comment:1 Changed 8 years ago by rransom

Resolution: wontfix
Status: newclosed

Internet Explorer is not safe to use with Tor. Use Firefox with Torbutton instead.

comment:2 in reply to:  1 Changed 6 years ago by badon

Replying to rransom:

Internet Explorer is not safe to use with Tor. Use Firefox with Torbutton instead.

I registered just to comment on this. Actually, nothing is safe to use with Tor. To deter advanced users from using anything other than Firefox with Torbutton (replaced by the Tor Browser Bundle) is ignorant of use cases that can benefit from Tor that don't involve mundane web browsing. For example, if a whistleblower needed to hide his location, but still use a computer + LAN to continue his work, Tor Browser Bundle would not be adequate, and his location would be quickly targeted by a drone missile as soon as he tries to run Windows Update.

The most common use case is anonymity, which the Tor Browser Bundle tries to server, and the Tor Project discourages novices from trying to do anything else with Tor. But, for people with other use cases, and arguably more important ones like the aforementioned whistleblower, there is a way to make Tor reasonably safe for the minimum of hiding a location. I wrote an article titled "10 steps to make Tor safer with pfSense", here:

https://www.livebusinesschat.com/smf/index.php?topic=5410.0

Essentially, the only thing that setup attempts to do is block anything that's not going through a Tor bridge. Using a bridge conceals Tor usage, which will make it harder for an adversary to narrow down someone's location just by looking for Tor users. From there, anything that needs to be used will fail safe instead of fail deadly. Instead of Windows Update luring the bad guys to your base on the moon, it simply won't work until it is configured correctly.

I just did a startpage.com search for the follow:

"windows update" tor

...and it brought me here in the first 2 results. Clearly, there is need for more than just basic anonymity when web browsing, especially for a person who is not anonymous, and possibly already vulnerable to being targeted. Simply because there's some web browser that's better than some other web browser is not a legitimate reason to close this bug as wontfix - that's not the issue here! Although this may not be a problem the Tor Project can solve via a bug report on Tor, but certainly it is solvable, and shouldn't be dismissed so abruptly.

I'm looking for a solution myself, and I'm surprised at how difficult this is. Not even Proxifier can reroute Windows Update traffic through a proxy, but lucky for me, pfSense blocked it from revealing my location. Dare I say that Windows Update is DESIGNED to be a tool for locating people? marshall_banana, if you can discuss this issue elsewhere away from the Tor bug tracking system, let's do.

Note: pfSense blocks Tor Browser Bundle's DNS leak bug, which could have been catastrophic for some people. pfSense might be something that ought to be recommended together with TBB, if you want TBB to be safe, or at least safer.

Note: See TracTickets for help on using tickets.