Andrew Lewman wrote:
> A) The Privoxies after 3.06 have a local "web control interface"
> which we believe is a security risk. We think that remote websites can
> probably reconfigure your privoxy via that interface, maybe even without
> your noticing. If newer versions have the ability to disable this
> interface, we can consider testing and subsequently including those with
> our packages.

Can you provide a link to what you are talking about? I just searched on the terms/phrase "web control interface" with "privoxy" and only had a few matches, none of which seemed relevant. I also checked privoxy's online manual ( http://www.privoxy.org/user-manual/index.html , v 1.60 2009/03/21 12:58:53) and I didn't see anything about changing configuration that had substantively changed since I started using privoxy 3+ years ago.

At *least* since that time there has been the ability to edit action files via browser (web interface) if allowed in the configuration file. The configuration file itself had to be manually edited, and, at least in *nix, the config file could be owned by root and set to be not writeable by privoxy (assuming privoxy was running w/o privilege).

You could also toggle "enable/disable" through privoxy's web interface if allowed in the config file. It should be noted that "disabling" merely turns off the application of the rules -- it does *not* affect packet routing. So if something was sent via Tor with privoxy "enabled," it is still sent through Tor with privoxy "disabled." I have specifically verified that using http://torcheck.xenobite.eu .

So could you point me to what has changed since 3.0.6 that causes security concerns?

Thanks.

P.S. Oops, I just noticed others have requested a link. Did not mean to repeat. I believe the rest of what I said is relevant.
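
Added example, not part of the original message or of Privoxy's own code: a small audit of the two controls discussed above, namely whether the config file allows web-based editing or toggling, and whether the unprivileged proxy user could rewrite that file. The directive names are taken from the Privoxy user manual rather than from this thread; the sample config, uid and gid values are constructed.

```python
import stat
from types import SimpleNamespace

# Privoxy config directives that expose control through the web interface.
# Assumption (from the Privoxy user manual): each is disabled when unset.
WEB_CONTROL = ("enable-edit-actions", "enable-remote-toggle",
               "enable-remote-http-toggle")

# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
listen-address 127.0.0.1:8118
enable-edit-actions 1   # browser-based actions editor on
enable-remote-toggle 0
forward-socks4a / 127.0.0.1:9050 .
"""

def web_control_settings(config_text):
    """Return {directive: bool} for the web-control directives."""
    found = {name: False for name in WEB_CONTROL}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in found:
            value = parts[1].strip() if len(parts) > 1 else ""
            found[key] = value not in ("", "0")  # assumed: a later line overrides
    return found

def writable_by(st, uid, gids):
    """True if a process with this uid/gids could write the file described by st."""
    if uid == 0 or st.st_uid == uid:
        return True  # root, or the owner (who can chmod the file back)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def findings(config_text, st, uid, gids):
    """List the settings that leave the proxy reconfigurable at run time."""
    out = [f"{k} is enabled" for k, on in web_control_settings(config_text).items() if on]
    if writable_by(st, uid, gids):
        out.append("config file is writable by the proxy's user")
    return out

if __name__ == "__main__":
    # Constructed stat: root-owned, mode 0644, checked against uid/gid 1001.
    root_owned = SimpleNamespace(st_uid=0, st_gid=0, st_mode=0o100644)
    print(findings(SAMPLE, root_owned, 1001, {1001}))
```

On a live system, pass `os.stat()` of the real config file and the uid and group ids the proxy runs under.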