Using Tor Browser, can a website (rogue or otherwise), or in fact an exit node, expose you by fishing for local resources:
Example:
sending a request to: 127.0.0.1/yourlocalwebserver
and then monitoring the response with JavaScript?
Hope I’m being clear. Putting it another way, can a site or exit node ‘scan’ (not quite the right word) for services running on the client end and get some information that way about the client?
Everything I’ve read states that Tor is for anonymity. Security is up to your AV.
So if you go to a rogue site (say phishing) then you are vulnerable to phishing if you fall for the scam. If you go to a malware site and it asks for some sort of clicking action like a download for this greatest thing since sliced bread (nudge, nudge, wink, wink) then it’s up to your Anti Virus to catch this (and your common sense).
I’ve heard of web sites poking at your router (common 191.168.0.1) and I know Tor has limited NoScript, so would it allow 127.0.0.1/yourlocalwebserver?
I can’t say a definite no. Someone here should have an answer to this.
Now the exit node would have a hard time inserting something into the response from an HTTPS server.
This is more up to the browser and its cross-site protections. A remote site can do anything over Tor on your local browser that any other web site can do. Cross-site protections tend to limit this greatly, but it’s not a function of Tor.
No. Even if you yourself enter a localhost address, Tor Browser shows this page:
Unable to connect
The connection was refused when attempting to contact 127.0.0.1:8080.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Tor Browser is permitted to access the web.
There’s an about:config setting in Tor Browser which prevents it.