Robert Mindo
Sessions
When building privacy-sensitive applications, we often rely on proxies like Tor to ensure that no direct connections escape the intended anonymity network. However, verifying that every part of an application reliably goes through the proxy is surprisingly difficult. Even a single syscall escaping the proxy path can quietly deanonymize a user.
SocksTrace is a lightweight proxy-leak detection tool that traces network-related syscalls and validates whether they correctly route through the configured proxy.
In this talk, I’ll show how SocksTrace works under the hood, what kinds of leaks it can catch, and why syscall-level inspection is essential for high-assurance privacy tools. I’ll also walk through real-world findings: during our testing, we identified previously unknown proxy leaks in major browsers including Firefox and Brave, one of which resulted in a confirmed bug bounty. These results highlight how subtle proxy routing mistakes can occur even in widely used, privacy-oriented software.
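The idea of checking each network syscall against the configured proxy can be illustrated with a small added example; this is not SocksTrace's code. It assumes `strace`-style text as input and a proxy at 127.0.0.1:9050; the sample lines are constructed and `find_leaks` is a hypothetical name.

```python
import ipaddress
import re

# Assumed proxy endpoint (Tor's default SOCKS port); change to the proxy under test.
PROXY = ("127.0.0.1", 9050)

# Constructed sample, in the text format strace prints for connect().
SAMPLE = [
    'connect(3, {sa_family=AF_INET, sin_port=htons(9050), sin_addr=inet_addr("127.0.0.1")}, 16) = 0',
    'connect(4, {sa_family=AF_UNIX, sun_path="/run/user/1000/bus"}, 21) = 0',
    'connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0',
    'connect(6, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), '
    'inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 EINPROGRESS',
    'connect(7, {sa_family=AF_INET6, sin6_port=htons(9050), sin6_flowinfo=htonl(0), '
    'inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_scope_id=0}, 28) = 0',
]

# Captures family, port and address from an AF_INET / AF_INET6 connect() line.
CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=(AF_INET6?), sin6?_port=htons\((\d+)\), .*?'
    r'(?:inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6, "([^"]+)")'
)

def find_leaks(strace_lines, proxy=PROXY):
    """Return (line_no, ip, port) for each IP connect() that does not target the proxy."""
    proxy_ip = ipaddress.ip_address(proxy[0])
    leaks = []
    for n, line in enumerate(strace_lines, 1):
        m = CONNECT_RE.search(line)
        if not m:
            continue  # AF_UNIX sockets and non-connect lines carry no IP destination
        port = int(m.group(2))
        ip = ipaddress.ip_address(m.group(3) or m.group(4))
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it compares equal to the IPv4 proxy.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if (ip, port) != (proxy_ip, proxy[1]):
            leaks.append((n, str(ip), port))
    return leaks

if __name__ == "__main__":
    for line_no, ip, port in find_leaks(SAMPLE):
        print(f"line {line_no}: direct connect to {ip}:{port} bypasses the proxy")
```

This covers only `connect()`; datagram traffic sent with an explicit destination in `sendto()` or `sendmsg()` would need the same check applied to those syscalls.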
Join us for a practical session on auditing network traffic. In this workshop, you will learn how to use SocksTrace to intercept, analyze, and socksify applications.