
[tor-bugs] Re: #1579 [Tor-Torbutton]: ETag and If-None-Match header can link multiple requests to the same page



#1579: ETag and If-None-Match header can link multiple requests to the same page
----------------------------+-----------------------------------------------
  Reporter:  bee            |       Owner:  mikeperry
      Type:  enhancement    |      Status:  closed   
  Priority:  minor          |   Milestone:           
 Component:  Tor-Torbutton  |     Version:           
Resolution:  duplicate      |    Keywords:           
    Parent:                 |  
----------------------------+-----------------------------------------------

Comment(by bee):

 You compare this bug with setting a cookie!!! Well, it's right!!! or
 almost!!!!
 For sure, you can toggle the button or change the "Block Disk and Memory
 Cache during Tor" radiobutton!!! And, it's also true that you may as well
 inject one cookie and hope for it to be saved into the cookie
 jar!!!!!!!!! rather than using the ETags!!!!
 But, you may also use an HTTP proxy to strip HTTP headers!!! it's possible
 to stay safe from cookies and other HTTP headers, in plenty of ways!!!!
 they're just not always common or easy!!!!
 TorProject's Browser Bundles are unsafe by definition!!!
 Cookies are enabled!! JavaScript is enabled, though with limitations,
 and of course also the "Block Disk and Memory Cache during Tor" option is
 off!!!! Only plugins are disabled!!!!

 So, the ETag header is something that goes through TorButton as well!!!!!!
 And, it's much less noticeable than cookies!!!!!
 Yeah, I know that "about:cache" could work, but there isn't a tool like
 the internal cookie manager of Firefox made to quickly look at the stored
 ETags!!!!!!

 Surely, it's possible to defeat this attack, in a way which is turned off
 and absolutely disabled by default!!!!!!! (which makes sense if you even
 keep cookies enabled!!!!!!!! which is what you can expect from
 TorProject's standards!!!!!)

 bye!!!!!!!!
 ~bee!!!!!!

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1579#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
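
Added example, not part of the ticket or of Torbutton's code: a header-level simulation (no network access) of why a cached ETag links two requests and how a filter that strips cache validators, like the header-stripping proxy mentioned in the comment, removes the link. All names and the sample ETag value are constructed for illustration, and the sketch also covers the Last-Modified / If-Modified-Since pair, which works the same way but is not mentioned in the ticket.

```python
"""Header-level simulation of cache revalidation; no network access."""

# Cache validators: the response header and the request header that echoes it.
VALIDATORS = {"etag": "if-none-match", "last-modified": "if-modified-since"}


class CachingClient:
    """Minimal browser cache model: remembers validators per URL."""

    def __init__(self, strip_validators=False):
        self.strip_validators = strip_validators
        self.cache = {}  # url -> {response header name: value}

    def store_response(self, url, headers):
        """Record the validators of a response, unless the filter drops them."""
        lowered = {k.lower(): v for k, v in headers.items()}
        if self.strip_validators:
            lowered = {k: v for k, v in lowered.items() if k not in VALIDATORS}
        self.cache[url] = {k: v for k, v in lowered.items() if k in VALIDATORS}

    def build_request(self, url):
        """Return the conditional headers a revalidation request would carry."""
        stored = self.cache.get(url, {})
        return {VALIDATORS[k]: v for k, v in stored.items()}


def linkable(first_response, second_request):
    """True if the second request echoes any validator from the first response."""
    lowered = {k.lower(): v for k, v in first_response.items()}
    return any(
        second_request.get(req) == lowered[resp]
        for resp, req in VALIDATORS.items()
        if resp in lowered
    )


# Constructed sample response; the ETag value is made up for illustration.
SAMPLE_URL = "http://example.com/logo.png"
SAMPLE_RESPONSE = {"Content-Type": "image/png", "ETag": '"visitor-7f3a"'}


def run(strip):
    """Store the sample response, then return the headers of the next request."""
    client = CachingClient(strip_validators=strip)
    client.store_response(SAMPLE_URL, SAMPLE_RESPONSE)
    return client.build_request(SAMPLE_URL)


if __name__ == "__main__":
    for strip in (False, True):
        req = run(strip)
        print(f"strip={strip}: request {req}, linkable={linkable(SAMPLE_RESPONSE, req)}")
```
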