
Re: [tor-talk] browser fingerprinting



Yes, of course JS is not at all the cause of the problems described in this thread; strange that this very wrong idea is still popular.

JS cannot prevent you from hacking yourself if you like, which is what the links provided here are about.

It's even the contrary: you cannot hide JS code; whatever obfuscation means you are using, it's very easy to see what it is doing.

But you can run JS code as a standalone app, i.e. without loading the code from the outside and using third parties to check that you have the correct one, because loading the code is the only issue about JS.

Assuming that JS devs are following good practices, if the code is sandboxed and you cannot access JS objects via other means (like DOM nodes), then there is no way you can hack into it.

And for sure JS cannot access anything on your computer outside of the browser's world (i.e. outside of what you have authorized it to access).

This is what I have tried to explain for this project here http://www.peersm.com (Distributed anonymous P2P based on Tor protocol inside browsers, so a js app)

Regards

Aymeric

On 14/04/2014 20:43, Roger Dingledine wrote:
On Mon, Apr 14, 2014 at 08:19:11PM +0200, Thomas Asta wrote:
Nils that is simply untrue. JS accesses the local machine where the browser
is.
On 14.04.2014 20:11, "Nils Kunze" <kunze.nils@xxxxxxxxx> wrote:

As these requests will be sent out via the tor network, this will not leak
your real ip but just the ip of your exit relay, which is known anyways.
Sorry, I suggest you all learn more about javascript and read the
links in question.

There aren't any known ways for JavaScript to learn the client's IP
address locally. Assuming there aren't further browser exploits of
course. And those exploits can be in any part of the browser, not
just JavaScript. Though historically a lot of vulnerabilities have been
in JavaScript.

The links in this thread point to external "what's my IP" sites that
you can ask the client to fetch -- but the fetch will go over Tor,
so it will tell you a Tor exit relay's IP address.

For more info on the Tor side, see
https://trac.torproject.org/projects/tor/ticket/9387
including the line in
https://blog.torproject.org/blog/tor-browser-36-beta-2-released
where we're experimenting with disabling some Javascript implementation
optimizations that have historically been the source of many
vulnerabilities.

and more broadly,
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

And yes, sandboxes and firewalls do seem like a great idea, for tolerating
implementation (and heck, protocol) flaws. I'm glad people are working
on making them both effective and usable. We need more people in the
world working on that.

--Roger


--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
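
An added illustration of the point in the message above about using third parties to check that a locally stored JS app is the correct code before running it; it is not part of the original post or of the Peersm project. It assumes that independent parties publish the SHA-256 digest of the release and that a quorum of distinct matching parties is required; the party names, sample source and quorum value are constructed.

```javascript
// Added example, not Peersm code. Assumption: independent parties publish the
// SHA-256 digest of the app release, and the local copy is run only when
// enough distinct parties agree with the digest computed locally.
const crypto = require('node:crypto');

function sha256Hex(source) {
  return crypto.createHash('sha256').update(source, 'utf8').digest('hex');
}

// Constant-time comparison of two hex digests; malformed input never matches.
function digestsEqual(aHex, bHex) {
  const isDigest = (s) => /^[0-9a-f]{64}$/i.test(s);
  if (!isDigest(aHex) || !isDigest(bHex)) return false;
  return crypto.timingSafeEqual(Buffer.from(aHex, 'hex'), Buffer.from(bHex, 'hex'));
}

// attestations: [{ party, digest }]. Parties are counted once each, so one
// source cannot reach the quorum by repeating itself, and a party that also
// published a non-matching digest is not counted as agreeing.
function verifyLocalCopy(source, attestations, quorum) {
  const local = sha256Hex(source);
  const agree = new Set();
  const disagree = new Set();
  for (const { party, digest } of attestations) {
    (digestsEqual(local, String(digest)) ? agree : disagree).add(party);
  }
  for (const party of disagree) agree.delete(party);
  return { ok: agree.size >= quorum, local, agree: [...agree], disagree: [...disagree] };
}

// Constructed sample data: a tiny "app", a modified copy, and three
// hypothetical parties, one of which publishes a digest that does not match.
const APP_SOURCE = 'function start() { return "app ready"; }\n';
const MODIFIED_SOURCE = APP_SOURCE + '/* changed after release */\n';
const ATTESTATIONS = [
  { party: 'party-a', digest: sha256Hex(APP_SOURCE) },
  { party: 'party-b', digest: sha256Hex(APP_SOURCE).toUpperCase() },
  { party: 'party-c', digest: '0'.repeat(64) },
];

for (const [name, src] of [['released', APP_SOURCE], ['modified', MODIFIED_SOURCE]]) {
  const r = verifyLocalCopy(src, ATTESTATIONS, 2);
  console.log(name, r.ok ? 'run' : 'refuse', 'agree:', r.agree, 'disagree:', r.disagree);
}
```

A single disagreeing party does not block the run as long as the quorum is met, but it is reported so the mismatch can be investigated.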