
Re: [tor-talk] New HTTP authorization attack



Thus spake tor@xxxxxxxxxxxxxxxxxx (tor@xxxxxxxxxxxxxxxxxx):

> > For the general TBB solution, see:
> > https://trac.torproject.org/projects/tor/ticket/3508
> > 
> > It is in 1.4.0.
> 
> Neat. I was unaware of the SafeCache addon.
> 
> > As I said in the blog posts, I intend to isolate all browser state to
> > urlbar domain, and/or disable whatever features aren't amenable to
> > this. So far this means that 3rd party cookies must be disabled and DOM
> > storage must be disabled. 
> > 
> > HTTP auth can be isolated similarly to cache. See: 
> > https://trac.torproject.org/projects/tor/ticket/3748
> 
> Would be great if you achieved that.

Depending on how things go, we may or may not isolate HTTP auth to a
urlbar domain in Torbutton 1.4.1, but it is also on the roadmap for
TBB 2.2.x-stable:
https://trac.torproject.org/projects/tor/ticket/3748

> > SSL certificates are not isolated. They might never be. The SSL stack
> > is a nightmare.
> 
> That's a shame. I'm seeing more and more sites enabling https.

Yes, but I don't think the tracking potential is as high there as it
is for explicit identifiers, except where they can trick the user into
installing a client certificate.

If the adversary does trick the user into installing weird certificates,
these are only stored in memory in TBB, and will be gone after a
browser restart.

So it is not as bad as cache, cookies, DOM storage, and auth.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk