[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
From: Aymeric Vitte <vitteaymeric@xxxxxxxxx>
Date: Fri, 20 Jun 2014 11:22:58 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 20 Jun 2014 05:27:45 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=7RfYPzua7bjxXrRzb1CA7rR+2hEdbamfK3L+Fx32QPg=; b=RjI9D6fIDY02oLKwUIa0yONHBKkKkpVrsPHOrrcWY3J4lbWPg7S2djiS4rvMLDn0yS eFkVAOM23UxfKiTnl0+i5uQUZJFg090ANTtpC8mEW9PomcWaR+vYhoyjHmiYMDdyyNRp FiJpLbJyvpVEdPwoFsjJA5/wpNnHWoHmaKlck5E1qyvfkAbcnPrrL6Ky+Kv13fLkDqoO HjGVTyft9p7pptqr0jk6YZ/INdOdgqi1M0z9LfjHjqHJzK40Y869d9+jOOq3H5m9DTSG bTDnQ60pZtBP4WMQVlFrsP2IN2OS3ouuRrpnn1ZEQkJMcNXpGI4jmn+Srv5T1x0MqlSu 8xFA==
In-reply-to: <53A3F457.6020309@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <53A30C94.1080506@xxxxxxx> <53A33139.7050405@xxxxxxxxxxxxxx> <53A3634D.4010101@xxxxxxxxx> <53A3F457.6020309@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.3; rv:24.0) Gecko/20100101 Thunderbird/24.6.0


Le 20/06/2014 10:44, Georg Koppen a écrit :

Aymeric Vitte:

That's really strange, why don't you just disable it like cookies,
indexedDB, etc?

Cookies are not disabled in Tor Browser (only third party cookies). And,
oh, there is this fun bug in Firefox:

https://bugzilla.mozilla.org/show_bug.cgi?id=536509

http://scarybeastsecurity.blogspot.com/2009/12/bypassing-intent-of-blocking-third.html

Georg

So the logic is: we accept non third party cookies, therefore we acceptlocalStorage and we suppose localStorage is disabled for third parties.

The problem is that if you block all cookies (like a Tor user should bedoing visiting sites like yt), the localStorage remains available andbypasses cookies blocking, if you take yt, you can see things floatingin localStorage like yt-remote-device-id {id, creation_date,expire=creation_date+1 year}, even if ephemeral (from your design) itpersists until you close your browser

And what's the point of allowing localStorage if you allow non thirdparty cookies?

There are bugs and unclear behavior of what happens in the main page orin iframes, that's usual, everybody knows thhis, unclear behaviorbetween different options settings, and unclear behavior of blockingoptions when they exist.

Your examples are the perfect illustration of this, I think at least theusers should be clearly aware of the risks and have the option to blockeverything.

As I mentioned previously any type of local storage is much moredangerous than the usual cookie-like uses, even if we should disregardthe cases where you are hacking yourself, we can not ignore the factthat your local storage can be easily accessed by someone else if yougive him a chance

I am waiting to read your design document but from my standpoint in theframe of the Tor Browser it should be clearly blocked.


--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
  - From: Georg Koppen

References:
- [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
  - From: Joe Btfsplk
- Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
  - From: Georg Koppen
- Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
  - From: Aymeric Vitte
- Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
  - From: Georg Koppen

Prev by Author: Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
Next by Author: Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
Previous by thread: Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
Next by thread: Re: [tor-talk] Should DOM storage really be enabled by default in TorBrowser?
Index(es):
- Author
- Thread