
Re: google gears



Thus spake M (moeedsalam@xxxxxxxxx):

> If one is running a WordPress blog using Tor, will installing Google
> Gears in order to speed up the process compromise anonymity in any way?
> Will it bypass the proxy settings or anything?

Google Gears has not been fully audited for anonymity, so we don't yet
know the specific answer to this, but the outlook isn't good. Gears
components can store arbitrary data from websites, and the current
Gears implementation does NOT obey "private browsing mode" in either
Firefox or Chrome to conceal gears data. Gears data is also not
cleared when you "clear private data" in either browser.

I believe it does use Firefox's network stack, so proxy settings
should most likely be obeyed.

However, it is possible it can phone home to update its component
cache or to ping your gears websites at any time, regardless of your
current Tor mode.

It is also likely that Gears data can be transferred over http as
opposed to https, which would mean that any exit node can spoof Google
Gears URLs and probe your installation for Gears data, which may
include authentication information or unique identifiers.

Risky business. I would recommend against it unless you're prepared to
audit it with Wireshark first. If you do, please report back!

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

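An added example, not part of the original message and not code from Gears or Tor: one way to run the audit suggested above over connection records exported from a capture taken while the browser is in Tor mode. The record format, the local proxy ports (9050 for Tor SOCKS, 8118 for an HTTP proxy such as Privoxy) and the sample addresses are assumptions; it flags connections that bypass the local proxy, DNS queries sent outside Tor, and plain-http fetches that an exit node could read or spoof.

```python
import ipaddress

# Assumed local proxy listeners: Tor SOCKS (9050) and an HTTP proxy such as Privoxy (8118).
LOCAL_PROXY_PORTS = {9050, 8118}

# Constructed sample, one record per connection: proto,dst_ip,dst_port,first_request_line
# Addresses are from documentation ranges; host names are placeholders.
SAMPLE = """\
tcp,127.0.0.1,8118,CONNECT blog.example.org:443 HTTP/1.1
tcp,127.0.0.1,8118,GET http://gears.example.com/manifest.json HTTP/1.1
tcp,198.51.100.7,9001,
udp,192.0.2.53,53,
tcp,203.0.113.20,80,GET /update HTTP/1.1
tcp,203.0.113.21,443,
"""

def audit(capture_text, tor_relays=frozenset()):
    """Return (record, finding) pairs for connections that weaken anonymity.

    tor_relays holds (ip, port) pairs the Tor client itself connects to,
    so its own relay traffic is not reported as a bypass.
    """
    findings = []
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        proto, dst, port, request = line.split(",", 3)
        port = int(port)
        if ipaddress.ip_address(dst).is_loopback and port in LOCAL_PROXY_PORTS:
            # Proxied, but a plain-http fetch is still readable at the exit node.
            if request.startswith(("GET http://", "POST http://")):
                findings.append((line, "cleartext-via-tor"))
            continue
        if (dst, port) in tor_relays:
            continue  # the Tor client's own connection to its entry relay
        # Anything else left the machine without going through the proxy.
        findings.append((line, "dns-leak" if port == 53 else "proxy-bypass"))
    return findings

if __name__ == "__main__":
    for record, finding in audit(SAMPLE, {("198.51.100.7", 9001)}):
        print(f"{finding:18} {record}")
```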