[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Google's Chrome Web Browser and Tor

To: or-talk@xxxxxxxxxxxxx, "Nick Mathewson" <nickm@xxxxxxxxxxxxx>
Subject: Re: Google's Chrome Web Browser and Tor
From: "Jonathan Addington" <madjon@xxxxxxxxx>
Date: Fri, 5 Sep 2008 10:16:52 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Fri, 05 Sep 2008 11:16:59 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=dZIfQn5UMRHcYBWCxAWInx5Yn4PP78KQpfKI47uxT94=; b=pogojhGKFE0NXRzrAGsoRKUStoPKQ+10NhFnwwXKjowpNY7fhm+r39Dc7/KpMHKy/C PS32oZop7XCTx//llVEPU5Yr/92JcWWQhQmYz954rCxY/qJ0V3KigwiQ17qAY4XV8NPy Ak8+nnZo4e7Kz8nQcrk8TDOUF6HS56YdRPbxs=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=rNRJxdTkq6XvumLk8tH66LWaMqgNzAwVxUdxTKSNQOhuCIaoPwtWSkOxkOLt63og1Y qIOuyR/ojDXck8uQocI2rFTF2h4e5kqe+COayKF25JdoGe3WyF6H3IM7hcz9ry+Cp/HZ kC5EN02MMI50f4y2VjcANonOJqrpdg/AfZ9rY=
In-reply-to: <20080905150839.GL8901@xxxxxxxxxxxxxx>
References: <21f144250809041520v7d67cc3fu1baec2f490600f79@xxxxxxxxxxxxxx> <20080905150839.GL8901@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On Fri, Sep 5, 2008 at 10:08 AM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
>
> On Thu, Sep 04, 2008 at 03:20:34PM -0700, Kyle Williams wrote:
> > Hi all,
> >
> > I've been playing around with Google's new web browser and Tor.  I thought
> > it might be good to share my findings with everyone.
> > After reading Google's privacy policy[1], I for one would not want to use
> > this on a regular basis, if at all.
> >
> > The first bug I tried was an old one I found with Firefox; the NEWS:// URI
> > type.
> > Any link that has a NEWS:// URI will launch Outlook Express and attempt to
> > contact the server in the URL...without using Tor.
> >
> > The second bug I found resulted in local file/folder disclosure.
> > This is very similar to the one I found in Internet Explorer.
> >
> > The third bug I found was with MIME-TYPEs, specifically Windows Media Player
> > supported formats.
> > The BANNER tag can also leak your IP address when the playlist is loaded
> > *IF* WMP is not set to use a proxy.
> > Also, a playlist in WMP can specify protocols that use UDP, hence, no proxy
> > support...no Tor.
> >
> >
> > On the flip-side, it is very cool how each browser tab is it's own process,
> > making several types of attacks much more difficult.
> > However, with an invasive privacy policy, local proxy bypassing, and local
> > files/folders able to be read from your hard drive, I've decided not to use
> > this browser.
> >
> > It just doesn't feel privacy/anonymity friendly to me.
> > Anyone else want to chime in on this?
>
> I dig what I've heard of the Chrome architecture, but it seems clear
> that, like every other consumer browser, it's not suitable for
> anonymous browsing out-of-the-box.  The real question will be how easy
> it is to adapt it to be safe.  Torbutton, for instance, has proven to
> take some pretty extreme hackery to try to shut down all of Firefox's
> interesting leaks.  If it turned out to be (say) an order of magnitude
> easier to extend Chrome to be anonymity-friendly, that would be pretty
> awesome.  We'll see, I guess.
>
> Has anybody looked into Chrome's extension mechanisms?  It would be
> neat to know how hard it would be to address the information leaks
> addressed in, say, https://www.torproject.org/torbutton/design/ .

Is there a particular reason Torbutton or the like isn't just hard
coded into Firefox? Or any reason not to for Chrome?

> yrs,
> --
> Nick
>
>



--
madjon@xxxxxxxxx

Calendar (usually up to date):
http://www.google.com/calendar/embed?src=madjon%40gmail.com&ctz=America/Chicago&pvttk=715ccc706e1e426d956ad8d6f7f9b16a

Follow-Ups:
- Re: Google's Chrome Web Browser and Tor
  - From: Anil Gulecha

References:
- Google's Chrome Web Browser and Tor
  - From: Kyle Williams
- Re: Google's Chrome Web Browser and Tor
  - From: Nick Mathewson

Prev by Author: Re: way too many msgs on this topic
Next by Author: Re: Google's Chrome Web Browser and Tor
Previous by thread: Re: Google's Chrome Web Browser and Tor
Next by thread: Re: Google's Chrome Web Browser and Tor
Index(es):
- Author
- Thread