[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Firefox privacy and Tor Browser
On Sat, Mar 27, 2010 at 12:17 PM, Al MailingList
> Google's safe browsing is just an HTTP request, so I would assume when
> tor is correctly configured it would not be in the clear.
It would be clearly visible to Tor exit nodes, and the "signature" of
such traffic would be clear to a local observer (I elaborate further
> Reference 5 seems to have his tin foil hat on a little tight.
Probably a Tor user. ; )
> I'm not
> quite sure what he's saying, but the google safe browsing updates
> don't send the sites you're visiting, it simple retrieves the list of
> bad sites (more specifically a diff of the bad sites list since your
> last update). So all they can do is track that a particular user is
> updating the local black list periodically.
That's correct, but with each of those requests to update your
browser's blacklist, is sent uniquely identifying information
(including "machineid" and "userid"). This information does not change
over time, and cannot be prevented from being sent -- even in Private
Browsing mode -- unless you unsubscribe from this service in the
preferences. In effect, your browser is periodically phoning home to
Google with a uniquely identifying key that -- and this is the issue
that I think Tor developers should consider closely: -- does not
change across browsing sessions.
To illustrate why I think this is something that concerns Tor, allow
me to elaborate. There has been some discussion regarding identifying
Tor users based on correlating "signatures" of traffic observed
locally versus at exit nodes. Instead of watching website traffic, an
attacker could instead watch intermittent noise. Things like a
specific combination of RSS bookmark auto-updates, or... periodic
blacklist updates. The Google Safe Browsing update traffic occurs in
bursts and periodically, and will therefore have a very unique
signature. Furthermore, the uniquely identifying key sent to Google
unencrypted each time would allow an attacker to cross-reference exit
node traffic and identify a user across sessions.
It may seem far-fetched, but I don't think it's inappropriate to
consider these possibilities.