[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Request for feedback/victims: cfc



On Wed, Mar 23, 2016 at 2:15 AM, Yawning Angel <yawning@xxxxxxxxxxxxxxx> wrote:

> My "proof of concept" tech demo is what I consider good enough for
> use by brave people that aren't me, so I have put up an XPI package
> at: https://people.torproject.org/~yawning/volatile/cfc-20160323/

Very cool!

>  * If archive.is is evil, they can track you across page fetches
>    trivially, because this sort of use case is outside of Tor Browser's
>    current threat model (Yes, CloudFlare/Google can also do the same
>    thing currently, who do you trust more?).

Because CloudFlare presents its captcha page under the target site's
domain name, and the Google ReCAPTCHA iframe is embedded inside that,
Tor Browser is designed to prevent tracking across visits to different
CloudFlared sites. So in that sense the archive.is option allows more
tracking.

One possible solution could be for the extension to replace the HTML
content inside a desired content page (say,
https://imgur.com/some-page.html) with an iframe containing the
archive.is version. The iframe would then be embedded under the
desired first-party domain (e.g., imgur.com instead of archive.is) so
that the page requests and caching are isolated to imgur.com.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev