
Re: A warning to proxy writers



Adam Langley writes:

> http://www.imperialviolet.org/browser-information.html

What are some means of reducing this problem?

* A tweaked JavaScript implementation that responds with different 
  information
* A JavaScript information that is more configurable (configuration is 
  bad, though)
* Disable JavaScript completely; or make JavaScript act like pop-up 
  window control does in Firefox: "This page tried to use JavaScript. 
  Click here to allow this..."
* ...

> Next, any embeds in the HTML can trigger plugins which have their own
> proxy settings. Realmedia objects will almost certainly start a
> connection to the given server, Flash I don't know about, but I would
> guess so. Flash objects can also be used to store cookies which aren't
> handled via Cookie headers nor the browser.
> 
> If the user doesn't have every protocol proxied then an image link to
> https:// or ftp:// etc could cause a non-Tor connection.

Ugg, yes. This reminds me that John Gilmore has been talking about a
firewall setup that automatically routes TCP circuits through the local
Tor client before they are allowed out of the machine. Getting this to
work cross-platform would be "fun" (write a firewall config for all
major platforms that somehow does not interfere with any other
pre-existing firewall configuration...). The upshot would be that you 
wouldn't have to configure *any* application to use Tor; it just would.


-- 
http://www.eff.org/about/staff/#chris_palmer
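
The leak vectors named in the quoted text (plugin embeds, and auto-fetched resources on schemes the proxy does not carry) can be flagged by a filtering proxy before the page reaches the browser. The following is an added example, not part of the original message or of any Tor code; `LeakScanner`, `scan`, the attribute sets, and the assumption that only `http` is proxied are all hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the local proxy only carries plain HTTP.
PROXIED_SCHEMES = {"http"}
# Elements that hand content to a plugin with its own network settings.
PLUGIN_TAGS = {"embed", "object", "applet"}
# Attributes the browser fetches without any user action.
FETCH_ATTRS = {"src", "data", "background", "codebase"}
# Schemes that never open a network connection.
NON_NETWORK = {"data", "about", "javascript"}

# Constructed sample page (not taken from the thread).
SAMPLE = """<html><body>
<img src="/logo.png">
<img src="https://tracker.example/pixel.gif">
<img src="ftp://files.example/banner.png">
<embed src="http://media.example/clip.rm" type="audio/x-pn-realaudio-plugin">
<object data="http://media.example/movie.swf"></object>
<a href="ftp://files.example/readme.txt">readme</a>
</body></html>"""


class LeakScanner(HTMLParser):
    """Collects (reason, tag, url) findings for one HTML document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in PLUGIN_TAGS:
            # Flag the plugin itself, whatever scheme its URL uses.
            self.findings.append(("plugin", tag, a.get("src") or a.get("data") or ""))
        for name, value in attrs:
            fetched = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if not (fetched and value):
                continue
            scheme = urlsplit(value.strip()).scheme.lower()
            # Relative and protocol-relative URLs inherit the page's scheme.
            if scheme and scheme not in PROXIED_SCHEMES | NON_NETWORK:
                self.findings.append(("unproxied-scheme", tag, value))


def scan(html):
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Ordinary `<a href>` links are left alone because they are not fetched until the user clicks; a stricter proxy could flag or rewrite those as well.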
