
Re: A warning to proxy writers

On 4/21/05, Chris Palmer <chris@xxxxxxx> wrote:
> Adam Langley writes:
> What are some means of reducing this problem?
> * A tweaked JavaScript implementation that responds with different
>   information

Good but very difficult. Maybe possible with Firefox plugins, but I've
no knowledge of that. Getting it to work with IE, I would expect, is
more difficult still.

> * A JavaScript information that is more configurable (configuration is
>   bad, though)
> * Disable JavaScript completely; or make JavaScript act like pop-up
>   window control does in Firefox: "This page tried to use JavaScript.
>   Click here to allow this..."

Again, difficult to do for each browser. It would be possible for the
proxy to strip all JavaScript, but that would break many webpages,
thus reducing the utility of Tor, thus reducing the number of users
... etc.

Of course, this information can only be used if it can get back to the
server. But there are many vectors for that of which XMLHTTPRequest is
just the most obvious. Links in the webpage could be rewritten,
special images fetched etc.

I would consider that such information leakage is unavoidable lest the
proxy break many webpages. It's something that we may have to live
with. (But leaking the user's IP via ftp:// links is not something
that we need accept.)

> Ugg, yes. This reminds me that John Gilmore has been talking about a
> firewall setup that automatically routes TCP circuits through the local
> Tor client before they are allowed out of the machine. Getting this to
> work cross-platform would be "fun" (write a firewall config for all
> major platforms that somehow does not interfere with any other
> pre-existing firewall configuration...). The upshot would be that you
> wouldn't have to configure *any* application to use Tor; it just would.

Certainly an interesting idea. Maybe time to break out the iptables.


Adam Langley                                      agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60
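Added example, not code from this thread or from Tor or any proxy project: a minimal proxy-side HTML rewriter for the two leak classes discussed above. It neutralises ftp:// references (the avoidable leak, since a browser may fetch those directly rather than through an HTTP proxy) and only counts script elements instead of stripping them, since stripping would break pages. The sample page, the `about:blank` replacement and the function names are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser


class FtpLinkFilter(HTMLParser):
    """Re-emit HTML with ftp: href/src values replaced; record what was seen."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.out = []          # rewritten fragments, joined at the end
        self.ftp_refs = []     # original ftp: URLs found (for logging)
        self.script_count = 0  # scripts are reported, not removed

    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if value is None:                      # bare attribute, e.g. <input disabled>
                parts.append(f" {name}")
                continue
            if name in ("href", "src") and value.strip().lower().startswith("ftp:"):
                self.ftp_refs.append(value)
                value = "about:blank"              # dead link instead of a direct FTP fetch
            parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_count += 1
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def filter_page(html):
    """Return (rewritten_html, ftp_urls_found, script_count)."""
    f = FtpLinkFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.ftp_refs, f.script_count


# Constructed sample page: one ftp link, one http link, one FTP image, one script.
SAMPLE = ('<html><body><a href="ftp://files.example/pub/x.tgz">dl</a>'
          '<a href="http://example/">ok</a><img src="FTP://files.example/a.gif">'
          '<script>document.write(navigator.userAgent)</script></body></html>')

if __name__ == "__main__":
    page, refs, n = filter_page(SAMPLE)
    print(page)
    print("ftp refs rewritten:", refs, "scripts seen:", n)
```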