[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Firefox through Tor

Thus spake eric.jung@xxxxxxxxx (eric.jung@xxxxxxxxx):

> >Unique
> >identifiers can be handed to the ad sites that will associate the
> >torrified email account access with the non-torrified ad server
> >access.
> True, but I don't see how this is a result of FoxyProxy. IOW, doesn't
> this problem exist when using Tor exclusively without FoxyProxy?
> >Does XPCOM allow you to solve this problem somehow?
> I'm not sure I fully understand the problem yet (please elaborate),

So the problem is that a motivated adversary can subpoena or simply
ask DoubleClick to hand over their IP/cookie logs. If you are using
Tor for /everything/, then what they get from DoubleClick for that
email address is just a Tor IP, no harm no foul. However, if the user
had set up a filter that only sends *yahoo.com through Tor, then
DoubleClick will have their /real IP/ on file in association with
whatever unique ID yahoo passed for that email address, even though
yahoo's records show only the Tor IP.

See the problem?

> but if you're asking whether XPCOM allows one to use a proxy on/off
> based on a page and all its components (images, css files, js files), the
> answer is yes.

Yes, excellent. That is the property that is needed. If you use that
level of control, you are fine.

Incidentally, the problem above can happen with ftp://, gopher:// and
whatever other protocol the browser might accept, so make sure you are
updating all proxy settings for each page.

Mike Perry
Mad Computer Scientist
fscked.org evil labs