[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] browser fingerprinting



On Mon, Apr 14, 2014 at 08:19:11PM +0200, Thomas Asta wrote:
> Nils that ia simply untrue. JS accesses the local machine where the briwser
> is.
> Am 14.04.2014 20:11 schrieb "Nils Kunze" <kunze.nils@xxxxxxxxx>:
> 
> > As these requests will be sent out via the tor network, this will not leak
> > your real ip but just the ip of your exit relay, which is known anyways.

Sorry, I suggest you all learn more about javascript and read the
links in question.

There aren't any known ways for JavaScript to learn the client's IP
address locally. Assuming there aren't further browser exploits of
course. And those exploits can be in any part of the browser, not
just JavaScript. Though historically a lot of vulnerabilities have been
in JavaScript.

The links in this thread point to external "what's my IP" sites that
you can ask the client to fetch -- but the fetch will go over Tor,
so it will tell you a Tor exit relay's IP address.

For more info on the Tor side, see
https://trac.torproject.org/projects/tor/ticket/9387
including the line in
https://blog.torproject.org/blog/tor-browser-36-beta-2-released
where we're experimenting with disabling some Javascript implementation
optimizations that have historically been the source of many
vulnerabilities.

and more broadly,
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

And yes, sandboxes and firewalls do seem like a great idea, for tolerating
implementation (and heck, protocol) flaws. I'm glad people are working
on making them both effective and usable. We need more people in the
world working on that.

--Roger

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk