
[tor-talk] New HTTP authorization attack



JonDos claims that they have uncovered a new attack on web browsers:

"The JonDoFox research team has uncovered a new attack on web 
browsers: Affected are the web browsers Firefox, Chrome and Safari. 
By a hidden call over of a URL with HTTP authentication data, third 
party sites could track a user over several web sites, even if the 
user blocks all cookies and other tracking procedures. For doing 
this, it is sufficient to include a simple CSS file:
<link rel="stylesheet" type="text/css"
href="http://Session:638431048@xxxxxxxxxxxx/auth.css.php">

You will find a demonstration of this technique on the web site
ip-check.info.

JonDoFox now contains an integrated protection against this attack. 
Third party sites may now no longer receive HTTP authentication 
data from the browser"

Here's the info on their blog:
http://anonymous-proxy-servers.net/blog/index.php?/archives/299-JonDoFox-2.5.3-Provides-protection-against-new-HTTP-authorization-attack.html&user_language=en


They added this "Authentication" feature to their anonymity test at
http://ip-check.info. Of course it shows red (danger) for Tor Browser
Bundle. Is it a true danger, or is it just a part of their advertising
campaign?


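The protection quoted above (third-party sites no longer receive HTTP authentication data) can be illustrated as a page-audit check that finds cross-site subresource URLs carrying userinfo and shows them with the credentials stripped. This is an added example, not part of the original post and not JonDoFox's code; the hosts tracker.example and news.example, the function names, and the two-label same-site heuristic are assumptions.

```javascript
// Added example: flag cross-site subresource URLs that embed HTTP auth userinfo.
// The sample markup is constructed; tracker.example / news.example are placeholders.

const SUBRESOURCE_ATTR =
  /<(link|script|img|iframe)\b[^>]*?\b(?:href|src)\s*=\s*["']([^"']+)["']/gi;

// Crude same-site test for this example: compare the last two host labels.
// A production check would consult the Public Suffix List instead.
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns one finding per third-party subresource whose URL carries credentials,
// including the URL as it should be requested (userinfo removed).
function findCredentialedThirdParty(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [, tag, raw] of html.matchAll(SUBRESOURCE_ATTR)) {
    let url;
    try {
      url = new URL(raw, page); // also resolves relative references
    } catch {
      continue; // unparsable reference, nothing would be fetched
    }
    if (!/^https?:$/.test(url.protocol)) continue;
    const hasUserinfo = url.username !== "" || url.password !== "";
    const thirdParty = siteOf(url.hostname) !== siteOf(page.hostname);
    if (hasUserinfo && thirdParty) {
      const identifier = `${url.username}:${url.password}`;
      url.username = "";
      url.password = "";
      findings.push({ tag: tag.toLowerCase(), host: url.hostname, identifier, stripped: url.href });
    }
  }
  return findings;
}

// Constructed page: one cross-site credentialed stylesheet, one same-site
// credentialed image, and two ordinary references.
const SAMPLE_HTML = `
<link rel="stylesheet" type="text/css" href="http://Session:638431048@tracker.example/auth.css.php">
<link rel="stylesheet" href="/site.css">
<img src="http://user:pw@static.news.example/logo.png">
<script src="https://cdn.example/lib.js"></script>`;

const SAMPLE_FINDINGS = findCredentialedThirdParty(SAMPLE_HTML, "http://www.news.example/article");
console.log(SAMPLE_FINDINGS);
```

Only the cross-site stylesheet is reported; the same-site image with credentials is left alone because the concern in the quoted text is data sent to third parties.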