[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] New HTTP authorization attack



Thus spake tor@xxxxxxxxxxxxxxxxxx (tor@xxxxxxxxxxxxxxxxxx):

> On 22/08/11 20:08, stringer@xxxxxxxxxxx wrote:
> 
> > "The JonDoFox research team has uncovered a new attack on web 
> > browsers: Affected are the web browsers Firefox, Chrome and Safari. 
> > By a hidden call over of a URL with HTTP authentication data, third 
> > party sites could track a user over several web sites, even if the 
> > user blocks all cookies and other tracking procedures. For doing 
> > this, it is sufficient to include a simple CSS file:
> > <link rel="stylesheet" type="text/css" 
> > "http://Session:638431048@xxxxxxxxxxxx/auth.css.php";>
> 
> FWIW, there are many ways to track a browser cross-site and across
> restarts, even if you have javascript and cookies and flash cookies
> disabled. I recently blogged about a bunch of them which abuse the
> browser cache here:
> 
> https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache

None of this is news.

FYI, Torbutton traditionally handled both HTTP auth and cache through
the toggle feature. I've since realized that the toggle model was
broken, and we've been trying to supplant it in the 2.2.x Tor Browser
Bundles:

https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton
https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

Our first defense for TBB users is the "New Identity" feature, which
will appear in 1.4.1 of Torbutton*:
https://trac.torproject.org/projects/tor/ticket/523

Depending on how things go, we may or may not isolate HTTP auth to a
urlbar domain in Torbutton 1.4.1, but it is also on the roadmap for TBB
2.2.x-stable:
https://trac.torproject.org/projects/tor/ticket/3748


* "New Identity" will only work on Tor Browser Bundles.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpTBQmi2YFvA.pgp
Description: PGP signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk