Thus spake tor@xxxxxxxxxxxxxxxxxx (tor@xxxxxxxxxxxxxxxxxx):

> > For the general TBB solution, see:
> > https://trac.torproject.org/projects/tor/ticket/3508
> >
> > It is in 1.4.0.
>
> Neat. I was unaware of the SafeCache addon.
>
> > As I said in the blog posts, I intend to isolate all browser state to
> > urlbar domain, and/or disable whatever features aren't amenable to
> > this. So far this means that 3rd party cookies must be disabled and DOM
> > storage must be disabled.
> >
> > HTTP auth can be isolated similarly to cache. See:
> > https://trac.torproject.org/projects/tor/ticket/3748
>
> Would be great if you achieved that.

Depending on how things go, we may or may not isolate HTTP auth to a
urlbar domain in Torbutton 1.4.1, but it is also on the roadmap for TBB
2.2.x-stable:
https://trac.torproject.org/projects/tor/ticket/3748

> > SSL certificates are not isolated. They might never be. The SSL stack
> > is a nightmare.
>
> That's a shame. I'm seeing more and more sites enabling https.

Yes, but I don't think the tracking potential is as high there as it is
for explicit identifiers, except where they can trick the user into
installing a client certificate.

If the adversary does trick the user to install weird certificates,
these are only stored in memory in TBB, and will be gone after a browser
restart. So it is not as bad as cache, cookies, DOM storage, and auth.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk