[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Privacy Badger



Garrett Robinson:
> On 8/28/15 7:01 PM, Mike Perry wrote:
> > sg.info@xxxxxxxxxxxxxxxxxxx:
> >> Hi guys and girls,
> >> are there security issues using the privacy badger from eff.org with the tor browser ? 
> >> Or: Is there are a need to use privacy badger or is this utility dispensable ?
> > 
> > The filters in use by Privacy Badger are fingerprintable - it is
> > possible for sites to determine that you have it installed.
> 
> Since Privacy Badger uses a learning heuristic based on the sites you
> visit, it actually might possible for it to leak information about your
> browsing history too.

Yikes! I didn't know this. This is especially bad, especially if Privacy
Badger has custom storage mechanisms for this that aren't cleared
regularly (which you touch on below). It may also result in browsing
history leaking to disk, which wouldn't normally happen in the default
Tor Browser.

I'm now actually curious if these types of filter addons aren't already
being exploited for these and related weaknesses/shortcomings.

If any academics are interested in a good publication (Gunes Acar - are
you listening? :), it would be *very* interesting to run a crawl to see
if any websites have begun to behave adversarially against addons like
Adblock, Privacy Badger, Ghostery, etc. After all, it is easy for sites
to determine if an adblocker has blocked an ad load, and then proceed to
load an ad from an alternate URL, domain name, or even another ad
network that may not be covered by the default filters.

This may not be likely for less popular addons such as Privacy Badger
yet, but for extremely popular adblockers such as AdBlock, I bet this
behavior is already happening somewhere in the wild right now.

> In general, does Tor Browser persist the state saved by extensions
> across restarts, or is that wiped along with the history and cookies and
> everything else?

Because of the current privilege level and capabilities of extensions
(basically the same as the browser C++ code), we cannot ensure that
extensions are well behaved in this way.

However, when the user clicks "New Identity" in the Torbutton menu, we
do emit "browser:purge-session-history", "last-pb-context-exited", and
clear all cookies (which emits another event that triggers various bits
of the browser to clear state, according to spec). We also manually
clear a bunch of related state in the browser:
https://www.torproject.org/projects/torbrowser/design/#new-identity

Firefox extensions are encouraged to obey these events to clear their
stored state, but this is only by convention[1]. Many do not do this.
In fact, a while ago we found issues with NoScript where it was storing
state in prefs that got written to disk, and were not reset by these
events.


As for session restarts, that is enforced only by preventing the browser
from storing disk records on a per-mechanism basis:
https://www.torproject.org/projects/torbrowser/design/#disk-avoidance

Again, because of their full privilege level and capabilities, addons
can store their own state however they wish. Custom/ad-hoc storage
mechanisms (such as using special preference names as value storage, or
writing raw data to files on disk) will not be covered by our changes.


I'm now curious about how Privacy Badger stores its state...


1. https://developer.mozilla.org/EN/docs/Supporting_per-window_private_browsing

-- 
Mike Perry

Attachment: signature.asc
Description: Digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk