[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor on OS X, local security questions

Hi list, I was advised to ask questions here.

I have some questions about Tor and hope someone can find the time to answer them, most of these questions pertain to recent versions of the Tor Browser Bundle on OS X.

Question 1: Tor Browser (Firefox) cache/cookies/sqllite databases/site preferences/other FF stuff etc

Where is Tor Browser (Firefox) writing its web cache and cookies to etc. on OS X ?

This is important information, but is not explained anywhere on the Tor website.

This question first concerned me about a month back, but as I understand it now, TBB actually runs in FF Private Browsing mode, so nothing is written to disk at /Applications/Tor Browser_en-US/Library/Application Support/Firefox/Profiles/profile/

or /User/Preferences/ or /User/Application Support/ etc etc

Is this correct ?

Iâm assuming that there isnât other data stored all over the computer that pertains to Tor itself. I seem to remember a few years back Tor put data in somewhere like /var or /private and so on.

Also what about system cache folders like /Users/User/Library/Cache and /Library/Cache/ ?? Is any of the browsing session being left there ?

Question 2:  Question/Comment 3: video/audio content accessed via Tor Browser (HTML5 movies etc.)

I know plug ins are disabled but...

Can HTML 5 video contain embedded URLS/scripts etc ?  Could things like HTML5 video be maliciously crafted to reveal a client machine ? I read recently there was problem with leaks with an Android Tor implementation with HTML5 video.

Also HTML 5 on youtube seemed to load remarkably quickly over a slow connection with Tor Browser. Are we sure HTML 5 video is not bypassing Tor to stream ? (I need to test this myself with tcpdump)

Question 3: TBB accessing instead of requested page

Tor bug or attack ? In an older version of TBB from this year, a couple of times I was trying to reach a website but got instead. (This *hasn't* happened with the latest version)

But this previous version of Tor Browser I was using (downloaded around 6 months ago I think), occasionally connected to localhost on my machine, i.e: would (very occasionally) come up in the address bar when I requested a remote URL in Tor Browser.

This happened to load a generic local page from the web server on my machine (as I have Apache running).

I have no idea how this happened, but it concerned me a lot, and I wondered if this could be an attack to reveal a running web server on the client machine.

Do you have any information about this ? Was this is an old bug in Tor ?

Question 4: Tor Browser becoming focused.

Tor Browser on OS X, suddenly jumps to the front of other applications if it is in the background. At first I thought this might be to do with some auto refresh of an element on an HTML page, but it isnât. Tor Browser does this routinely even when in offline mode. I guess this needs filing on the bug tracker. I haven't really got a question about this, other than why does it do it ? It is a bug.

Question 5: OS X Thumbnails.

I have searched for an answer to this on Apple-related websites, but haven't found an answer yet. Perhaps someone here knows: 

OS X generates thumbnails for saved web pages automatically. It also generates thumbnails for PDFs (and all documents it can).

The question is, how is OS X rendering these thumbnails ? Can/does it pull information FROM the web to generate a thumbnail of a webpage or PDF (if it contains URLS, images or other embedded content from net) you save ? This could be a huge security hole as it would bypass TBB immediately.

I hope this gets answered!

Question 6:

HTML5 Canvas

Using the latest TBB for OS X, a message appeared while surfing about a site requesting HTML CANVAS information. Canvas can be used to fingerprint a computer as I understand it. But as I went to click the option saying âaccept for this siteâ assuming a pop-down menu would appear to present an option âblock for this siteâ or ânever allowâ the message vanished, i.e it gave the go ahead for the Canvas information to be sent. Not good.

I realized afterwards that there is a tiny arrow youâre supposed to click on to get those options, but itâs rather fiddly and smacks of really poor interface design for the particular purpose intended. This interface element from Firefox should be changed with Tor:

HTML Canvas should be defaulted to off and the default pop-up should be âblockâ. This is another bug.

Also if you click Yes by accident does Tor send generic information ?

Question 7:

I read on the Tor blog, that local fonts 'can't be used to fingerprint a client' so we 'don't need to worry about this anymore' (or words to that effect). There was no qualification or explanation given about this statement. How do we know a list of loaded fonts can't be used to fingerprint a machine ? Seems likely they can.

Thanks Gary
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to