Re: Access from a local file
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Access from a local file
- From: Martin Fick <mogulguy@xxxxxxxxx>
- Date: Wed, 17 Feb 2010 11:18:03 -0800 (PST)
--- On Wed, 2/17/10, Jon Cosby <jon@xxxxxxxxxx> wrote:
> I'm referring to links from file:// urls. By default,
> Torbutton blocks this, and has it "recommended."
Ah, you mean the file protocol. Firefox itself tends to have this disabled by default also. One of the reasons is to prevent malicious users from including file:// urls in an external webpage. With file:// urls, a webpage could be designed to test for the existence of local files on your computer. From an anonymity standpoint, if I can run a test that verifies the existence of a specific file on your computer, one that I can prove only you would have on your computer, then I might be able to prove that you loaded my webpage.
I suspect there are also ways to potentially execute some local code on your computer by accessing local files (depending on the OS, this might be harder or easier to achieve). If that's the case, perhaps depending on the program, by executing it locally, I might be able to detect this remotely. Maybe the program does something as simple as a DNS lookup that I can sniff and then correlate to you...
And, finally, just because a file is accessed via a file:// url does not mean it is actually accessing a file locally. It is accessing a file via your local file system namespace, but this might be on a remotely mounted drive/share making the remote server able to detect/prove this access, once again, exposing your access of a webpage by at least the owner of the remote server/share.
I suspect that there are many more attacks based on this, and that I have only touched the tip of the iceberg... Hope that helps,
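The third point in the message above (a file:// URL can resolve to a remotely mounted drive or share, so the remote server sees the access) can be checked from the defender's side. The following is an added example, not part of the original message: it classifies a file:// URL as local or remote using a mount table in Linux /proc/mounts format. The sample table, host names and function names are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Filesystem types that are served by another host (assumed list, not exhaustive).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "smbfs", "afs", "9p", "ceph",
              "glusterfs", "fuse.sshfs", "davfs"}

# Constructed sample in /proc/mounts format: device, mount point, fs type, options...
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home/alice/shared nfs4 rw,relatime 0 0
//nas/media /mnt/media cifs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
"""

def parse_mounts(text):
    """Return (mount_point, fs_type, device) tuples from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts escapes spaces in paths as \040
            mounts.append((fields[1].replace("\\040", " "), fields[2], fields[0]))
    return mounts

def classify_file_url(url, mounts):
    """Return ('remote', server) if opening url contacts another host, else ('local', None)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        raise ValueError("not a file: URL")
    host = parts.hostname
    if host and host != "localhost":
        return ("remote", host)  # file://host/share/... names a remote host directly
    # Collapse ../ segments before matching; symlinks are NOT resolved here.
    path = posixpath.normpath(unquote(parts.path))
    best = None
    for mount_point, fs_type, device in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            # The longest matching mount point is the filesystem that serves the path.
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, fs_type, device)
    if best and best[1] in NETWORK_FS:
        return ("remote", best[2])
    return ("local", None)
```

On a live Linux system the mount table can be read from /proc/mounts and passed to `parse_mounts`; a path that reaches a network mount only through a symlink is reported as local by this sketch.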