
Re: Torbutton Documentation - Adversary Capabilities.

Thus spake Matthew (pumpkin@xxxxxxxxx):

>  So to go back to the OP's question (my question)....what do people think 
> of my questions about JavaScript being able to obtain non-Tor IPs when 
> wiping the cache?

If you are also restarting the browser, or closing all windows, you
are probably safe from most direct JavaScript attack vectors. The main
danger is in leaving pages open after changing proxy settings. Then
direct unmasking is possible. Identifiers can be stored in the page
JavaScript itself.

However, JavaScript still has quite a bit of ability to fingerprint you
based on your desktop resolution, user agent, timezone, and many other
things. Torbutton does a good job of blocking a lot of the
fingerprintable attributes, which makes it hard to correlate your
non-tor browser fingerprint to your tor browser fingerprint. More work
still needs to be done here, but we do handle quite a bit of the major
fingerprinting sources.

See also: https://wiki.mozilla.org/Fingerprinting

Mike Perry
Mad Computer Scientist
fscked.org evil labs
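
Added example, not part of the original message and not Torbutton code: a self-check that compares two snapshots of the attributes named above (desktop resolution, user agent, timezone) and reports which ones would let a site correlate a non-Tor session with a Tor session. The function names and every sample value are constructed for illustration; the "masked" values are assumptions, not what Torbutton actually reports.

```javascript
// Build a snapshot from a browser-like environment object. In a page:
//   snapshot({ screen, navigator,
//              timezoneOffset: new Date().getTimezoneOffset() })
function snapshot(env) {
  const scr = env.screen;
  return {
    resolution: scr ? `${scr.width}x${scr.height}` : null,
    userAgent: env.navigator ? env.navigator.userAgent : null,
    timezoneOffset:
      typeof env.timezoneOffset === "number" ? env.timezoneOffset : null,
  };
}

// Attributes whose values are identical in both snapshots, sorted by name.
// An attribute that is unavailable (null) cannot link the two sessions.
function linkingAttributes(a, b) {
  return Object.keys(a)
    .filter((k) => a[k] !== null && a[k] === b[k])
    .sort();
}

// Constructed sample: the normal, non-Tor browsing profile.
const plainEnv = {
  screen: { width: 1920, height: 1080 },
  navigator: { userAgent: "ExampleBrowser/1.0 (X11; Linux x86_64)" },
  timezoneOffset: -60,
};
const plain = snapshot(plainEnv);

// Same browser through Tor with nothing masked: every attribute carries over.
const torUnmasked = snapshot(plainEnv);

// Constructed sample: Tor session with all three attributes masked.
const torMasked = snapshot({
  screen: { width: 1000, height: 800 },
  navigator: { userAgent: "GenericBrowser/1.0" },
  timezoneOffset: 0,
});

// Constructed sample: only the user agent is masked.
const torUaOnly = snapshot({ ...plainEnv,
  navigator: { userAgent: "GenericBrowser/1.0" } });

console.log("unmasked:", linkingAttributes(plain, torUnmasked));
console.log("masked:  ", linkingAttributes(plain, torMasked));
console.log("UA only: ", linkingAttributes(plain, torUaOnly));
```

An empty list means none of the three attributes ties the two sessions together; any name in the list is a value the Tor session shares with the non-Tor one.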
