
Re: [tor-talk] HTML5 video and Tor anonymity.

Thus spake Tom Ritter (tom@xxxxxxxxx):

> On 1 May 2013 15:29, David Vorick <david.vorick@xxxxxxxxx> wrote:
> > I don't know what I'm talking about, but here goes:
> >
> > If you were to put flash in a "sandbox" that had a fake IP address, might
> > that make the sandbox incompatible with the tor network? When you are
> > communicating, even over the tor network, your IP address is critical so
> > that servers on the other end know where to send messages. That means that
> > at the very least you have to know your own IP address. If the flash
> > sandbox had a false address, the network might reject communication
> > altogether, or it might simply be unable to return the messages to the
> > right spot.
> >
> > Am I incorrect?
> Well, when anyone from outside the Tor project talks about sandboxing
> flash, they're talking about restricting the system calls it can make,
> restricting it from touching files on disk, spawning processes - real
> sandbox stuff.  That's what Mozilla is after with Shumway.  That's
> what Chrome is/was after with their sandbox.
> Tor is afraid of Flash for three reasons as I see it: it's buggy (see
> my previous sentence), it can read your IP address, and (I believe) it
> can or can be made to make requests that circumvent a configured proxy
> that would leak your external IP to whatever you connect to (assumed
> to be an attacker).  And when I say proxy, you can read "Tor".

There's a fourth reason: Flash can enumerate a separate and more
detailed set of facts about your computer than Javascript can, and we
have many indications that this set of facts is much larger (and thus is
more identifying).

The major one that the EFF found was that not only does flash export a
full list of fonts installed on your computer, it also provides this
list in a machine-dependent order. There are probably quite a few other
surprises like that, too.

Depending on the nature of the sandbox/VM, it may or may not be possible
to address those fingerprinting issues...

This shouldn't discourage anyone from working on a minimalistic flash
sandbox though. Any solution would be better than none, especially since
we already allow people to go into the TBB settings and mash the thing
on if they really want..

I believe we even have an upstream deliverable for a flash sandbox.. Not
my area of personal expertise or interest, though. I'm with Steve Jobs
on this one: kill that fucker until it is dead.

Mike Perry
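To illustrate the font-ordering point from the message above, here is a small added model (not code from the thread, Tor, or Flash): it takes constructed font lists from four hypothetical machines, three of which have the identical set of fonts installed but enumerate them in different orders, and compares the fingerprint space with and without canonicalizing the order. This shows why a list that is "the same set in a machine-dependent order" carries extra identifying bits, and why a sandbox or VM that could sort the list before exposing it would remove exactly those bits (the font names and the SHA-256 fingerprinting step are assumptions of the example, not Flash's actual mechanism).

```python
import hashlib
import math
from collections import Counter

# Constructed sample data: machines a, b and c have the same fonts installed,
# enumerated in different orders; machine d has one extra font.
SAMPLES = {
    "machine-a": ["Arial", "Courier New", "Times New Roman", "Verdana"],
    "machine-b": ["Times New Roman", "Arial", "Verdana", "Courier New"],
    "machine-c": ["Verdana", "Courier New", "Arial", "Times New Roman"],
    "machine-d": ["Arial", "Courier New", "Times New Roman", "Verdana", "Georgia"],
}


def fingerprint(fonts, canonicalize):
    """Hash a font list as a tracker would.

    With canonicalize=True the list is sorted first, which is what a
    sandbox could do before handing the list to the plugin, so that only
    the *set* of fonts (not the enumeration order) is observable.
    """
    names = sorted(fonts) if canonicalize else list(fonts)
    return hashlib.sha256("\n".join(names).encode("utf-8")).hexdigest()


def distinct_fingerprints(samples, canonicalize):
    """How many machines can be told apart from one another."""
    return len({fingerprint(f, canonicalize) for f in samples.values()})


def entropy_bits(samples, canonicalize):
    """Shannon entropy of the fingerprint distribution over the sample population."""
    counts = Counter(fingerprint(f, canonicalize) for f in samples.values())
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    for canon in (False, True):
        label = "canonicalized (sorted)" if canon else "raw machine order"
        print(f"{label:24s}: {distinct_fingerprints(SAMPLES, canon)} distinct fingerprints, "
              f"{entropy_bits(SAMPLES, canon):.2f} bits")
```

With the raw order every machine is distinguishable (four fingerprints, 2 bits over this tiny population); after sorting, the three machines that merely differ in enumeration order collapse to one fingerprint and only the machine with a genuinely different font set remains separable. The entropy numbers are a property of the constructed sample and only illustrate the direction of the effect, not the real-world figures the EFF measured.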


tor-talk mailing list