[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: HTML5 deanonymization attacks



Thus spake Marco Bonetti (marco.bonetti@xxxxxxxxxxxx):

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello list,
> DeepSec 2009 is on, this morning I gave the talk on new HTML5 features
> and how do they affect Tor browsing, if you're interested in the
> presentation with some sample code for the attacks go to
> http://sid77.slackware.it/.
> And keep browsing with Firefox+TorButton ;-)

Hey Marco, thanks for this!

I have a couple of quick questions and a comment:

Do you have the test cases for the offline application protocol
handler registration? I'm curious if Torbutton will still block them
from bypassing the proxy or delaying themselves from running until
post-toggle, even if you click to allow the application to run. I
think it should still be blocked from doing anything terrible, but it
would be nice to know for sure.

In general, it would be really nice if we could have all your test
cases online so I can link them from the Torbutton Design Document, as
we have done with other research like yours. The hope is that one day
someone will consolidate all them into a good browser anonymity and
privacy validation framework (decloak.net and deanonymizer.com are
great starts, but still aren't totally complete).

Also, I'm curious about your comments about the differences in
implementation of video, audio and source tags in Firefox 3.6b.


And finally the comment: Torbutton 1.2.3 will address the geolocation
issue and a few others in Firefox 3.5. I am closing out bugs in
flyspray preparing for a release hopefully this weekend.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpXphCNO7eiY.pgp
Description: PGP signature