[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: HTML5 deanonymization attacks

To: or-talk@xxxxxxxxxxxxx
Subject: Re: HTML5 deanonymization attacks
From: Marco Bonetti <marco.bonetti@xxxxxxxxxxxx>
Date: Fri, 20 Nov 2009 09:32:21 +0100
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Fri, 20 Nov 2009 03:32:38 -0500
In-reply-to: <e692861c0911191205s757bddf8h4b9bf9e47646e0be@xxxxxxxxxxxxxx>
References: <4B057C10.6060301@xxxxxxxxxxxx> <e692861c0911191205s757bddf8h4b9bf9e47646e0be@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.23 (X11/20090820)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gregory Maxwell wrote:
> It's not clear from the slides exactly how the video tags are supposed
> to be bypassing tor. Is this saying that the poster attribute bypasses
> the proxy settings?  It doesn't appear to do so here for me in
> Firefox.
Firefox 3.5 does NOT support the poster attribute: this is what I wrote
in the slides as "safe by broken implementation".

The overall idea is to open a side channel via ftp, hoping the browser
will ignore the HTTP proxy as it is not supposed to be able to proxy
that protocol. As I told here some times ago
(http://archives.seul.org/or/talk/Jul-2009/msg00002.html) if you stick
with Firefox and TorButton you're safe. And, well, outside this mailing
list it's not that obvious as it seems: I enjoy giving talks here in
Italy on how Tor works and on how you should use it and there're too
many people asking if they're safe using e.g. Firefox and Foxy Proxy or
any other browser.

ciao

- --
Marco Bonetti
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/

My GnuPG key id: 0x0B60BC5F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksGVBUACgkQTYvJ9gtgvF+CxACeP+Ei6NPZ6rMKybJkFFwR6Q7K
sMoAninCko7ElNJ3Ri3QpcIvgP2YSt+k
=jMwx
-----END PGP SIGNATURE-----
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

References:
- HTML5 deanonymization attacks
  - From: Marco Bonetti
- Re: HTML5 deanonymization attacks
  - From: Gregory Maxwell

Prev by Author: Re: HTML5 deanonymization attacks
Next by Author: Re: TLS Man-In-The-Middle Vulnerability
Previous by thread: Re: HTML5 deanonymization attacks
Next by thread: Re: HTML5 deanonymization attacks
Index(es):
- Author
- Thread