
Re: HTML5 deanonymization attacks
Thus spake Marco Bonetti (marco.bonetti@xxxxxxxxxxxx):

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Mike Perry wrote:
> > Do you have the test cases for the offline application protocol
> > handler registration? I'm curious if Torbutton will still block them
> > from bypassing the proxy or delaying themselves from running until
> > post-toggle, even if you click to allow the application to run. I
> > think it should still be blocked from doing anything terrible, but it
> > would be nice to know for sure.
> I can do some tests on protocol handlers and non-Tor-friendly protocols
> like ftp. TorButton is doing a great job here with the big ugly warning
> but, as told at the talk, who cares about big ugly warnings nowadays? ;-)

Yes, exactly. It would be nice to know if it is blocked even if you
click through the warning and accept it. That warning is actually for
blocking real external apps, not html pages registered as apps. The
html pages should still be blocked by other means, and if they are
not, I would like to at least investigate with a good test case to see
why not.

> > In general, it would be really nice if we could have all your test
> > cases online so I can link them from the Torbutton Design Document, as
> > we have done with other research like yours. The hope is that one day
> > someone will consolidate all of them into a good browser anonymity and
> > privacy validation framework (decloak.net and deanonymizer.com are
> > great starts, but still aren't totally complete).
> I'm hosting them on my home machine right now. I've already contacted H.
> D. Moore about inclusion in his decloak.net suite but, you know,
> he's pretty busy right now with the framework release. I can pack up
> every file in a tarball and offer it from slackware.it.

Yeah, and/or just a directory with the individual html files too.
Ideally it would be something I can link from the Design Document and
then click on individual tests to run them right there, for when I
make changes to Torbutton that may cause regressions.

> > Also, I'm curious about your comments about the differences in
> > implementation of video, audio and source tags in Firefox 3.6b.
> I only took a super fast look at Firefox 3.6b, as it was released too
> close to the conference :D
> There's the fullscreen video support and... dunno, maybe the new css
> fonts support may be interesting. The only thing I double checked was
> the poster attribute support.

Ok.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs