On Thu, 28 Oct 2010 20:57:24 -0400 grarpamp <grarpamp@xxxxxxxxx> wrote:

> For the users who have checked all the c-s-d checkboxes and reviewed
> all the firefox.edit.preferences pages...
>
> For any given phase/method of browsing/usage, does torbutton clear
> any additional state beyond what c-s-d clears?

Torbutton clears TLS session resumption information out of the browser,
which is not listed in the “Clear Recent History...” dialog, when the
user toggles between Tor and non-Tor browsing:

On Wed, 27 Oct 2010 16:41:57 -0700 Mike Perry <mikeperry@xxxxxxxxxx> wrote:

> Thus spake Seth David Schoen (schoen@xxxxxxx):
>
> > > Hi,
> > > I don't understand, too and in my opinion, this is utter nonsense. I'm
> > > not aware of any negative impacts on privacy due to the usage of
> > > https://,
> >
> > Session resumption can be used to recognize an individual browser
> > that connects from different IP addresses, or even over Tor. This
> > kind of recognition can be perfect because the resumption involves
> > a session key which is large, random, and could not legitimately
> > have been known to any other browser. :-(
>
> This is not true if the user is using Torbutton. See the paragraph
> about security.enable_ssl2 in:
> https://www.torproject.org/torbutton/en/design/#browseroverlay
>
> This hack causes us to clear all TLS session ID and resumption state.
> It's bloody, but it works. Firefox has also created an official API
> for us to do this the "right" way that we will begin using in 1.2.6:
> https://trac.torproject.org/projects/tor/ticket/1624

> Particularly with regard to transmittable data [whether remotely or
> locally generated], as opposed to non-transmittable data that is merely
> cached such as images, etc.

The cache can be used to store pieces of HTML, CSS, and JavaScript
containing unique identifiers, which can then be transmitted back to a
server in various ways (even without JavaScript).

Robert Ransom