[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Firefox ctrl-shift-del vs. Torbutton

On Thu, 28 Oct 2010 20:57:24 -0400
grarpamp <grarpamp@xxxxxxxxx> wrote:

> For the users who have checked all the c-s-d checkboxes and reviewed
> all the firefox.edit.preferences pages...
> For any given phase/method of browsing/usage, does torbutton clear
> any additional state beyond what c-s-d clears?

Torbutton clears TLS session resumption information out of the browser,
which is not listed in the âClear Recent History...â dialog, when the
user toggles between Tor and non-Tor browsing:

On Wed, 27 Oct 2010 16:41:57 -0700
Mike Perry <mikeperry@xxxxxxxxxx> wrote:

> Thus spake Seth David Schoen (schoen@xxxxxxx):
> > > Hi,
> > > I don't understand, too and in my opinion, this is utter nonsense. I'm
> > > not aware of any negative impacts on privacy due to the usage of
> > > https://,
> > 
> > Session resumption can be used to recognize an individual browser
> > that connects from different IP addresses, or even over Tor.  This
> > kind of recognition can be perfect because the resumption involves
> > a session key which is large, random, and could not legitimately
> > have been known to any other browser. :-(
> This is not true if the user is using Torbutton. See the paragraph
> about security.enable_ssl2 in:
> https://www.torproject.org/torbutton/en/design/#browseroverlay
> This hack causes us to clear all TLS session ID and resumption state.
> It's bloody, but it works. Firefox has also created an official API
> for us to do this the "right" way that we will begin using in 1.2.6:
> https://trac.torproject.org/projects/tor/ticket/1624

> Particularly with regard to transmittable data [whether remotely or
> locally generated], as opposed to non-transmittable data that is merely
> cached such as images, etc.

The cache can be used to store pieces of HTML, CSS, and JavaScript
containing unique identifiers, which can then be transmitted back to a
server in various ways (even without JavaScript).

Robert Ransom

Attachment: signature.asc
Description: PGP signature