[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Flash, Linux and Tor

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Flash, Linux and Tor
From: Matt Joyce <toradmin@xxxxxxxxxxxxx>
Date: Fri, 12 Oct 2012 11:36:27 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 12 Oct 2012 06:46:37 -0400
In-reply-to: <5bm3FHQUHKRi4JyAGLwfUxjCphaQ77q3@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Organization: N/A
References: <5bm3FHQUHKRi4JyAGLwfUxjCphaQ77q3@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120912 Thunderbird/15.0.1

On 12/10/12 09:40, Outlaw wrote:

Hi! Let`s say main linux user A is cut off from Internet with iptables,
user B starts Tor. If I run TorBrowser by user A, connect it to Tor
(which is started by B) with socks and turn on flash plugin, is there
any security/anonimity leak in this scheme? Thank you.


_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

The issue with flash even doing this is that when using flash you arerunning third party executable code on the system, it can access variousinformation that could compromise your identity from the browser such asthe machines public IP etc. It is also able to make connections toarbitrary servers via at the very least HTTP/HTTPS sure they would beproxied via tor but they can also relay information picked up from thelocal browser.

None of this is even including browser fingerprinting yet which withflash involved is far far easier and more accurate a good resource checkout http://panopticlick.eff.org/ both with and without flash/js enabledand see the difference in the fingerprint-ability of the browser andbear in mind that site uses a fairly basic algorithm to show a point itcould be made even more accurate by someone who actually wanted to do so.

Supercookies in this case referring to the flash LSO variant are anotherproblem that would allow for tracking etc.

So yeah there are a number of ways it could compromise yoursecurity/anonymity, I wouldn't overly recommend it of course while someof the problems are potentially inherent others would require the flashapp to be coded to store data/track the latter could potentially beminimized using a tight whitelist in something like noscript but beaware anything that does run does have the ability. Furtherwhitelisting by URL leaves open the possibility of actively maliciousattacks should the server be compromised and the attacker replace anapplet at a whitelisted URL or were one to be altered in transit forexample.

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Flash, Linux and Tor
  - From: Outlaw

Prev by Author: Re: [tor-talk] Can we come up with a lighter, easier torified client apps ?
Next by Author: Re: [tor-talk] Help with Tor and Flash Player plugin struggle
Previous by thread: [tor-talk] Flash, Linux and Tor
Next by thread: Re: [tor-talk] Flash, Linux and Tor
Index(es):
- Author
- Thread