[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?

Subject: Re: [tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 22 Jan 2014 16:16:26 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 22 Jan 2014 11:16:27 -0500
In-reply-to: <049.e964d1a87913ebd0ef85238f2e796a32@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <049.e964d1a87913ebd0ef85238f2e796a32@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#10419: Can requests to 127.0.0.1 be used to fingerprint the browser?
--------------------------------------+--------------------------------
     Reporter:  mikeperry             |      Owner:  mikeperry
         Type:  task                  |     Status:  new
     Priority:  major                 |  Milestone:
    Component:  Firefox Patch Issues  |    Version:
   Resolution:                        |   Keywords:  tbb-fingerprinting
Actual Points:                        |  Parent ID:
       Points:                        |
--------------------------------------+--------------------------------

Comment (by oc):

 Replying to [comment:9 gk]:
 > Where is the breach, exactly? The design document says:
 > {{{
 > The browser MUST NOT bypass Tor proxy settings for any content.
 > }}}
 As I understand it, the idea behind "proxy obedience" is that ''all'' TBB
 generated traffic (DNS, HTTP, whatever) must go through Tor: nothing must
 be leaked. It is not (only) about verifying the socks proxy honors its
 settings.
 As it is, according to users reports TBB does not leak on FreeBSD, but
 leaks on Linux (127.0.0.1) and Windows (LAN). Anyone can check this with
 the above mentioned test page -- further reports are welcome.
 If these reports are right:
 * A remote server can discover what platform TBB is running on with at
 most two JS-embedded XHRs.
 * If there is a local web server with liberal CORS policies, the remote
 server can browse it and exfiltrate its data.
 * When XHRs fail because of CORS, it can be circumvented using other
 resources: successfully retrieving an <img src=http://127.0.0.1:631/images
 /cups-icon.png> will go around CUPS CORS policies.

 I agree with you however that the security issue is not limited to proxy
 obedience.

 Replying to [comment:9 gk]:
 > And including "127.0.0.1" into "content" does not make any sense here as
 this would imply that TBB users could never access 127.0.0.1 themselves
 Let's take it in reverse: why would anyone use TBB to browse localhost
 exactly?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10419#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?
Next by Author: Re: [tor-bugs] #10640 [TorBrowserButton]: Fix about:tor's pointer position for RTL languages
Previous by thread: Re: [tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?
Next by thread: Re: [tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?
Index(es):
- Author
- Thread