Thus spake tor@xxxxxxxxxxxxxxxxxx (tor@xxxxxxxxxxxxxxxxxx): > On 22/08/11 20:08, stringer@xxxxxxxxxxx wrote: > > > "The JonDoFox research team has uncovered a new attack on web > > browsers: Affected are the web browsers Firefox, Chrome and Safari. > > By a hidden call over of a URL with HTTP authentication data, third > > party sites could track a user over several web sites, even if the > > user blocks all cookies and other tracking procedures. For doing > > this, it is sufficient to include a simple CSS file: > > <link rel="stylesheet" type="text/css" > > "http://Session:638431048@xxxxxxxxxxxx/auth.css.php";> > > FWIW, there are many ways to track a browser cross-site and across > restarts, even if you have javascript and cookies and flash cookies > disabled. I recently blogged about a bunch of them which abuse the > browser cache here: > > https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache None of this is news. FYI, Torbutton traditionally handled both HTTP auth and cache through the toggle feature. I've since realized that the toggle model was broken, and we've been trying to supplant it in the 2.2.x Tor Browser Bundles: https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design Our first defense for TBB users is the "New Identity" feature, which will appear in 1.4.1 of Torbutton*: https://trac.torproject.org/projects/tor/ticket/523 Depending on how things go, we may or may not isolate HTTP auth to a urlbar domain in Torbutton 1.4.1, but it is also on the roadmap for TBB 2.2.x-stable: https://trac.torproject.org/projects/tor/ticket/3748 * "New Identity" will only work on Tor Browser Bundles. -- Mike Perry Mad Computer Scientist fscked.org evil labs
Attachment:
pgpTBQmi2YFvA.pgp
Description: PGP signature
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk