Thus spake tor@xxxxxxxxxxxxxxxxxx (tor@xxxxxxxxxxxxxxxxxx): > On 23/08/11 05:56, Mike Perry wrote: > > >> FWIW, there are many ways to track a browser cross-site and across > >> restarts, even if you have javascript and cookies and flash cookies > >> disabled. I recently blogged about a bunch of them which abuse the > >> browser cache here: > >> > >> https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache > > > > None of this is news. > > > > FYI, Torbutton traditionally handled both HTTP auth and cache through > > the toggle feature. I've since realized that the toggle model was > > broken, and we've been trying to supplant it in the 2.2.x Tor Browser > > Bundles: > > If you read the article, you'll see that clearing the cache on toggle > isn't enough. The cache should be completely disabled. If not, you could > visit sitea.com, then visit siteb.com, and they could easily figure out > that you're the same person. Even if you're coming from a different Tor > exit node, even if you clear cookies inbetween. That is unless you have > the patience to only visit one site at a time, and toggle off/on between > each different site visit. Did I mention I don't like the toggle model? I thought I did :) I guess you could also argue that "New Identity" is a toggle-ish solution. For the general TBB solution, see: https://trac.torproject.org/projects/tor/ticket/3508 It is in 1.4.0. As I said in the blog posts, I intend to isolate all browser state to urlbar domain, and/or disable whatever features aren't amenable to this. So far this means that 3rd party cookies must be disabled and DOM storage must be disabled. HTTP auth can be isolated similarly to cache. See: https://trac.torproject.org/projects/tor/ticket/3748 SSL certificates are not isolated. They might never be. The SSL stack is a nightmare. -- Mike Perry Mad Computer Scientist fscked.org evil labs
Attachment:
pgpAfxikPenZF.pgp
Description: PGP signature
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk