[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-talk] Fwd: [guardian-dev] Replicating TorBB/Firefox exploit in Orweb/Webkit?
-------- Original Message --------
Subject: [guardian-dev] Replicating TorBB/Firefox exploit in Orweb/Webkit?
Date: Mon, 05 Aug 2013 12:33:33 -0400
From: Nathan of Guardian <nathan@xxxxxxxxxxxxxxxxxxxx>
To: Guardian Dev <guardian-dev@xxxxxxxxxxxxxxxxxx>
Regarding the Tor security advisory
(https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html),
I've been considering whether this exploit or a similar one could be
used against Orweb, and the underlying Android WebView/Webkit component.
Orweb has Javascript and Cookie support off by default for all sites, so
I expect a Javascript exploit would not work at all. However, if we
enable both (which many users do in order to login to sites with
captchas), could that open Orweb users up to this deanonymization attack?
I hope to replicate this in a test environment shortly, but if anyone
has insight related to Webkit vs Firefox/Gecko in terms of this exploit,
please share.
In addition, if anyone is motivated to do their own independent auditing
of Orweb along these lines, would love to have your help.
Thanks!
+n
_______________________________________________
Guardian-dev mailing list
Post: Guardian-dev@xxxxxxxxxxxxxxxxxx
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To Unsubscribe
Send email to: Guardian-dev-unsubscribe@xxxxxxxxxxxxxxxxxx
Or visit:
https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info
You are subscribed as: nathan@xxxxxxxxxxxxxxxxxxxx
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk