Garrett Robinson: > On 8/28/15 7:01 PM, Mike Perry wrote: > > sg.info@xxxxxxxxxxxxxxxxxxx: > >> Hi guys and girls, > >> are there security issues using the privacy badger from eff.org with the tor browser ? > >> Or: Is there are a need to use privacy badger or is this utility dispensable ? > > > > The filters in use by Privacy Badger are fingerprintable - it is > > possible for sites to determine that you have it installed. > > Since Privacy Badger uses a learning heuristic based on the sites you > visit, it actually might possible for it to leak information about your > browsing history too. Yikes! I didn't know this. This is especially bad, especially if Privacy Badger has custom storage mechanisms for this that aren't cleared regularly (which you touch on below). It may also result in browsing history leaking to disk, which wouldn't normally happen in the default Tor Browser. I'm now actually curious if these types of filter addons aren't already being exploited for these and related weaknesses/shortcomings. If any academics are interested in a good publication (Gunes Acar - are you listening? :), it would be *very* interesting to run a crawl to see if any websites have begun to behave adversarially against addons like Adblock, Privacy Badger, Ghostery, etc. After all, it is easy for sites to determine if an adblocker has blocked an ad load, and then proceed to load an ad from an alternate URL, domain name, or even another ad network that may not be covered by the default filters. This may not be likely for less popular addons such as Privacy Badger yet, but for extremely popular adblockers such as AdBlock, I bet this behavior is already happening somewhere in the wild right now. > In general, does Tor Browser persist the state saved by extensions > across restarts, or is that wiped along with the history and cookies and > everything else? Because of the current privilege level and capabilities of extensions (basically the same as the browser C++ code), we cannot ensure that extensions are well behaved in this way. However, when the user clicks "New Identity" in the Torbutton menu, we do emit "browser:purge-session-history", "last-pb-context-exited", and clear all cookies (which emits another event that triggers various bits of the browser to clear state, according to spec). We also manually clear a bunch of related state in the browser: https://www.torproject.org/projects/torbrowser/design/#new-identity Firefox extensions are encouraged to obey these events to clear their stored state, but this is only by convention[1]. Many do not do this. In fact, a while ago we found issues with NoScript where it was storing state in prefs that got written to disk, and were not reset by these events. As for session restarts, that is enforced only by preventing the browser from storing disk records on a per-mechanism basis: https://www.torproject.org/projects/torbrowser/design/#disk-avoidance Again, because of their full privilege level and capabilities, addons can store their own state however they wish. Custom/ad-hoc storage mechanisms (such as using special preference names as value storage, or writing raw data to files on disk) will not be covered by our changes. I'm now curious about how Privacy Badger stores its state... 1. https://developer.mozilla.org/EN/docs/Supporting_per-window_private_browsing -- Mike Perry
Attachment:
signature.asc
Description: Digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk