
Re: [tor-talk] Webpage autorefresh weakens onion routing



On Tue, Jul 02, 2013 at 06:45:24PM -0700, Mark Yaler wrote:
> Let's say you open webpage X, which automatically refreshes every
> minute. But the user doesn't immediately realize this problem.

Variations of this attack are in various research papers, e.g.
http://freehaven.net/anonbib/#tissec-latency-leak
See also
http://freehaven.net/anonbib/#abbott-pet2007

> The user also wishes to read webpage Y. However, this user realizes
> that opening both X and Y would allow his identity to be compromised,
> or at least significantly narrowed in probability. So the user realizes
> that he needs to refresh his Tor identity between accessing pages X and
> Y. So he does this.

Assuming he clicks 'new identity' in Torbutton, it will flush all his
browser state. There will be no more page X open.

> Then he accesses webpage Y. Unfortunately, due to the autorefresh
> HTML code on webpage X, which suddenly occurs, there is now evidence
> (in the clear) of the same IP address accessing both X and Y within a
> short time window, thereby weakening his anonymity.

Yep. That's why the Tor Browser doesn't allow this.
https://www.torproject.org/projects/torbrowser/design/#new-identity

> My point is, why not do that by default?

It's a tradeoff between usability and security. I think we'd end up
breaking a lot of pages if we disabled all refreshes.

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
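
An added example, not part of the thread and not Tor Browser code: a small Python check that reports the declarative autorefresh mechanisms a page carries (a `<meta http-equiv="refresh">` tag or a `Refresh` response header), which is the kind of timed reload the scenario above depends on. The function names and the sample page are constructed for illustration, and script-driven reloads (JavaScript timers) are out of scope.

```python
import re
from html.parser import HTMLParser

# Accepts "60", "60; url=/next", "0;URL='http://example.com/'" and similar.
_CONTENT = re.compile(
    r"""^\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?([^'"]*)['"]?)?\s*$""",
    re.I,
)

def _parse(value):
    """Return (seconds, target or None) for a refresh value, or None if malformed."""
    m = _CONTENT.match(value or "")
    if not m:
        return None
    target = (m.group(2) or "").strip() or None  # None means "reload this page"
    return float(m.group(1)), target

class RefreshFinder(HTMLParser):
    """Collects every <meta http-equiv="refresh"> declaration in a document."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser lowercases names
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            parsed = _parse(a.get("content"))
            if parsed:
                self.found.append(parsed)

def find_autorefresh(html, headers=None):
    """Return [(source, seconds, target)] for each timed reload the page declares."""
    hits = []
    for name, value in (headers or {}).items():
        if name.lower() == "refresh" and _parse(value):
            hits.append(("header",) + _parse(value))
    finder = RefreshFinder()
    finder.feed(html)
    finder.close()
    return hits + [("meta",) + f for f in finder.found]

# Constructed sample standing in for "webpage X", which reloads every minute.
SAMPLE_PAGE = """<html><head><meta http-equiv="Refresh" content="60">
<title>Page X (constructed sample)</title></head><body>ticker</body></html>"""

if __name__ == "__main__":
    for source, seconds, target in find_autorefresh(SAMPLE_PAGE):
        print(f"{source}: reloads every {seconds:g}s -> {target or 'same page'}")
```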