Re: [tor-talk] Webpage autorefresh weakens onion routing
On Tue, Jul 02, 2013 at 06:45:24PM -0700, Mark Yaler wrote:
> Let's say you open webpage X, which automatically refreshes every
> minute. But the user doesn't immediately realize this problem.

Variations of this attack are in various research papers, e.g.
http://freehaven.net/anonbib/#tissec-latency-leak
See also
http://freehaven.net/anonbib/#abbott-pet2007

> The user also wishes to read webpage Y. However, this user realizes
> that opening both X and Y would allow his identity to be compromised,
> or at least significantly narrowed in probability. So the user realizes
> that he needs to refresh his Tor identity between accessing pages X and
> Y. So he does this.

Assuming he clicks 'new identity' in Torbutton, it will flush all his
browser state. There will be no more page X open.

> Then he accesses webpage Y. Unfortunately, due to the autorefresh
> HTML code on webpage X, which suddenly occurs, there is now evidence
> (in the clear) of the same IP address accessing both X and Y within a
> short time window, thereby weakening his anonymity.

Yep. That's why the Tor Browser doesn't allow this.
https://www.torproject.org/projects/torbrowser/design/#new-identity

> My point is, why not do that by default?

It's a tradeoff between usability and security. I think we'd end up
breaking a lot of pages if we disabled all refreshes.

--Roger