[tbb-bugs] #20019 [Applications/Tor Browser]: Proposal for TOR Browser extension

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 7 23:35:25 UTC 2016

#20019: Proposal for TOR Browser extension
 Reporter:  SECUSO_Kristoffer         |          Owner:  tbb-team
     Type:  enhancement               |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by teor):

 Replying to [comment:3 SECUSO_Kristoffer]:
 > Thanks for your comment!
 > Currently, like you said, PassSec shows a wrong indicator on onion
 sites. We plan to add an additional case to mark these sites as safe.


 > Regarding your second question on the icons: No third party content is
 loaded. All icons/images are included within this add-on. The user's
 choice of any specific icon is therefore not leaked. All computations are
 local, like the different indicators. PassSec checks if there https is
 available on a specific website by sending a request to the site the user
 currently visits. PassSec injects the icons locally based on the analysis
 of the website and the request.

 The random, persistent choice of icon is vulnerable to server probing via
 HTML Canvas, and perhaps other mechanisms.

 If it's made persistent on disk, it's also vulnerable to file
 fingerprinting, allowing forensic analysis to discover the choice of icon
 even if Tor is restarted or "new identity" is chosen.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20019#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list