[tor-bugs] #1999 [Torbutton]: tor: URL support may allow attacks on Torbutton
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sat Oct 2 21:46:18 UTC 2010
#1999: tor: URL support may allow attacks on Torbutton
-----------------------+----------------------------------------------------
Reporter: rransom | Owner: mikeperry
Type: defect | Status: new
Priority: normal | Milestone: Torbutton: 1.3
Component: Torbutton | Version: Torbutton: 1.3
Keywords: | Parent:
-----------------------+----------------------------------------------------
[https://twitter.com/egyp7/status/26023995288]
Mike Perry thinks this tweet is about the possibility that a web site
could detect the presence of Torbutton by putting a tor: URL in an IFRAME
and measuring how long Firefox takes to report a page-not-found error --
if Torbutton is not installed, it fails immediately; if Torbutton is
installed, it waits until the user responds to a pop-up dialog, and then
either fails the load attempt or switches into Tor mode and loads the URL.
The warning dialogs might also allow a DoS attack on Torbutton users --
JavaScript can repeatedly add IMG tags to a page with tor: source URLs,
and the repeated popups will make a user's browser unusable.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1999>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list