[tor-bugs] #2640 [Torbutton]: Make tor:// urls safe

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Mar 1 08:20:54 UTC 2011


#2640: Make tor:// urls safe
-------------------------+--------------------------------------------------
 Reporter:  mikeperry    |          Owner:  mikeperry
     Type:  enhancement  |         Status:  new      
 Priority:  major        |      Milestone:           
Component:  Torbutton    |        Version:           
 Keywords:               |         Parent:           
   Points:  Infinite     |   Actualpoints:           
-------------------------+--------------------------------------------------
 tor:// urls are not safe. It is currently possible to cause Torbutton to
 recognize any arbitrary content element with a tor:// url and ask the user
 if they want to toggle into tor. There appears to be no way to use the
 Firefox APIs to determine if such a load was actually due to the url bar.
 The Protocol handlers that listen for tor:// are actually called before
 any listeners involving the url bar are called, and accessing the url bar
 itself appears to return the previous URL, at least in FF 3.x.

 By default, Torbutton still asks the user if they want to toggle, but even
 this question can be used as a timing attack to determine that Torbutton
 is installed, which violates our security requirements:
 https://www.torproject.org/torbutton/en/design/#requirements

 Credit for discovering this goes to "egypt" of the Metasploit team:
 https://twitter.com/egyp7/status/26023995288

 Until either the APIs improve, or we find a side channel inside Firefox
 that allows us to fix this and observe the URL bar contents and block non-
 urlbar requests automatically, we need to leave tor:// urls off by
 default.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2640>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

