[tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 22 16:16:26 UTC 2014 

#10419: Can requests to 127.0.0.1 be used to fingerprint the browser?
--------------------------------------+--------------------------------
     Reporter:  mikeperry             |      Owner:  mikeperry
         Type:  task                  |     Status:  new
     Priority:  major                 |  Milestone:
    Component:  Firefox Patch Issues  |    Version:
   Resolution:                        |   Keywords:  tbb-fingerprinting
Actual Points:                        |  Parent ID:
       Points:                        |
--------------------------------------+--------------------------------

Comment (by oc):

 Replying to [comment:9 gk]:
 > Where is the breach, exactly? The design document says:
 > {{{
 > The browser MUST NOT bypass Tor proxy settings for any content.
 > }}}
 As I understand it, the idea behind "proxy obedience" is that ''all'' TBB
 generated traffic (DNS, HTTP, whatever) must go through Tor: nothing must
 be leaked. It is not (only) about verifying the socks proxy honors its
 settings.
 As it is, according to users reports TBB does not leak on FreeBSD, but
 leaks on Linux (127.0.0.1) and Windows (LAN). Anyone can check this with
 the above mentioned test page -- further reports are welcome.
 If these reports are right:
 * A remote server can discover what platform TBB is running on with at
 most two JS-embedded XHRs.
 * If there is a local web server with liberal CORS policies, the remote
 server can browse it and exfiltrate its data.
 * When XHRs fail because of CORS, it can be circumvented using other
 resources: successfully retrieving an <img src=http://127.0.0.1:631/images
 /cups-icon.png> will go around CUPS CORS policies.

 I agree with you however that the security issue is not limited to proxy
 obedience.

 Replying to [comment:9 gk]:
 > And including "127.0.0.1" into "content" does not make any sense here as
 this would imply that TBB users could never access 127.0.0.1 themselves
 Let's take it in reverse: why would anyone use TBB to browse localhost
 exactly?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10419#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list