[tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jan 23 10:14:08 UTC 2014
#10419: Can requests to 127.0.0.1 be used to fingerprint the browser?
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: task | Status: needs_review
Priority: major | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords: tbb-fingerprinting,
Resolution: | tbb-pref, MikePerry201401R
Actual Points: | Parent ID:
Points: |
-------------------------------------+-------------------------------------
Comment (by cypherpunks):
(cypherpunks2)
Replying to [comment:14 gk]:
> Replying to [comment:13 mikeperry]:
> > I think that oc is right about not needing to browse localhost from
TBB.
>
> What about configuring CUPS from the browser? At least I am used to it.
Now that ''you'' have said it out loud, I can confess to that, too. ;)
One twist is that a web server running on 127.0.0.1 can serve pages that
include remote resources. Those would be proxied through tor, which on the
one hand might be quite useful, but on the other hand might include
identifying information. (I'm thinking something like http://stats
.mediaserver-vendor.example.com/?hostname=whoops.) It's essentially the
same problem as blindly torifying some off-the-shelf program.
To err on the side of safety, we could use ABE to also block remote
requests from 127.0.0.1. Its language seems to have neither negation nor a
GLOBAL keyword in opposition to LOCAL, but the rules are supposed to be
processed in order. Therefor, this could work:
{{{
# shipped upstream
Site LOCAL
Accept from LOCAL
Deny
# to be added
Site ALL
Deny from LOCAL
Accept
}}}
But it's untested.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10419#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list