[tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?

Thu Jan 23 18:53:45 UTC 2014

#10419: Can requests to 127.0.0.1 be used to fingerprint the browser?
-------------------------------------+-------------------------------------
     Reporter:  mikeperry            |      Owner:  mikeperry
         Type:  task                 |     Status:  needs_review
     Priority:  major                |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  tbb-fingerprinting,
   Resolution:                       |  tbb-pref, MikePerry201401R
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by oc):

 Replying to [comment:18 cypherpunks]:
 >
 > That's a strange mix? Only the ruleset from comment 16 is the good one.

 Is it? Sorry, I thought you recommended comments 15 ''and'' 16 rules
 concatenated…
 Note that my question was also: shouldn't 127.0.0.1 be allowed to access
 LOCAL? In other words, what is wrong with localhost CUPS fetching LAN
 resources?
 [[br]]

 > blocking LAN should be redundant. (If it is not redundant because
 somehow Windows TB is able to connect to LAN IPs, that sounds like a
 material for a separate bug ticket.)

 If you get rid of LOCAL rules (comment 15), a webserver on LAN could XHR
 to its WAN address and learn what your Tor exit node is, for example,
 couldn't it?
 [[br]]

 > > * 127.0.0.1 works but localhost does not.
 >
 > As expected, unless localhost is added to
 extensions.torbutton.no_proxies_on. In which case we'd also have to deal
 with localhost resolving to its IPv6 address? Not worth it IMHO.

 TBB does not allow IPv6, or did I miss something?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10419#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online