[tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 24 11:01:58 UTC 2014


#10419: Can requests to 127.0.0.1 be used to fingerprint the browser?
-------------------------------------+-------------------------------------
     Reporter:  mikeperry            |      Owner:  mikeperry
         Type:  task                 |     Status:  needs_review
     Priority:  major                |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  tbb-fingerprinting,
   Resolution:                       |  tbb-pref, MikePerry201401R
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by oc):

 Replying to [comment:21 mikeperry]:
 > It is called the "Tor Browser". I don't think we should really support
 > things like using it to configure local services, especially at the
 > expense of excessive complexity, increased vulnerability surface, or
 > increased fingerprinting.
 That's also how I understood proxy obedience being at the top of the
 requirements list.
 That is why I put it up: if I interpret it correctly, we do not even have
 to look for a better/smarter solution than blocking all local non-tor
 connections.
 Perhaps the design documents should state what is TBB's policy regarding
 local non-Tor connections, or do they already?

 Replying to [comment:21 mikeperry]:
 > The better question is "does CUPS printing work at all if we remove
 > 127.0.0.1 this pref?"
 It does work here, with all 127.0.0.1 traffic blocked.

 Replying to [comment:16 cypherpunks]:
 > Okay, so I did test it *phew* and it turns out that LOCAL only refers to
 > RFC private addresses ''and not 127.0.0.1''.
 On my Linux box:
 {{{
 Site LOCAL
 Deny
 }}}
 …is enough to block 127.0.0.1 traffic. Is this another platform-specific
 behavior?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10419#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

