[tor-bugs] #10419 [Firefox Patch Issues]: Can requests to 127.0.0.1 be used to fingerprint the browser?

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 24 14:04:01 UTC 2014


#10419: Can requests to 127.0.0.1 be used to fingerprint the browser?
-------------------------------------+-------------------------------------
     Reporter:  mikeperry            |      Owner:  mikeperry
         Type:  task                 |     Status:  needs_review
     Priority:  major                |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  tbb-fingerprinting,
   Resolution:                       |  tbb-pref, MikePerry201401R
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by oc):

 To further develop the above proposal, we have two classes of traffic: Tor
 (WAN) and non-Tor (lo/LAN). Tor anonymity mandates that we burn all
 bridges between these two worlds, otherwise we cannot protect users from
 fingerprinting or other information leakage -- intentional or not.

 When using TBB to browse non-Tor resources (lo/LAN), that is as a regular
 browser, we may not need to enforce anything a regular browser wouldn't:
 if we block such traffic, users will switch to a regular browser and leak
 all the same anyway. It thus seems we could allow "standard" non-Tor
 traffic and live with lo->LAN access.
 Safety issue with LAN->lo access should probably be fixed upstream as Yuri
 advocates: with a general browser-level ban on wider-to-narrower traffic.
 This is not going to happen any time soon: Chrome devs argue
 [https://code.google.com/p/chromium/issues/detail?id=336371#c2 updated W3C
 specs] would be required first; FF devs seem
 [https://bugzilla.mozilla.org/show_bug.cgi?id=962017#c1 happy with CORS]
 only, probably for the same reason. In the meantime, TBB could use default
 ABE rules to enforce it anyway.

 Altogether:
 {{{
 # Block wider-to-narrower access to loopback
 Site 127.0.0.1
 Accept from 127.0.0.1
 Deny

 # Isolate Tor vs non-Tor domains
 # Block WAN -> LAN/lo
 Site LOCAL
 Accept from LOCAL
 Deny
 # Block LAN/lo -> WAN
 Site ALL
 Deny from LOCAL
 Accept
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10419#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

