[tor-bugs] #16871 [Tor]: Tor fails at Content Security Policy (CSP)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Aug 21 07:58:20 UTC 2015


#16871: Tor fails at Content Security Policy (CSP)
--------------------+---------------------
 Reporter:  HaronP  |          Owner:
     Type:  defect  |         Status:  new
 Priority:  normal  |      Milestone:
Component:  Tor     |        Version:
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
--------------------+---------------------
 Why can't Tor implement something like [https://developer.mozilla.org/en-
 US/docs/Web/Security/CSP/CSP_policy_directives#Keywords Content Security
 Policy] ([http://www.w3.org/TR/2015/CR-CSP2-20150721/ CSP]) and make it
 possible to stop all injected scripts - even when NoScript allows scripts
 globally - that can deanonymize users?

 It is known that a lot of people allow scripts globally in NoScript,
 because most sites break without javascript, but because of browser
 vulnerabilities, javascript allows unauthorized users to exploit visitors
 and deanonymize them.

 Some CSP settings will allow only specific scripts. A '''script-src
 'none'''' CSP setting can prevent all JavaScript on the webpages that
 enable this setting, even without NoScript. I think this should be the
 default setting for Tor Hidden Services, because they are constantly the
 target of unauthorized users that try to break into the servers of Tor
 Hidden Services to inject JavaScript that exploits visitors' browsers and
 breaks their anonymity.

 Looking at other attack factors, I think it would be even better if Tor
 had a whitelisted script database lookup for each Tor Hidden Service,
 even before connecting to the Tor Hidden Service. In this database,
 JavaScript disallow settings should be defined and signed with a private
 key. Whitelisted scripts should be hashed using a hash algorithm that is
 collision resistant enough for years to come and signed with the private
 key as well. The private key should never be stored on the server. So,
 even when the unauthorized users get access to the physical servers and
 change whatever setting they want to on that server, even if they try to
 trick users into disabling !NoScript, no scripts will be executed on the
 client side and the visitors won't lose their anonymity because of an
 injected JavaScript on a breached Tor Hidden Service website.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16871>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
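The ticket contrasts a blanket `script-src 'none'` policy with allowing only specific, hashed scripts. The Python below is an added example, not part of the ticket and not Tor or Tor Browser code: using only the standard library, it computes the CSP2 hash-source token for an inline script and evaluates a `script-src` directive against an inline or external script, so one can see that `'none'` denies everything, that a hash source admits only the byte-exact script and rejects a tampered copy, and that hash sources make `'unsafe-inline'` inert (CSP2 semantics). The host-source matcher is simplified (no port or path matching), a missing `script-src` is treated as deny rather than falling back to `default-src`, and the `.onion` addresses and script bodies are constructed placeholders. The private-key signing the ticket proposes on top of the hashes is not shown.

```python
import base64
import hashlib
from urllib.parse import urlsplit

HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash_source(script_text, algo="sha256"):
    """Return the CSP2 hash-source token for an inline script body.

    CSP2 digests the exact text between <script> and </script> and
    base64-encodes the digest, giving a token like 'sha256-<base64>'.
    """
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def parse_script_src(policy):
    """Return the source list of the script-src directive, or [] if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def host_source_matches(source, url):
    """Simplified CSP host-source match: optional scheme, host, '*.' wildcard.

    Port and path matching from the spec are omitted (assumption of this toy).
    """
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != url.scheme:
        return False
    if host.startswith("*."):
        return url.hostname is not None and url.hostname.endswith(host[1:])
    return url.hostname == host


def script_allowed(policy, page_origin, inline_text=None, script_url=None):
    """Decide whether a script may run under the policy's script-src directive.

    Give exactly one of inline_text (the script body) or script_url (the src
    attribute). No script-src directive, or a 'none' source, means deny.
    """
    sources = parse_script_src(policy)
    if not sources or "'none'" in sources:
        return False
    if inline_text is not None:
        hash_sources = [s for s in sources if s.startswith("'sha")]
        if hash_sources:
            # CSP2: once a hash source is present, 'unsafe-inline' is ignored
            # and only inline scripts whose digest matches may run.
            computed = {csp_hash_source(inline_text, a) for a in HASH_ALGOS}
            return bool(computed & set(hash_sources))
        return "'unsafe-inline'" in sources
    url = urlsplit(script_url)
    origin = f"{url.scheme}://{url.netloc}"
    for source in sources:
        if source == "*":
            return True
        if source == "'self'":
            if origin == page_origin:
                return True
            continue
        if source.startswith("'"):
            continue  # keyword and hash sources never match an external URL
        if host_source_matches(source, url):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a hidden service page with one legitimate inline
    # script; the address is a placeholder, not a real service.
    page = "http://example-service.onion"
    legit = "document.getElementById('status').textContent = 'ready';"
    tampered = legit + " /* appended after a server compromise */"
    lockdown = "default-src 'self'; script-src 'none'"
    allowlist = "default-src 'self'; script-src " + csp_hash_source(legit)
    print("policy:", allowlist)
    print("lockdown, legit script :", script_allowed(lockdown, page, inline_text=legit))
    print("allowlist, legit script:", script_allowed(allowlist, page, inline_text=legit))
    print("allowlist, tampered    :", script_allowed(allowlist, page, inline_text=tampered))
```

The allowlist policy denies the tampered script because the digest changes on any byte difference; it also denies any external script, since a hash source says nothing about URLs. To accept a script served by URL, the policy would need a host source or `'self'`, which is where the ticket's concern about a breached server applies: a host-based policy trusts whatever that host currently serves, whereas a hash-based one pins the exact script content.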