[tor-bugs] #20019 [Applications/Tor Browser]: Proposal for TOR Browser extension
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Sep 7 23:35:25 UTC 2016
#20019: Proposal for TOR Browser extension
--------------------------------------+-----------------------------------
Reporter: SECUSO_Kristoffer | Owner: tbb-team
Type: enhancement | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by teor):
Replying to [comment:3 SECUSO_Kristoffer]:
> Thanks for your comment!
>
> Currently, like you said, PassSec shows a wrong indicator on onion
> sites. We plan to add an additional case to mark these sites as safe.
Thanks!
> Regarding your second question on the icons: No third party content is
> loaded. All icons/images are included within this add-on. The user's
> choice of any specific icon is therefore not leaked. All computations are
> local, like the different indicators. PassSec checks if https is
> available on a specific website by sending a request to the site the user
> currently visits. PassSec injects the icons locally based on the analysis
> of the website and the request.
The random, persistent choice of icon is vulnerable to server probing via
HTML Canvas, and perhaps other mechanisms.
If it's made persistent on disk, it's also vulnerable to file
fingerprinting, allowing forensic analysis to discover the choice of icon
even if Tor is restarted or "new identity" is chosen.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20019#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online