Securing teh Intarwebs (Ultimate Solution ;)
mikepery at fscked.org
Sun Apr 1 00:21:35 UTC 2007
Thus spake Mike Perry (mikepery at fscked.org):
> 1. It turns off browser plugins when you click a button in the statusbar,
> and also whenever Tor is on.
> 2. It clears your cookies whenever you toggle tor.
> A. The Date() object, which can reveal your timezone
> B. document.getElement* which can be used to probe CSS attributes
> to see if you have visited certain sites or issued certain
> google queries: http://gemal.dk/browserspy/css.html
> C. navigator.oscpu and navigator.platform, two OS revealing strings
> not managed by UserAgentSwitcher.
> 4. It can optionally clear history whenever tor is toggled
> (unfortunately saving non-tor history is not possible yet. Firefox
> DOES have an API to do this, but it is "not implemented").
> KNOWN ISSUES (AKA HELP PLZ!):
> This extension has been tested to work on FF2.0 and FF1.5. FF1.5
> unfortunately lacks a sane TabOpen event, so plugins are not properly
> disabled for new tabs when they open. FF2.0 seems ok.
> I tried the code snippets for FF1.5 for this from
> but I was unable to get it to deliver events just for a tab, and I
> eventually gave up. I am not planning on suppoting FF1.5 ever. If you
> like FF1.5, please submit a patch. It's possible I was just doing
> It might also be nice if someone changed that "J" graphic to a "P" for
> pref (and hooked it up so it actually worked).
UNKNOWN ISSUES (AKA HELP PLZ!):
time to do the research to become one, it doesn't take that long and
is the path to Real Ultimate Power ;), we need to consider if there
Researching techniques on http://gemal.dk/browserspy/ is a good place
to start. http://en.wikipedia.org/wiki/XMLHttpRequest and
http://developer.mozilla.org/en/docs/Gecko_DOM_Reference can't hurt
Obviosuly all sorts of AJAX/XMLHttpRequest stuff can be done by exit
nodes to steal your sessions and such, but they can do that with plain
old cookies anyways. Presumably for anything that matters, you either
use https, disable js, or don't use that site.
Interestingly enough, Tor DOES protect you from JS doing crazy things
like reconfiguring your router and portscanning your intranet (yes,
this CAN be done), since JS will always use proxy settings (modulo
browser vulnerabilities). So hey, we can claim we do in fact provide
some added security! ;)
Mad Computer Scientist
fscked.org evil labs
More information about the tor-dev