Securing teh Intarwebs (Ultimate Solution ;)

Mike Perry mikepery at fscked.org
Sun Apr 1 03:13:31 UTC 2007


Thus spake Mike Perry (mikepery at fscked.org):

> The goal of this extension is to make javascript as safe as it can be
> to use over Tor, modulo browser vulnerabilities (which the FF people
> will actually fix.. They seem to enjoy arbitrary sites being able to
> query their history and search keywords, however.. That is a "feature").

The long-standing firefox bug is:
https://bugzilla.mozilla.org/show_bug.cgi?id=147777

It should be noted that the reason commonly given for not fixing it is
that they don't care about specific URLs being queried and would
rather have styles work properly (why not have both? Obviously they
haven't heard the phrase "Ultimate Solution" :). However, Billy
Hoffman's talk at ShmooCon pointed out that you can query tens of
thousands of URLs per second on a fast machine, more than enough to
troll for permutations of Google keyword searches.


This is probably also worth investigating:
http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/

That technique uses CSS to fetch background images for visited links.
Bear in mind that images can probably be encoded with unique IDs by
exit nodes, so this is probably relevant.

It is possible to enumerate and edit CSS stylesheets using javascript,
so perhaps this can be eliminated with an additional hook in
jshooks.js as well, but there may be issues with getting an event
handler that fires at the right time. You can find archives of me
harassing the mozilla extensions people about event handlers at:
http://groups.google.com/group/mozilla.dev.extensions/browse_thread/thread/0bad4be7ec5ca99b/5525a6040a5395c8#5525a6040a5395c8


Also, it appears that we need to hook
document.defaultView.getComputedStyle(link,null).getPropertyValue();
somehow (perhaps by hooking getComputedStyle and clearing all
properties for its return value if it is an "A" tag, like I do with
document.getElement*, or possibly by hooking the getPropertyValue
method on the returned object) in order to defeat
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

This technique does not seem to work on FF2.0.0.3:
http://www.gnucitizen.org/projects/hscan-redux/poc.htm


Sorry I don't have time for this stuff right now, it is really
interesting and I wish I could do it. I should have more time in ~1
month (unless I discover one of these to be particularly low hanging
fruit and have some downtime on a train one day).



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
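The following is an added example, not code from the post above, from Torbutton or from jshooks.js. It shows the :visited history probe via getComputedStyle that the post wants to defeat, and the two countermeasures the post sketches: editing the page's stylesheets to drop every :visited rule (which also removes the background-image variant, since the rule that would fetch the image is gone), and wrapping getComputedStyle so that anchors hand back a declaration with all properties cleared. The fake window at the bottom, the URLs and the colours are constructed assumptions so the file runs offline; on a real page the same three functions take the actual window and document.

```javascript
'use strict';
// Added example (not from the original post, Torbutton or jshooks.js).
// Everything under "constructed test double" stands in for a browser.

// --- the probe (attacker side) -------------------------------------------
// Create a link per candidate URL, insert it (a detached element has no
// computed style) and compare its computed colour to the a:visited colour.
function sniffHistory(win, urls, visitedColor) {
  const doc = win.document;
  const hits = [];
  for (const url of urls) {
    const a = doc.createElement('a');
    a.href = url;
    doc.body.appendChild(a);
    const color = win.getComputedStyle(a, null).getPropertyValue('color');
    if (color === visitedColor) hits.push(url);
    doc.body.removeChild(a);
  }
  return hits;
}

// --- countermeasure 1: edit the stylesheets --------------------------------
// Delete every rule whose selector mentions :visited. Returns the count.
function scrubVisitedRules(doc) {
  let removed = 0;
  for (const sheet of Array.from(doc.styleSheets)) {
    const rules = sheet.cssRules;  // real browsers throw for cross-origin sheets
    for (let i = rules.length - 1; i >= 0; i--) {
      const sel = rules[i].selectorText;
      if (sel && sel.includes(':visited')) { sheet.deleteRule(i); removed++; }
    }
  }
  return removed;
}

// --- countermeasure 2: hook getComputedStyle -------------------------------
// For <a> elements return a declaration with every property cleared. The
// Proxy also blanks direct reads (style.color), not only getPropertyValue().
function installGetComputedStyleHook(win) {
  const real = win.getComputedStyle;
  const blank = new Proxy({}, {
    get(_t, prop) {
      if (typeof prop === 'symbol') return undefined;
      if (prop === 'getPropertyValue' || prop === 'getPropertyPriority') return () => '';
      if (prop === 'item') return () => null;
      if (prop === 'length') return 0;
      return '';
    },
  });
  win.getComputedStyle = function (el, pseudo) {
    const style = real.call(win, el, pseudo);
    return el && String(el.tagName).toUpperCase() === 'A' ? blank : style;
  };
  return real;  // so the caller can restore the original
}

// --- constructed test double (NOT a real DOM) ------------------------------
// One stylesheet: a { blue } a:visited { red }; last matching rule wins,
// as a 2007-era browser would resolve it.
function makeFakeWindow(visitedUrls) {
  const sheet = {
    cssRules: [
      { selectorText: 'a', style: { color: 'rgb(0, 0, 238)' } },
      { selectorText: 'a:visited', style: { color: 'rgb(255, 0, 0)' } },
    ],
    deleteRule(i) { this.cssRules.splice(i, 1); },
  };
  const body = {
    children: [],
    appendChild(el) { this.children.push(el); },
    removeChild(el) { this.children.splice(this.children.indexOf(el), 1); },
  };
  const matches = (rule, el) => el.tagName === 'A' &&
    (rule.selectorText === 'a' ||
     (rule.selectorText === 'a:visited' && visitedUrls.has(el.href)));
  return {
    document: {
      body,
      styleSheets: [sheet],
      createElement: (tag) => ({ tagName: tag.toUpperCase(), href: '' }),
    },
    getComputedStyle(el) {
      let color = '';
      for (const rule of sheet.cssRules) if (matches(rule, el)) color = rule.style.color;
      return { getPropertyValue: (p) => (p === 'color' ? color : '') };
    },
  };
}

// Probe unprotected, after the stylesheet scrub, and after the hook.
function demo() {
  const visited = new Set(['http://example.com/secret']);  // assumed history
  const probe = ['http://example.com/secret', 'http://example.com/never'];
  const red = 'rgb(255, 0, 0)';
  const out = {};
  let win = makeFakeWindow(visited);
  out.unprotected = sniffHistory(win, probe, red);     // ['http://example.com/secret']
  win = makeFakeWindow(visited);
  out.rulesRemoved = scrubVisitedRules(win.document);  // 1
  out.afterScrub = sniffHistory(win, probe, red);      // []
  win = makeFakeWindow(visited);
  installGetComputedStyleHook(win);
  out.afterHook = sniffHistory(win, probe, red);       // []
  return out;
}

console.log(demo());
```

The stylesheet scrub has the timing problem the post mentions: it must run after each stylesheet is loaded and parsed, and it does nothing for rules a page script adds afterwards, so the getComputedStyle hook is the more robust of the two. Note also that Firefox 4 and later (and other current browsers) make getComputedStyle report the unvisited style for links, so the probe as written only works in browsers of the post's era.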
