Securing teh Intarwebs (Ultimate Solution ;)
mikepery at fscked.org
Sat Mar 31 23:04:33 UTC 2007
something pronounced "Zool". I seem to have survived, but it is quite
possible I may turn into a fire breathing demondog at any moment. Hail
The result of this mad vision quest is a new and improved Torbutton.
Based off of TorButton 1.0.4, it has the following additional features:
1. It turns off browser plugins when you click a button in the statusbar,
and also whenever Tor is on.
2. It clears your cookies whenever you toggle tor.
A. The Date() object, which can reveal your timezone
B. document.getElement* which can be used to probe CSS attributes
to see if you have visited certain sites or issued certain
google queries: http://gemal.dk/browserspy/css.html
C. navigator.oscpu and navigator.platform, two OS revealing strings
not managed by UserAgentSwitcher.
4. It can optionally clear history whenever tor is toggled
(unfortunately saving non-tor history is not possible yet. Firefox
DOES have an API to do this, but it is "not implemented").
to use over Tor, modulo browser vulnerabilities (which the FF people
will actually fix.. They seem to enjoy arbitrary sites being able to
query their history and search keywords, however.. That is a "feature").
This is ALPHA software. It desperately needs someone to review it and
to try to break it. Especially the Date hooks. Those are complicated,
and feeding Date various malformed strings to parse may cause it to
generate a time with an offset from the actual time that reveals your
timezone, among other issues. I tried my best to guard against these
types of issues, but it could really use another pair of eyes. Or
Additionally, it would be nice if someone could verify that popups,
iframes, frames, and other crazy gimpy windows properly hook Date()
and disable plugins. I tested iframes and frames briefly, but I did
not test popups.
I am not terribly interested in maintaining this extension. Especially
not for the next month or so. However, I will consider fixing serious
bugs involving my hooks of Date(), but likely not in any timely
fashion. If absolutely nothing happens with this after a month, I will
add it to my pile of responsibilities. But I should probably find the
time to pay my utilities first. I'm really hoping Scott will pick up my
changes and continue maintaining this extension.
KNOWN ISSUES (AKA HELP PLZ!):
This extension has been tested to work on FF2.0 and FF1.5. FF1.5
unfortunately lacks a sane TabOpen event, so plugins are not properly
disabled for new tabs when they open. FF2.0 seems ok.
I tried the code snippets for FF1.5 for this from
but I was unable to get it to deliver events just for a tab, and I
eventually gave up. I am not planning on supporting FF1.5 ever. If you
like FF1.5, please submit a patch. It's possible I was just doing
It might also be nice if someone changed that "J" graphic to a "P" for
pref (and hooked it up so it actually worked).
BRIEF EXPLANATION OF SOURCE:
Mad Computer Scientist
fscked.org evil labs
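
The post asks for review of the Date() hooks, in particular whether string parsing can still yield a time offset that reveals the timezone. The following is an added example, not part of the original post and not Torbutton's code: a small audit that measures the offset each Date channel discloses, run against a sample hook. The names UtcDate, parseUtc and tzProbes, the sample instant, and the fail-closed ISO-only parser are assumptions made for illustration.

```javascript
// Added example, not Torbutton source. UtcDate, parseUtc and tzProbes are hypothetical names.
const NativeDate = Date;
const ISO = /^(\d{4})-(\d{2})-(\d{2})(?:T(\d{2}):(\d{2})(?::(\d{2}))?(Z|[+-]\d{2}:\d{2})?)?$/;

// Fail-closed parser: only ISO 8601-shaped strings are accepted, zone-less input is
// read as UTC, and page-supplied strings never reach the native local-time parser.
function parseUtc(s) {
  const m = ISO.exec(String(s).trim());
  if (!m) return NaN;
  const t = NativeDate.UTC(+m[1], m[2] - 1, +m[3], +(m[4] || 0), +(m[5] || 0), +(m[6] || 0));
  if (!m[7] || m[7] === 'Z') return t;
  const sign = m[7][0] === '-' ? -1 : 1;
  return t - sign * (m[7].slice(1, 3) * 60 + +m[7].slice(4, 6)) * 60000;
}

// Date replacement that answers as if the machine were in UTC.
// Not covered here: toLocale*String, toDateString, toTimeString.
class UtcDate extends NativeDate {
  constructor(...a) {
    if (a.length === 0) super();
    else if (a.length > 1) super(NativeDate.UTC(...a)); // fields are UTC, not local
    else super(typeof a[0] === 'string' ? parseUtc(a[0]) : a[0]);
  }
  static parse(s) { return parseUtc(s); }
  getTimezoneOffset() { return 0; }
  toString() { return this.toUTCString(); }
}
for (const f of ['FullYear', 'Month', 'Date', 'Day', 'Hours', 'Minutes', 'Seconds', 'Milliseconds']) {
  UtcDate.prototype['get' + f] = NativeDate.prototype['getUTC' + f];
  if (f !== 'Day') UtcDate.prototype['set' + f] = NativeDate.prototype['setUTC' + f];
}

// Offset in minutes east of UTC that a page can infer from each channel of constructor D.
function tzProbes(D) {
  const t = NativeDate.UTC(2007, 0, 15, 12, 0, 0); // constructed sample instant
  const d = new D(t);
  const min = (ms) => Math.round(ms / 60000);
  const m = /GMT([+-])(\d{2})(\d{2})/.exec(String(d));
  return {
    getTimezoneOffset: 0 - d.getTimezoneOffset(),
    localGetters: min(NativeDate.UTC(d.getFullYear(), d.getMonth(), d.getDate(),
      d.getHours(), d.getMinutes()) - t),
    fieldConstructor: min(t - new D(2007, 0, 15, 12, 0, 0).getTime()),
    zonelessString: min(t - new D('2007-01-15T12:00:00').getTime()),
    parseStatic: min(t - D.parse('2007-01-15T12:00:00')),
    toString: m ? (m[1] === '-' ? -1 : 1) * (m[2] * 60 + +m[3]) : 0,
  };
}
```

A non-zero value for any key returned by tzProbes means that channel still discloses the local offset; comparing tzProbes(Date) with tzProbes(UtcDate) shows which channels a hook has closed.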