[tor-dev] Improving Private Browsing Mode/Tor Browser

Mike Perry mikeperry at fscked.org
Thu Jun 23 18:19:45 UTC 2011 

Thus spake Mike Perry (mikeperry at fscked.org):

> Thus spake Robert Ransom (rransom.8774 at gmail.com):
> 
> > On Thu, 23 Jun 2011 10:10:35 -0700
> > Mike Perry <mikeperry at fscked.org> wrote:
> > 
> > > Thus spake Georg Koppen (g.koppen at jondos.de):
> > > 
> > > > > If you maintain two long sessions within the same Tor Browser Bundle
> > > > > instance, you're screwed -- not because the exit nodes might be
> > > > > watching you, but because the web sites' logs can be correlated, and
> > > > > the *sequence* of exit nodes that your Tor client chose is very likely
> > > > > to be unique.
> > > 
> > > I'm actually not sure I get what Robert meant by this statement. In
> > > the absence of linked identifiers, the sequence of exit nodes should
> > > not be visible to the adversary. It may be unique, but what allows the
> > > adversary to link it to actually track the user? Reducing the
> > > linkability that allows the adversary to track this sequence is what
> > > the blog post is about...
> > 
> > By session, I meant a sequence of browsing actions that one web site
> > can link.  (For example, a session in which the user is authenticated
> > to a web application.)  If the user performs two or more distinct
> > sessions within the same TBB instance, the browsing actions within
> > those sessions will use very similar sequences of exit nodes.
> > 
> > The issue is that two different sites can use the sequences of exit
> > nodes to link a session on one site with a concurrent session on
> > another.
> 
> Woah, we're in the hinterlands, tread carefully :).
>
> I still think Tor should just do this, though. Every app should be
> made unlinkable by a simple policy there by default, and we should
> just rate limit it if it gets to intense (similar to NEWNYM rate
> limiting).

Arg. The demons in my head just told me that there exists a stupid
mashup web-app out there just waiting to ruin our day if we do this in
Tor without browser interaction. The demons tell me at least one
stupid banking or shopping-cart site checks to make sure both the IP
address and the cookies match for all pieces of the app to work
together across domains. I think the demons are right. I think this is
why we created TrackHostExits, but the demons just laugh and tell me
that the hosts are not the same in this case.

So perhaps Torbutton controlled per-tab proxy username+password is the
best option? Oh man am I dreading doing that... (The demons laugh
again.)


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20110623/a5cbaadd/attachment-0001.pgp>

More information about the tor-dev mailing list