A warning to proxy writers

Chris Palmer chris at eff.org
Wed Apr 20 23:15:56 UTC 2005


Adam Langley writes:

> http://www.imperialviolet.org/browser-information.html

What are some means of reducing this problem?

* A tweaked JavaScript implementation that responds with different 
  information
* A JavaScript information that is more configurable (configuration is 
  bad, though)
* Disable JavaScript completely; or make JavaScript act like pop-up 
  window control does in Firefox: "This page tried to use JavaScript. 
  Click here to allow this..."
* ...

> Next, any embeds in the HTML can trigger plugins which have their own
> proxy settings. Realmedia objects will almost certainly start a
> connection to the given server, Flash I don't know about, but I would
> guess so. Flash objects can also be used to store cookies which aren't
> handled via Cookie headers nor the browser.
> 
> If the user doesn't have every protocol proxyied then an image link to
> https:// or ftp:// etc could cause a non-Tor connection.

Ugg, yes. This reminds me that John Gilmore has been talking about a
firewall setup that automatically routes TCP circuits through the local
Tor client before they are allowed out of the machine. Getting this to
work cross-platform would be "fun" (write a firewall config for all
major platforms that somehow does not interfere with any other
pre-existing firewall configuration...). The upshot would be that you 
wouldn't have to configure *any* application to use Tor; it just would.


-- 
http://www.eff.org/about/staff/#chris_palmer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20050420/12d9b946/attachment.pgp>


More information about the tor-talk mailing list