Firefox through Tor
mikepery at fscked.org
Thu Apr 27 19:20:18 UTC 2006
Thus spake eric.jung at yahoo.com (eric.jung at yahoo.com):
> >identifiers can be handed to the ad sites that will associate the
> >torrified email account access with the non-torrified ad server
> True, but I don't see how this is a result of FoxyProxy. IOW, doesn't
> this problem exist when using Tor exclusively without FoxyProxy?
> >Does XPCOM allow you to solve this problem somehow?
> I'm not sure I fully understand the problem yet (please elaborate),
So the problem is that a motivated adversary can subpoena or simply
ask DoubleClick to hand over their IP/cookie logs. If you are using
Tor for /everything/, then what they get from DoubleClick for that
email address is just a Tor IP, no harm no foul. However, if the user
had set up a filter that only sends *yahoo.com through Tor, then
DoubleClick will have their /real IP/ on file in association with
whatever unique ID yahoo passed for that email address, even though
yahoo's records show only the Tor IP.
See the problem?
> but if you're asking whether XPCOM allows one to use a proxy on/off
> based on a page and all its components (images, css files, js files), the
> answer is yes.
Yes, excellent. That is the property that is needed. If you use that
level of control, you are fine.
Incidentally, the problem above can happen with ftp://, gopher:// and
whatever other protocol the browser might accept, so make sure you are
updating all proxy settings for each page.
Mad Computer Scientist
fscked.org evil labs
More information about the tor-talk