Firefox through Tor

Mike Perry mikepery at fscked.org
Sat Apr 29 03:48:42 UTC 2006


Thus spake Eric H. Jung (eric.jung at yahoo.com):

> Hello Michaels,
> 
> I apologize for the delayed reply. Please don't interpret the delay as
> a lack of interest--it surely isn't.
> 
> Quoting Mike Perry:
> >Just clearing cookies every time there is a switch is not enough if
> >there is an automatic Tor filter in place.
> 
> >The problem is that yahoo can custom-generate its links to DoubleClick
> >so they encode your email address (dunno if they do do this, but I'm
> >sure some sites and ad partners do). Therefore identifying information
> >is sent independent of the cookie.
> 
> I hope you'll both agree there's nothing FoxyProxy can do about this.
> Unless you have a striking revelation which could solve the problem
> programmatically, I'm just going to add this to the FoxyProxy FAQ as a
> "be careful" warning in an attempt to educate.

Depending on the flexibility of XPCOM, it should be possible to solve
this problem programmatically (but it is error-prone).

I probably should summarize everything from this thread again just so
you have it all in one place:

The way to solve the problem is to make sure that all embedded object
links are in fact loaded through the active proxy for the parent
tab/page. This includes frames, iframes, css, js, images, java, flash,
and other misc plugin objects. Probably some other stuff too.

So long as the 'evil' link-object is loaded through Tor, the problem
is solved. The assumption is that the information encoded in the
link isn't compromising by itself, but that the danger is that the
browser will autoload the link in the clear and thus your real IP will
be in that server's logs associating you with your Torrified email
account.

Also, because of accidental clicks, phishing attacks, and referrer
urls, user followed links should also be protected. Pretty much
anything the user follows from a protected, proxied page should
inherit that page's proxy settings (including links followed by
opening them in a new tab/window).

Lastly, as Michael pointed out, you have to clear all cookies
every time a proxy switch is done (mega bonus points for a mechanism to
protect certain cookies from deletion à la
http://cookieculler.mozdev.org/). If you do not do this, a cookie
accessed from an ad banner displayed while you are visiting a site in
the clear can be transmitted again when you access your email account
through Tor, thus ruining your pseudonymity against an adversary with
access to the ad server's data (assume everyone). The reverse is also
possible, so cookies have to be cleared in each direction of the
switch.

Even with all these countermeasures, the type of filter where you
specify only untrusted/Tor sites is error prone and should carry heavy
warnings for people who truly need anonymity, and needs to be tested
heavily by vigilant people with a wide variety of usage habits.

I do think that it should be possible to build such a filter though.
And it would be very very nice to have.

> I forgot to mention that if a URL doesn't match any patterns defined
> in FoxyProxy, FoxyProxy *does not* default to a direct
> connection. Instead, it defaults to whatever proxy
> (if any) has been defined in Firefox's Connection Settings.
>
> By defining Tor as the proxy in Firefox's Connection Settings, Tor
> is used as a "catch-all" for non-matches.
>
> I'll shortly be adding blacklist capability to FoxyProxy (it already
> has whitelist ability). That, in conjunction with the above
> "catch-all", should provide enough ingredients to come up with some
> safe recipe for some of the problems both of you describe, no?

Yes, inverting the filter so that you list only sites that you trust
to connect to in the clear is a much safer option (and much easier to
implement!), but my guess is that it will be much less popular than
the ability to specify the sites you only want to visit through Tor
(i.e. gmail/yahoo/.onion). Therein lies the dilemma.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
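The two filter directions Mike compares above, modelled as an added example (not FoxyProxy's code, and not the real FoxyProxy pattern syntax): a per-URL rule table either lists the Tor-only sites with a direct default, or lists the trusted-direct sites with a Tor catch-all, and embedded objects either pick their own proxy or inherit the parent page's. The page, ad and CDN URLs are constructed sample data; `ads.example.net` and `trusted.example` are placeholders.

```python
"""Model of proxy selection for a page and the objects it embeds (constructed example)."""
from urllib.parse import urlparse

TOR, DIRECT = "tor", "direct"

# Constructed sample page: a mail inbox that embeds a tracking pixel carrying the
# user's address in the query string, plus a stylesheet from the site's own CDN.
PAGE = "https://mail.yahoo.com/inbox"
EMBEDS = [
    "https://ads.example.net/px?u=alice%40yahoo.com",  # placeholder ad host
    "https://static.yahoo.com/mail.css",
]


def host_matches(host, pattern):
    """Simplified wildcard rule: '*.yahoo.com' matches yahoo.com and any subdomain."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def select_proxy(url, patterns, listed, default):
    """Hosts matching a pattern get `listed`; every other host gets `default`."""
    host = urlparse(url).hostname or ""
    return listed if any(host_matches(host, p) for p in patterns) else default


def page_load(page_url, embedded_urls, patterns, listed, default, inherit):
    """Return {url: proxy} for the page and its embedded objects.

    inherit=True applies the fix from the thread: every embedded object is
    fetched through whatever proxy the parent tab/page was loaded through.
    """
    parent = select_proxy(page_url, patterns, listed, default)
    plan = {page_url: parent}
    for u in embedded_urls:
        plan[u] = parent if inherit else select_proxy(u, patterns, listed, default)
    return plan


def leaked(plan, page_url):
    """Embedded loads that go out in the clear while the parent page went through Tor."""
    if plan[page_url] != TOR:
        return []
    return sorted(u for u, p in plan.items() if u != page_url and p == DIRECT)


# Direction 1: list only the Tor sites, everything else direct.
tor_list_naive = leaked(page_load(PAGE, EMBEDS, ["*.yahoo.com"], TOR, DIRECT, False), PAGE)
tor_list_inherit = leaked(page_load(PAGE, EMBEDS, ["*.yahoo.com"], TOR, DIRECT, True), PAGE)
# Direction 2 (inverted): list only trusted direct sites, Tor as the catch-all.
trusted_list = leaked(page_load(PAGE, EMBEDS, ["*.trusted.example"], DIRECT, TOR, False), PAGE)
```

Running the three cases shows the naive Tor-site list sending the ad pixel (and the encoded address) in the clear, while both the inherit-from-parent fix and the inverted catch-all keep every load on Tor.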



More information about the tor-talk mailing list