Mike Perry's FoxyProxy concerns with Tor

Mike Perry mikepery at fscked.org
Fri May 12 21:10:02 UTC 2006 

Thus spake Eric H. Jung (eric.jung at yahoo.com):

> > I wanted to reply to this thread but long ago deleted it:
> > http://archives.seul.org/or/talk/Apr-2006/msg00130.html
> > 
> > To anyone concerned about the possibility of privacy leaks by using
> > FoxyProxy with Tor, I'd like your feedback about this:
> > 
> > Someone suggested an idea which might alleviate these (see
> > http://s9.invisionfree.com/foxyproxy/index.php?showtopic=18)
> > 
> > To summarize: what if each configured proxy had its own set of
> > cookies?
> > As you switch (manually of automatically) between proxies, the
> > relevent
> > cookie set is used. Each cookie set would be stored in its own silo,
> > preventing the need for clearing of cookies and also preventing
> > "cross-over"; that is, cookies written when proxy "x" was in use
> > could
> > not be read when proxy "y" is in use.
>
> Nevermind. I forgot about URL parameters.

So in the process of my composing this email it seems ganba has posted
pretty much the same thing in that forum post, but what the hell.
 
URLs should be viewed as being a seperate problem from cookies. I like
this cookie solution a lot, esp if it is easy to edit/purge the
cookies for each proxy seperately. The solution becomes truly awesome
if you are able to define collections of cookies as selectable "nyms"
under each proxy, but I could see the interface for this becoming
confusing.

URLs however should be rigged so as to load in the current proxy for
that page, be they frames, css, js, image links, flash objects, java, ftp,
gopher, or just plain http links that the user clicked on. This
corresponds to the "page action problem" ganba mentions. The problem
extends to the loading of multiple pages concurrently under two
different proxy rules. You need to make sure there are no concurrency
problems with either URLs or cookies.

Again, so long as encoded URLs are loaded with the same proxy settings
as the parent page, I believe that the URL problem is solved (even if
they do happen to encode cookie values).

I (and I'm sure many others too) am really glad you are working on
these problems. I think it is a very important practical step towards
real privacy on the web for the average user. A big thank you from
those of us who wish they had the time to offer to help!

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

More information about the tor-talk mailing list