Securing teh Intarwebs (Ultimate Solution ;)

Mike Perry mikepery at fscked.org
Sun Apr 1 00:21:35 UTC 2007


Thus spake Mike Perry (mikepery at fscked.org):

> 1. It turns off browser plugins when you click a button in the statusbar,
>    and also whenever Tor is on.
> 
> 2. It clears your cookies whenever you toggle tor.
> 
> 3. It hooks "dangerous" javascript functions, including:
>    A. The Date() object, which can reveal your timezone
>    B. document.getElement* which can be used to probe CSS attributes
>       to see if you have visited certain sites or issued certain
>       google queries: http://gemal.dk/browserspy/css.html
>    C. navigator.oscpu and navigator.platform, two OS revealing strings
>       not managed by UserAgentSwitcher.
> 
> 4. It can optionally clear history whenever tor is toggled
>    (unfortunately saving non-tor history is not possible yet. Firefox
>     DOES have an API to do this, but it is "not implemented").

> KNOWN ISSUES (AKA HELP PLZ!):
> 
> This extension has been tested to work on FF2.0 and FF1.5. FF1.5
> unfortunately lacks a sane TabOpen event, so plugins are not properly
> disabled for new tabs when they open. FF2.0 seems ok.
> 
> I tried the code snippets for FF1.5 for this from
> http://developer.mozilla.org/en/docs/Code_snippets:Tabbed_browser
> but I was unable to get it to deliver events just for a tab, and I
> eventually gave up. I am not planning on supporting FF1.5 ever. If you
> like FF1.5, please submit a patch. It's possible I was just doing
> something dumb. I did only learn javascript 5 days ago :)
> 
> It might also be nice if someone changed that "J" graphic to a "P" for
> plugins, and also made a button for toggling the javascript.enabled
> pref (and hooked it up so it actually worked).

UNKNOWN ISSUES (AKA HELP PLZ!):

If there are any javascript gurus on the list (or if anyone has the
time to do the research to become one, it doesn't take that long and
is the path to Real Ultimate Power ;), we need to consider if there
are any other javascript issues that we should be concerned about. 

Researching techniques on http://gemal.dk/browserspy/ is a good place
to start. http://en.wikipedia.org/wiki/XMLHttpRequest and
http://developer.mozilla.org/en/docs/Gecko_DOM_Reference can't hurt
either.

Obviously all sorts of AJAX/XMLHttpRequest stuff can be done by exit
nodes to steal your sessions and such, but they can do that with plain
old cookies anyways. Presumably for anything that matters, you either
use https, disable js, or don't use that site.

Interestingly enough, Tor DOES protect you from JS doing crazy things
like reconfiguring your router and portscanning your intranet (yes,
this CAN be done), since JS will always use proxy settings (modulo
browser vulnerabilities). So hey, we can claim we do in fact provide
some added security! ;)



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
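
An added example, not code from the extension or from this post: a sketch of the hooking described in items 3A and 3C of the quoted list, where Date reports UTC and the two OS strings are replaced. hookDate, maskNavigator and the stand-in navigator object are hypothetical names, and the fake OS strings are constructed values.

```javascript
// Added illustration; hookDate and maskNavigator are hypothetical names.
function hookDate(RealDate) {
  // Subclassing keeps `new`, Date.now(), Date.parse() and instanceof working.
  class MaskedDate extends RealDate {
    constructor(...args) {
      // Component form (year, month, ...) is normally read as local time,
      // so its timestamp would expose the offset; read it as UTC instead.
      if (args.length > 1) super(RealDate.UTC(...args));
      else super(...args);
    }
    getTimezoneOffset() { return 0; }
    toString() { return this.toUTCString(); }
    toLocaleString() { return this.toUTCString(); }
  }
  const parts = ["FullYear", "Month", "Date", "Day", "Hours", "Minutes",
                 "Seconds", "Milliseconds"];
  for (const part of parts) {
    // Local getters and setters are routed to their UTC counterparts.
    MaskedDate.prototype["get" + part] = function () {
      return this["getUTC" + part]();
    };
    if (part === "Day") continue; // there is no setDay()
    MaskedDate.prototype["set" + part] = function (...a) {
      return this["setUTC" + part](...a);
    };
  }
  return MaskedDate;
}

function maskNavigator(nav, fake) {
  for (const key of ["oscpu", "platform"]) {
    // A non-configurable getter cannot be deleted or redefined by page script.
    Object.defineProperty(nav, key, {
      get: () => fake[key], enumerable: true, configurable: false,
    });
  }
  return nav;
}

// Constructed stand-ins; in a browser these would be window.Date and navigator.
const MaskedDate = hookDate(Date);
const nav = maskNavigator({ oscpu: "Linux x86_64", platform: "Linux x86_64" },
                          { oscpu: "Windows NT 5.1", platform: "Win32" });
const stamp = new MaskedDate(2007, 3, 1, 0, 21, 35);
console.log(stamp.getTimezoneOffset(), stamp.toString(), nav.platform);
```

Date strings without a zone designator, the remaining formatters such as toTimeString(), and Intl are not covered by this sketch.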


