Securing teh Intarwebs (Ultimate Solution ;)

Mike Perry mikepery at fscked.org
Sat Mar 31 23:04:33 UTC 2007


So I've spent the last week buried in javascript, xml, xbl, and
something pronounced "Zool". I seem to have survived, but it is quite
possible I may turn into a fire breathing demondog at any moment. Hail
Gozer.

The result of this mad vision quest is a new and improved Torbutton.
Based off of TorButton 1.0.4, it has the following additional features:

1. It turns off browser plugins when you click a button in the statusbar,
   and also whenever Tor is on.

2. It clears your cookies whenever you toggle tor.

3. It hooks "dangerous" javascript functions, including:
   A. The Date() object, which can reveal your timezone
   B. document.getElement* which can be used to probe CSS attributes
      to see if you have visited certain sites or issued certain
      google queries: http://gemal.dk/browserspy/css.html
   C. navigator.oscpu and navigator.platform, two OS revealing strings
      not managed by UserAgentSwitcher.

4. It can optionally clear history whenever tor is toggled
   (unfortunately saving non-tor history is not possible yet. Firefox
    DOES have an API to do this, but it is "not implemented").


http://fscked.org/proj/minihax/TorButton/TorButton-1.1.0-alpha-dev.xpi

The goal of this extension is to make javascript as safe as it can be
to use over Tor, modulo browser vulnerabilities (which the FF people
will actually fix.. They seem to enjoy arbitrary sites being able to
query their history and search keywords, however.. That is a "feature").


ALPHA WARNING:

This is ALPHA software. It desperately needs someone to review it and
to try to break it. Especially the Date hooks. Those are complicated,
and feeding Date various malformed strings to parse may cause it to
generate a time with an offset from the actual time that reveals your
timezone, among other issues. I tried my best to guard against these
types of issues, but it could really use another pair of eyes. Or
several.

Additionally, it would be nice if someone could verify that popups,
iframes, frames, and other crazy gimpy windows properly hook Date()
and disable plugins. I tested iframes and frames briefly, but I did
not test popups.


ABANDONWARE WARNING:

I am not terribly interested in maintaining this extension. Especially
not for the next month or so. However, I will consider fixing serious
bugs involving my hooks of Date(), but likely not in any timely
fashion. If absolutely nothing happens with this after a month, I will
add it to my pile of responsibilities. But I should probably find the
time to pay my utilities first. I'm really hoping Scott will pick up my
changes and continue maintaining this extension.


KNOWN ISSUES (AKA HELP PLZ!):

This extension has been tested to work on FF2.0 and FF1.5. FF1.5
unfortunately lacks a sane TabOpen event, so plugins are not properly
disabled for new tabs when they open. FF2.0 seems ok.

I tried the code snippets for FF1.5 for this from
http://developer.mozilla.org/en/docs/Code_snippets:Tabbed_browser
but I was unable to get it to deliver events just for a tab, and I
eventually gave up. I am not planning on supporting FF1.5 ever. If you
like FF1.5, please submit a patch. It's possible I was just doing
something dumb. I did only learn javascript 5 days ago :)

It might also be nice if someone changed that "J" graphic to a "P" for
plugins, and also made a button for toggling the javascript.enabled
pref (and hooked it up so it actually worked).


BRIEF EXPLANATION OF SOURCE:

XPIs are zips of jar files that contain javascript and xml. The jar
files themselves are also zips. The javascript hooking magic is done
in jshooks.js. The plugin toggling and events for javascript are in
torbutton.js.


Good luck!


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
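
A reviewer answering the call above to test the Date hooks could start from a probe list like this one. It is an added example, not part of the original post and not Torbutton's jshooks.js: `pinnedDate` and `auditDate` are hypothetical names, the instant and strings are constructed, and it assumes a modern JavaScript engine with ISO 8601 parsing rather than FF1.5/FF2.0.

```javascript
// Added example; pinnedDate and auditDate are hypothetical names, not Torbutton code.
const T0 = Date.UTC(2007, 2, 31, 23, 4, 33); // constructed fixed instant
const ISO = "2007-03-31T23:04:33";           // same wall-clock time, no zone given

// Fixture: a Date whose "local" zone is pinned to tzo minutes west of UTC.
// pinnedDate(0) models a hook that answers everything in UTC;
// pinnedDate(300) stands in for an unhooked browser in UTC-5.
function pinnedDate(tzo) {
  const hasZone = (s) => /(Z|[+-]\d\d:?\d\d)$/.test(s);
  const parse = (s) => (hasZone(s) ? Date.parse(s) : Date.parse(s + "Z") + tzo * 60000);
  const local = (d) => new Date(d.getTime() - tzo * 60000); // wall clock in the pinned zone
  return class extends Date {
    constructor(...a) {
      if (a.length > 1) super(Date.UTC(...a) + tzo * 60000); // fields are local time
      else if (typeof a[0] === "string") super(parse(a[0]));
      else super(...a);
    }
    static parse(s) { return parse(String(s)); }
    getTimezoneOffset() { return tzo; }
    getHours() { return local(this).getUTCHours(); }
    toString() { return local(this).toUTCString(); }
  };
}

// Returns the names of the probes through which D reveals a non-UTC zone.
function auditDate(D) {
  const leaks = [];
  const d = new D(T0);
  if (d.getTimezoneOffset() !== 0) leaks.push("getTimezoneOffset");
  if (d.getHours() !== d.getUTCHours()) leaks.push("getHours");
  if (!String(d).includes("23:04:33")) leaks.push("toString");
  // A zone-less string is read as local time, so its distance from T0 is the offset.
  if (D.parse(ISO) !== T0) leaks.push("parse");
  if (new D(ISO).getTime() !== T0) leaks.push("constructor(string)");
  if (new D(2007, 2, 31, 23, 4, 33).getTime() !== T0) leaks.push("constructor(fields)");
  return leaks;
}

console.log("pinned to UTC:", auditDate(pinnedDate(0)));
console.log("UTC-5 fixture:", auditDate(pinnedDate(300)));
console.log("host Date    :", auditDate(Date)); // depends on this machine's zone
```

Run inside each window context (popup, frame, iframe) with that context's own `Date`, an empty result means none of these six probes saw an offset; it does not cover other formatting methods or malformed input.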


