Torbutton Documentation - Adversary Capabilities.

Mike Perry mikeperry at fscked.org
Thu Jul 15 07:21:07 UTC 2010


Thus spake Matthew (pumpkin at cotse.net):

>  So to go back to the OP's question (my question)....what do people think 
> of my questions about JavaScript being able to obtain non-Tor IPs when 
> wiping the cache?

If you are also restarting the browser, or closing all windows, you
are probably safe from most direct javascript attack vectors. The main
danger is in leaving pages open after changing proxy settings. Then
direct unmasking is possible. Identifiers can be stored in the page
javascript itself.

However, Javascript still has quite a bit of ability to fingerprint you
based on your desktop resolution, user agent, timezone, and many other
things. Torbutton does a good job of blocking a lot of the
fingerprintable attributes, which makes it hard to correlate your
non-tor browser fingerprint to your tor browser fingerprint. More work
still needs to be done here, but we do handle quite a bit of the major
fingerprinting sources.

See also: https://wiki.mozilla.org/Fingerprinting


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
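
The fingerprint-correlation risk described in the message above, as an added example that is not part of the original post or of Torbutton's code: a self-audit that checks which attribute values a non-Tor and a Tor browser profile share, and how many profiles in a sample population report the same values. The snapshots, the `UNIFORM` values and all function names are constructed assumptions.

```javascript
// Attributes the message names as fingerprintable.
const ATTRS = ["resolution", "userAgent", "timezoneOffset"];

// Hypothetical uniform values a privacy tool could report to every site
// (assumed for illustration; not Torbutton's actual settings).
const UNIFORM = { resolution: "1000x600", userAgent: "UA-generic", timezoneOffset: 0 };

// Replace the real value with the uniform one for each listed attribute.
function normalize(snapshot, attrs = ATTRS) {
  const out = { ...snapshot };
  for (const a of attrs) out[a] = UNIFORM[a];
  return out;
}

// Attributes whose values are identical in both snapshots.
function sharedAttributes(a, b) {
  return ATTRS.filter((k) => a[k] === b[k]);
}

// How many profiles in the population report exactly the same values.
function anonymitySetSize(snapshot, population) {
  return population.filter(
    (p) => sharedAttributes(snapshot, p).length === ATTRS.length
  ).length;
}

// Audit: can what the Tor profile reports be tied back to the non-Tor profile?
function audit(nonTor, torReported, torPopulation) {
  const shared = sharedAttributes(nonTor, torReported);
  return {
    shared,
    linkable: shared.length === ATTRS.length,
    anonymitySet: anonymitySetSize(torReported, torPopulation),
  };
}

// Constructed sample data: one user's real attributes and three other users.
const mine = { resolution: "1680x1050", userAgent: "UA-desktop-A", timezoneOffset: -480 };
const others = [
  { resolution: "1280x800", userAgent: "UA-desktop-B", timezoneOffset: 60 },
  { resolution: "1024x768", userAgent: "UA-desktop-C", timezoneOffset: 0 },
  { resolution: "1680x1050", userAgent: "UA-desktop-D", timezoneOffset: -480 },
];
const everyone = [mine, ...others];

// Tor profile reporting real values vs. reporting uniform values.
const leaky = audit(mine, mine, everyone);
const masked = audit(mine, normalize(mine), everyone.map((p) => normalize(p)));
console.log({ leaky, masked });
```

With real values the Tor profile matches only the user's own non-Tor profile; with every attribute normalized it shares nothing with that profile and is indistinguishable from the rest of the sample.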

More information about the tor-talk mailing list