Firefox ctrl-shift-del vs. Torbutton

Robert Ransom rransom.8774 at gmail.com
Fri Oct 29 03:55:20 UTC 2010


On Thu, 28 Oct 2010 20:57:24 -0400
grarpamp <grarpamp at gmail.com> wrote:

> For the users who have checked all the c-s-d checkboxes and reviewed
> all the firefox.edit.preferences pages...
> 
> For any given phase/method of browsing/usage, does torbutton clear
> any additional state beyond what c-s-d clears?

Torbutton clears TLS session resumption information out of the browser,
which is not listed in the ‘Clear Recent History...’ dialog, when the
user toggles between Tor and non-Tor browsing:


On Wed, 27 Oct 2010 16:41:57 -0700
Mike Perry <mikeperry at fscked.org> wrote:

> Thus spake Seth David Schoen (schoen at eff.org):
> 
> > > Hi,
> > > I don't understand, too and in my opinion, this is utter nonsense. I'm
> > > not aware of any negative impacts on privacy due to the usage of
> > > https://,
> > 
> > Session resumption can be used to recognize an individual browser
> > that connects from different IP addresses, or even over Tor.  This
> > kind of recognition can be perfect because the resumption involves
> > a session key which is large, random, and could not legitimately
> > have been known to any other browser. :-(
> 
> This is not true if the user is using Torbutton. See the paragraph
> about security.enable_ssl2 in:
> https://www.torproject.org/torbutton/en/design/#browseroverlay
> 
> This hack causes us to clear all TLS session ID and resumption state.
> It's bloody, but it works. Firefox has also created an official API
> for us to do this the "right" way that we will begin using in 1.2.6:
> https://trac.torproject.org/projects/tor/ticket/1624





> Particularly with regard to transmittable data [whether remotely or
> locally generated], as opposed to non-transmittable data that is merely
> cached such as images, etc.

The cache can be used to store pieces of HTML, CSS, and JavaScript
containing unique identifiers, which can then be transmitted back to a
server in various ways (even without JavaScript).


Robert Ransom
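
A simplified model of the session-resumption linkage discussed in this message, and of why clearing the session cache on a Tor toggle breaks it. This is an added example, not code from Torbutton, Firefox or anyone in this thread; it does not perform real TLS, and the class names, hostname and addresses are constructed for illustration.

```python
import secrets

class Server:
    """Toy TLS server: issues session IDs and logs (source_ip, session_id)."""
    def __init__(self):
        self.sessions = set()
        self.log = []

    def handshake(self, source_ip, offered_id=None):
        # Resume if the client offers an ID we issued; otherwise issue a new one.
        resumed = offered_id in self.sessions
        sid = offered_id if resumed else secrets.token_hex(16)
        self.sessions.add(sid)
        self.log.append((source_ip, sid))
        return sid

class Browser:
    """Toy client with a per-host session cache (stand-in for the TLS cache)."""
    def __init__(self, clear_on_toggle):
        self.cache = {}
        self.clear_on_toggle = clear_on_toggle
        self.source_ip = "198.51.100.7"      # constructed non-Tor address

    def toggle_tor(self, exit_ip):
        self.source_ip = exit_ip
        if self.clear_on_toggle:             # the behaviour attributed to Torbutton
            self.cache.clear()

    def connect(self, host, server):
        self.cache[host] = server.handshake(self.source_ip, self.cache.get(host))

def linked_ips(log):
    """Server-side view: session IDs observed from more than one address."""
    seen = {}
    for ip, sid in log:
        seen.setdefault(sid, set()).add(ip)
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}

def run(clear_on_toggle):
    server = Server()
    browser = Browser(clear_on_toggle)
    browser.connect("example.org", server)   # before the toggle
    browser.toggle_tor("203.0.113.50")       # constructed exit address
    browser.connect("example.org", server)   # after the toggle
    return linked_ips(server.log)

if __name__ == "__main__":
    print("cache kept:   ", run(clear_on_toggle=False))
    print("cache cleared:", run(clear_on_toggle=True))
```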