[tor-talk] New HTTP authorization attack

Mike Perry mikeperry at fscked.org
Tue Aug 23 04:56:37 UTC 2011


Thus spake tor at lists.grepular.com (tor at lists.grepular.com):

> On 22/08/11 20:08, stringer at hushmail.me wrote:
> 
> > "The JonDoFox research team has uncovered a new attack on web 
> > browsers: Affected are the web browsers Firefox, Chrome and Safari. 
> > By a hidden call of a URL with HTTP authentication data, third 
> > party sites could track a user over several web sites, even if the 
> > user blocks all cookies and other tracking procedures. For doing 
> > this, it is sufficient to include a simple CSS file:
> > <link rel="stylesheet" type="text/css" 
> > href="http://Session:638431048@ipcheck.info/auth.css.php">
> 
> FWIW, there are many ways to track a browser cross-site and across
> restarts, even if you have javascript and cookies and flash cookies
> disabled. I recently blogged about a bunch of them which abuse the
> browser cache here:
> 
> https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache

None of this is news.

FYI, Torbutton traditionally handled both HTTP auth and cache through
the toggle feature. I've since realized that the toggle model was
broken, and we've been trying to supplant it in the 2.2.x Tor Browser
Bundles:

https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton
https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

Our first defense for TBB users is the "New Identity" feature, which
will appear in 1.4.1 of Torbutton*:
https://trac.torproject.org/projects/tor/ticket/523

Depending on how things go, we may or may not isolate HTTP auth to a
urlbar domain in Torbutton 1.4.1, but it is also on the roadmap for TBB
2.2.x-stable:
https://trac.torproject.org/projects/tor/ticket/3748


* "New Identity" will only work on Tor Browser Bundles.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
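
An added example, not part of the original message and not Torbutton code: a simplified JavaScript (Node.js) model of an HTTP auth credential cache, showing why keying the cache by urlbar domain keeps a third party from seeing the same identifier on unrelated sites. The hosts site-a.example and site-b.example, the AuthCache class, and the use of the plain hostname as the urlbar domain are assumptions; realm handling and 401 challenges are left out.

```javascript
// Simplified model of a browser's HTTP auth credential cache (constructed for
// illustration; an assumption, not Torbutton or Firefox code).
class AuthCache {
  constructor(isolateByUrlbarDomain) {
    this.isolate = isolateByUrlbarDomain;
    this.store = new Map();
  }

  // Cache key: auth origin alone (shared), or urlbar host + auth origin.
  key(urlbarHost, origin) {
    return this.isolate ? `${urlbarHost}|${origin}` : origin;
  }

  // Load resourceUrl while pageUrl is in the urlbar. Returns the
  // Authorization header value that would be attached, or null.
  fetch(pageUrl, resourceUrl) {
    const page = new URL(pageUrl);
    const res = new URL(resourceUrl);
    const k = this.key(page.hostname, res.origin);
    if (res.username) {
      // Credentials embedded in the URL are remembered for later requests.
      const cred = `${decodeURIComponent(res.username)}:${decodeURIComponent(res.password)}`;
      this.store.set(k, "Basic " + Buffer.from(cred).toString("base64"));
    }
    return this.store.get(k) ?? null;
  }
}

// Constructed scenario: two unrelated sites embed the same third-party CSS.
function crossSiteHeaders(isolate) {
  const cache = new AuthCache(isolate);
  const tagged = "http://Session:638431048@ipcheck.info/auth.css.php"; // URL from the quoted report
  const plain = "http://ipcheck.info/auth.css.php";
  return {
    siteA: cache.fetch("http://site-a.example/", tagged),
    siteB: cache.fetch("http://site-b.example/", plain),
    siteAAgain: cache.fetch("http://site-a.example/news", plain),
  };
}

// True when the third party receives the same credential on both sites.
function linkable(isolate) {
  const h = crossSiteHeaders(isolate);
  return h.siteB !== null && h.siteA === h.siteB;
}

console.log("shared cache linkable:", linkable(false));
console.log("isolated cache linkable:", linkable(true));
```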