[tor-talk] New HTTP authorization attack

tor at lists.grepular.com
Tue Aug 23 08:29:45 UTC 2011


On 23/08/11 05:56, Mike Perry wrote:

>> FWIW, there are many ways to track a browser cross-site and across
>> restarts, even if you have javascript and cookies and flash cookies
>> disabled. I recently blogged about a bunch of them which abuse the
>> browser cache here:
>>
>> https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
> 
> None of this is news.
> 
> FYI, Torbutton traditionally handled both HTTP auth and cache through
> the toggle feature. I've since realized that the toggle model was
> broken, and we've been trying to supplant it in the 2.2.x Tor Browser
> Bundles:

If you read the article, you'll see that clearing the cache on toggle
isn't enough. The cache should be completely disabled. If not, you could
visit sitea.com, then visit siteb.com, and they could easily figure out
that you're the same person. Even if you're coming from a different Tor
exit node, even if you clear cookies in between. That is unless you have
the patience to only visit one site at a time, and toggle off/on between
each different site visit.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
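An added model of the argument above (example code, not part of this thread and not Torbutton's code): a constructed third-party beacon identifies the browser through an ETag that is handed out on a cache miss and echoed back on revalidation, and the three policies under discussion (cache cleared on toggle, cache disabled, toggle between every site) are compared for whether visits to sitea.com and siteb.com become linkable. The names `tracker.example`, `Tracker`, `Browser` and `linked_visits` are assumptions of the model.

```python
import secrets

BEACON = "tracker.example/beacon.js"  # constructed third-party resource URL

class Tracker:
    """Third-party resource every site embeds; identifiers ride in the ETag."""

    def __init__(self):
        self.seen = []  # (site, identifier) per request, for the analysis below

    def serve(self, site, if_none_match):
        if if_none_match is None:  # cache miss: hand out a fresh identifier
            if_none_match = secrets.token_hex(8)
        self.seen.append((site, if_none_match))  # revalidation echoes the old one
        return if_none_match  # ETag the browser stores alongside the resource

class Browser:
    """One-entry cache for BEACON; toggle() clears it, cache_enabled=False bypasses it."""

    def __init__(self, tracker, cache_enabled=True):
        self.tracker, self.cache_enabled, self.cache = tracker, cache_enabled, {}

    def visit(self, site):
        cached = self.cache.get(BEACON) if self.cache_enabled else None
        etag = self.tracker.serve(site, cached)  # conditional request if cached
        if self.cache_enabled:
            self.cache[BEACON] = etag

    def toggle(self):
        self.cache.clear()  # what "clear the cache on toggle" amounts to

def linked_visits(policy):
    """True if the tracker can tie sitea.com and siteb.com to one browser."""
    tracker = Tracker()
    if policy == "disabled":  # cache off: every fetch is an unconditional miss
        b = Browser(tracker, cache_enabled=False)
        b.visit("sitea.com"); b.visit("siteb.com")
    elif policy == "clear_on_toggle":  # toggle once per session, sites in between
        b = Browser(tracker); b.toggle()
        b.visit("sitea.com"); b.visit("siteb.com"); b.toggle()
    elif policy == "toggle_between_sites":  # toggle after every single site
        b = Browser(tracker); b.visit("sitea.com"); b.toggle(); b.visit("siteb.com")
    else:
        raise ValueError(policy)
    ids = {}
    for site, ident in tracker.seen:
        ids.setdefault(site, set()).add(ident)
    return bool(ids["sitea.com"] & ids["siteb.com"])
```

Only the "clear_on_toggle" policy leaves the two visits linkable, which is the point of the reply: clearing on toggle helps only if the user toggles between every site.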
