[tor-talk] New HTTP authorization attack

Mike Perry mikeperry at fscked.org
Tue Aug 23 15:23:55 UTC 2011


Thus spake tor at lists.grepular.com (tor at lists.grepular.com):

> On 23/08/11 05:56, Mike Perry wrote:
> 
> >> FWIW, there are many ways to track a browser cross-site and across
> >> restarts, even if you have javascript and cookies and flash cookies
> >> disabled. I recently blogged about a bunch of them which abuse the
> >> browser cache here:
> >>
> >> https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
> > 
> > None of this is news.
> > 
> > FYI, Torbutton traditionally handled both HTTP auth and cache through
> > the toggle feature. I've since realized that the toggle model was
> > broken, and we've been trying to supplant it in the 2.2.x Tor Browser
> > Bundles:
> 
> If you read the article, you'll see that clearing the cache on toggle
> isn't enough. The cache should be completely disabled. If not, you could
> visit sitea.com, then visit siteb.com, and they could easily figure out
> that you're the same person. Even if you're coming from a different Tor
> exit node, even if you clear cookies in between. That is unless you have
> the patience to only visit one site at a time, and toggle off/on between
> each different site visit.

Did I mention I don't like the toggle model? I thought I did :)

I guess you could also argue that "New Identity" is a toggle-ish
solution.

For the general TBB solution, see:
https://trac.torproject.org/projects/tor/ticket/3508

It is in 1.4.0.

As I said in the blog posts, I intend to isolate all browser state to
urlbar domain, and/or disable whatever features aren't amenable to
this. So far this means that 3rd party cookies must be disabled and DOM
storage must be disabled. 

HTTP auth can be isolated similarly to cache. See: 
https://trac.torproject.org/projects/tor/ticket/3748

SSL certificates are not isolated. They might never be. The SSL stack
is a nightmare.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
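
The sitea.com/siteb.com linkage described in the quoted reply, and the effect of keying the cache to the urlbar domain, as an added example that is not part of the original message and is not Torbutton's code. It assumes the identifier is carried in a cache validator (ETag), one well-known cache-based technique; `tracker.example`, the class names and the key functions are constructed for illustration.

```javascript
// Toy model of a browser cache and a third party that identifies clients
// by the ETag the browser replays. Constructed example, not Torbutton code.
class ThirdPartyServer {
  constructor() { this.nextId = 1; }
  // ifNoneMatch is the validator replayed from the browser cache, if any.
  handle(ifNoneMatch) {
    if (ifNoneMatch) return { status: 304, etag: ifNoneMatch }; // same client as before
    return { status: 200, etag: `id-${this.nextId++}` };        // fresh identifier
  }
}

class Browser {
  // keyFn decides which cache entries are shared between top-level sites.
  constructor(keyFn) { this.keyFn = keyFn; this.cache = new Map(); }
  // Load a third-party resource while urlbarDomain is the top-level site.
  load(urlbarDomain, resourceUrl, server) {
    const key = this.keyFn(urlbarDomain, resourceUrl);
    const cached = this.cache.get(key);
    const resp = server.handle(cached ? cached.etag : null);
    if (resp.status === 200) this.cache.set(key, { etag: resp.etag });
    return resp.etag; // the identifier the third party observes for this load
  }
}

// Classic cache: keyed by resource URL only, shared across all sites.
const sharedKey = (_urlbarDomain, url) => url;
// Isolated cache: keyed by (urlbar domain, resource URL).
const isolatedKey = (urlbarDomain, url) => `${urlbarDomain}|${url}`;

function visitTwoSites(keyFn) {
  const server = new ThirdPartyServer();
  const browser = new Browser(keyFn);
  const res = "https://tracker.example/pixel.gif"; // constructed URL
  const a = browser.load("sitea.com", res, server);
  const b = browser.load("siteb.com", res, server);
  const aAgain = browser.load("sitea.com", res, server); // return visit
  return { a, b, aAgain, linkable: a === b };
}

console.log("shared cache:  ", visitTwoSites(sharedKey));
console.log("isolated cache:", visitTwoSites(isolatedKey));
```

Cookies are not modelled at all, which is the point of the quoted reply: the shared cache links the two visits without them. Under isolation the return visit to sitea.com still hits its own cache entry, so caching keeps working within one urlbar domain.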