[tor-talk] New HTTP authorization attack

Mike Perry mikeperry at fscked.org
Tue Aug 23 16:01:00 UTC 2011


Thus spake tor at lists.grepular.com (tor at lists.grepular.com):

> > For the general TBB solution, see:
> > https://trac.torproject.org/projects/tor/ticket/3508
> > 
> > It is in 1.4.0.
> 
> Neat. I was unaware of the SafeCache addon.
> 
> > As I said in the blog posts, I intend to isolate all browser state to
> > urlbar domain, and/or disable whatever features aren't amenable to
> > this. So far this means that 3rd party cookies must be disabled and DOM
> > storage must be disabled. 
> > 
> > HTTP auth can be isolated similarly to cache. See: 
> > https://trac.torproject.org/projects/tor/ticket/3748
> 
> Would be great if you achieved that.

Depending on how things go, we may or may not isolate HTTP auth to a
urlbar domain in Torbutton 1.4.1, but it is also on the roadmap for
TBB 2.2.x-stable:
https://trac.torproject.org/projects/tor/ticket/3748

> > SSL certificates are not isolated. They might never be. The SSL stack
> > is a nightmare.
> 
> That's a shame. I'm seeing more and more sites enabling https.

Yes, but I don't think the tracking potential is as high there as it
is for explicit identifiers, except where they can trick the user into
installing a client certificate.

If the adversary does trick the user into installing weird certificates,
these are only stored in memory in TBB, and will be gone after a
browser restart.

So it is not as bad as cache, cookies, DOM storage, and auth.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
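
Added example, not part of the original message and not Torbutton's code: a toy model of the urlbar-domain isolation described above, applied to an HTTP auth credential cache. The names AuthCache, registrableDomain and sharedAcrossSites, the two-label domain heuristic and the .example hosts are assumptions made for illustration.

```javascript
// Toy model: an HTTP auth cache keyed with and without the urlbar domain.
// All names and sample URLs are constructed; this is not browser code.

// Crude stand-in for a Public Suffix List lookup: keep the last two labels.
function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

class AuthCache {
  constructor(isolate) {
    this.isolate = isolate; // true = key entries by urlbar domain as well
    this.store = new Map();
  }

  // Unisolated key: (origin, realm). Isolated key adds the first party.
  key(urlbarUrl, requestUrl, realm) {
    const firstParty = this.isolate ? registrableDomain(urlbarUrl) : "*";
    return JSON.stringify([firstParty, new URL(requestUrl).origin, realm]);
  }

  save(urlbarUrl, requestUrl, realm, credentials) {
    this.store.set(this.key(urlbarUrl, requestUrl, realm), credentials);
  }

  // Credentials that would be replayed for this request, or null.
  lookup(urlbarUrl, requestUrl, realm) {
    const hit = this.store.get(this.key(urlbarUrl, requestUrl, realm));
    return hit === undefined ? null : hit;
  }
}

// The same third-party origin is embedded on two unrelated sites. Returns
// true if credentials cached under the first site are replayed on the second.
function sharedAcrossSites(cache) {
  const embedded = "https://thirdparty.example/img";
  cache.save("https://news.example/", embedded, "realm-a", "uid-1234:x");
  return cache.lookup("https://shop.example/", embedded, "realm-a") !== null;
}

console.log("unisolated cache shared across sites:",
  sharedAcrossSites(new AuthCache(false)));
console.log("isolated cache shared across sites:",
  sharedAcrossSites(new AuthCache(true)));
```

With isolation on, the entry is still reused within the same urlbar domain (including its subdomains), so ordinary logins on a single site keep working.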