[tor-talk] New HTTP authorization attack
Mike Perry
mikeperry at fscked.org
Tue Aug 23 16:01:00 UTC 2011

Thus spake tor at lists.grepular.com (tor at lists.grepular.com):
> > For the general TBB solution, see:
> > https://trac.torproject.org/projects/tor/ticket/3508
> >
> > It is in 1.4.0.
>
> Neat. I was unaware of the SafeCache addon.
>
> > As I said in the blog posts, I intend to isolate all browser state to
> > urlbar domain, and/or disable whatever features aren't amenable to
> > this. So far this means that 3rd party cookies must be disabled and DOM
> > storage must be disabled.
> >
> > HTTP auth can be isolated similarly to cache. See:
> > https://trac.torproject.org/projects/tor/ticket/3748
>
> Would be great if you achieved that.

Depending on how things go, we may or may not isolate HTTP auth to a
urlbar domain in Torbutton 1.4.1, but it is also on the roadmap for
TBB 2.2.x-stable:
https://trac.torproject.org/projects/tor/ticket/3748

> > SSL certificates are not isolated. They might never be. The SSL stack
> > is a nightmare.
>
> That's a shame. I'm seeing more and more sites enabling https.

Yes, but I don't think the tracking potential is as high there as it
is for explicit identifiers, except where they can trick the user into
installing a client certificate.

If the adversary does trick the user into installing weird certificates,
these are only stored in memory in TBB, and will be gone after a
browser restart.

So it is not as bad as cache, cookies, DOM storage, and auth.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
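
The urlbar-domain isolation of HTTP auth discussed in this message, sketched as an added example that is not part of the original post and is not Torbutton's code. The `AuthCache` class, the helper functions and all URLs are hypothetical, and the first party is approximated by the URL-bar hostname rather than the registrable domain.

```javascript
// Simplified model of a browser's HTTP auth credential cache (constructed
// for illustration). A real implementation would key on the registrable
// domain (eTLD+1) of the URL-bar page, which needs the Public Suffix List.
class AuthCache {
  constructor(isolateByUrlbar) {
    this.isolate = isolateByUrlbar;
    this.entries = new Map();
  }

  // Without isolation the key is only origin + realm, so one entry is
  // visible no matter which page embeds the resource.
  key(urlbarUrl, resourceUrl, realm) {
    const origin = new URL(resourceUrl).origin;
    const firstParty = this.isolate ? new URL(urlbarUrl).hostname : "*";
    return JSON.stringify([firstParty, origin, realm]);
  }

  store(urlbarUrl, resourceUrl, realm, credentials) {
    this.entries.set(this.key(urlbarUrl, resourceUrl, realm), credentials);
  }

  // Authorization header the browser would attach automatically, or null.
  lookup(urlbarUrl, resourceUrl, realm) {
    const c = this.entries.get(this.key(urlbarUrl, resourceUrl, realm));
    return c === undefined ? null : "Basic " + Buffer.from(c).toString("base64");
  }
}

// Constructed scenario: one third-party resource embedded on two sites.
const EMBEDDED = "https://thirdparty.example/img.png";

// Credentials cached under site A, then the resource is loaded under site B.
function crossSiteHeader(isolate) {
  const cache = new AuthCache(isolate);
  cache.store("https://site-a.example/", EMBEDDED, "r", "user:pass");
  return cache.lookup("https://site-b.example/news", EMBEDDED, "r");
}

// Same first party on both loads: isolation must not break normal reuse.
function sameSiteHeader(isolate) {
  const cache = new AuthCache(isolate);
  cache.store("https://site-a.example/", EMBEDDED, "r", "user:pass");
  return cache.lookup("https://site-a.example/other", EMBEDDED, "r");
}

console.log("shared cache, cross-site:  ", crossSiteHeader(false));
console.log("isolated cache, cross-site:", crossSiteHeader(true));
console.log("isolated cache, same site: ", sameSiteHeader(true));
```
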