[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

Olivier Cornu o.cornu at riseup.net
Tue Jan 21 11:38:45 UTC 2014


On 21/01/2014 11:30, Yuri wrote:
> 
> I just tried stock Firefox 26.0 version, and it doesn't allow loopback
> access (FreeBSD version). I don't have a firewall. So it must be an issue
> with the earlier FF, or maybe with TBB modifications to it.
> Chrome-31 is also free of this problem.

Loopback (and LAN I bet) is accessible with TBB, FF and Chromium on
Linux (Ubuntu). Platform-specific behaviors?

Anyway, the more I think about it, the more I see this as a TBB bug: TBB
is leaking non-Tor connections on the client LAN.
As I understand it, current behavior is too clever and too liberal:
instead of allowing non-Tor connections to LAN hosts, supposedly because
they are safe, it should block them by default.

--
Olivier
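
The default-deny behavior argued for above, sketched as an added example (not part of the original message and not Tor Browser or NoScript code). The function names and the allowLocal opt-in flag are hypothetical; sample hosts in the comments are constructed.

```javascript
// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

function isLocalIPv4([a, b]) {
  return a === 127 ||                      // loopback 127.0.0.0/8
    a === 10 ||                            // RFC 1918 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) ||   // RFC 1918 172.16.0.0/12
    (a === 192 && b === 168) ||            // RFC 1918 192.168.0.0/16
    (a === 169 && b === 254) ||            // link-local 169.254.0.0/16
    a === 0;                               // "this host" 0.0.0.0/8
}

// True when the URL host is a loopback/LAN literal or a localhost name.
function isLocalDestination(rawHost) {
  const host = rawHost.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = parseIPv4(host);
  if (v4) return isLocalIPv4(v4);
  if (!host.includes(":")) return false;   // other names: re-check the resolved address
  if (host === "::1" || host === "::") return true;
  const mapped = /^::ffff:(.+)$/.exec(host);
  if (mapped) {                            // IPv4-mapped IPv6, dotted or hex form
    let o = parseIPv4(mapped[1]);
    const hx = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(mapped[1]);
    if (hx) {
      const hi = parseInt(hx[1], 16), lo = parseInt(hx[2], 16);
      o = [hi >> 8, hi & 255, lo >> 8, lo & 255];
    }
    return o ? isLocalIPv4(o) : true;      // unparsable mapped form: fail closed
  }
  const first = parseInt(host.split(":")[0] || "0", 16);
  return (first & 0xfe00) === 0xfc00 ||    // unique local fc00::/7
    (first & 0xffc0) === 0xfe80;           // link-local fe80::/10
}

// Policy: local destinations never leave via a direct connection unless the
// user has opted in; everything else goes through Tor.
function routeFor(host, allowLocal = false) {
  if (!isLocalDestination(host)) return "tor";
  return allowLocal ? "direct" : "block";
}
```

A hostname that is not a literal still has to be checked again against the address it resolves to, otherwise a public name pointing at 192.168.x.x passes this check.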


