[tbb-bugs] #16856 [Tor Browser]: 'network.http.speculative-parallel-limit' default setting provides tracking-risk
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 19 12:51:54 UTC 2015
#16856: 'network.http.speculative-parallel-limit' default setting provides tracking-risk
---------------------------+-----------------------------------------------
Reporter: RickGeex_ | Owner: tbb-team
Type: defect | Status: new
Priority: major | Milestone: TorBrowserBundle 2.3.x-stable
Component: Tor Browser | Version: Tor: unspecified
Keywords: tor, | Actual Points:
tracking, default | Points:
Parent ID: |
---------------------------+-----------------------------------------------
'network.http.speculative-parallel-limit' default setting provides tracking-risk
(thanks to Yuri Khan for the original scenario - 2015-08-14 22:33:56 PDT)
Potential tracking scenario:
* '''Attacker''' sends an e-mail to the '''Victim''' with a text around a URL
* '''Victim''' leaves the cursor in the area of the text
* Tor Browser '''speculatively''' connects to the destination '''URL''' in the email
* the Attacker logs these '''attempts''' and '''assigns''' the exit-node ''IP-address'' to the '''Victim's''' ''email address''
The result is that the exit-node's ''IP-address'' can be '''linked''' with the '''e-mail address''' of the targeted '''victim''', which (in case of '''seizing''' an ''exit-node'') can result in '''de-anonymizing''' the unaware '''user''' behind it.
This is exploitable in the Tor browser because the '''default''' value of the pre-connections API ('network.http.speculative-parallel-limit') is '''6'''.
A fix to mitigate this problem is to set 'network.http.speculative-parallel-limit' to '''0''' by '''default'''.
'''References'''
* '''https://bugzilla.mozilla.org/show_bug.cgi?id=814169'''
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16856>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
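An added example, not from the ticket or from Tor Browser itself: a small auditor that parses the `user_pref("name", value);` lines of a Firefox/Tor Browser `prefs.js` or `user.js` and reports whether the speculative-connection limit is still at the risky default. It assumes the built-in default of 6 named in the ticket; the sample pref contents below are constructed.

```python
import re

# The pref discussed in the ticket and the value the ticket proposes as safe.
SPECULATIVE_PREF = "network.http.speculative-parallel-limit"
SAFE_VALUE = 0

# Matches one line of a Firefox prefs.js / user.js file:
#   user_pref("name", value);
# Values are integers, booleans, or double-quoted strings.
_PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$'
)


def _parse_value(raw):
    """Convert the textual pref value into a Python int, bool, or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in a prefs file."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def speculative_connect_risk(text, default=6):
    """Return (effective limit, risky?) for a prefs file's contents.

    A pref absent from the file keeps the browser's built-in default, which the
    ticket reports as 6 for Tor Browser (hence the assumed `default` argument).
    """
    value = parse_prefs(text).get(SPECULATIVE_PREF, default)
    return value, value != SAFE_VALUE


# Constructed samples: a prefs file that leaves the limit at its default
# (pref absent) and one with the ticket's mitigation applied.
WEAK_PREFS = 'user_pref("browser.startup.homepage", "about:tor");\n'
HARDENED_PREFS = WEAK_PREFS + 'user_pref("network.http.speculative-parallel-limit", 0);\n'

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PREFS), ("hardened", HARDENED_PREFS)):
        value, risky = speculative_connect_risk(text)
        print(f"{label}: speculative-parallel-limit={value} risky={risky}")
```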