[tor-bugs] #1999 [Torbutton]: 1.3.x: Tor URL support may allow attacks on Torbutton
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Feb 10 02:12:36 UTC 2011
#1999: 1.3.x: Tor URL support may allow attacks on Torbutton
------------------------+---------------------------------------------------
Reporter: rransom | Owner: koryk
Type: defect | Status: assigned
Priority: major | Milestone: Torbutton: 1.3
Component: Torbutton | Version: Torbutton: 1.3
Keywords: | Parent:
Points: | Actualpointsdone:
Pointsdone: | Actualpoints:
------------------------+---------------------------------------------------
Changes (by mikeperry):
* priority: normal => major
Comment:
I'm not sure if we can possibly actually fix this attack and others
easily. Kory spent a lot of time trying to see if he could observe the URL
bar's contents upon receipt of a tor:// protocol request. IIRC, Race
conditions in the Firefox APIs prevented him from doing this.
This makes me think this feature should be relegated to off-by-default
status, and that this should be considered the 'fix' for this ticket. We
should then create an enhancement ticket for "Make tor:// urls safe",
assign it a Points value of 'Infinite', and cross our fingers waiting for
a magical API update that will never come.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1999#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list