[tor-bugs] #2640 [Torbutton]: Make tor:// urls safe
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Mar 1 08:20:54 UTC 2011
#2640: Make tor:// urls safe
-------------------------+--------------------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: new
Priority: major | Milestone:
Component: Torbutton | Version:
Keywords: | Parent:
Points: Infinite | Actualpoints:
-------------------------+--------------------------------------------------
tor:// urls are not safe. It is currently possible to cause Torbutton to
recognize any arbitrary content element with a tor:// url and ask the user
if they want to toggle into tor. There appears to be no way to use the
Firefox APIs to determine if such a load was actually due to the url bar.

The protocol handlers that listen for tor:// are actually called before
any listeners involving the url bar are called, and accessing the url bar
itself appears to return the previous URL, at least in FF 3.x.

By default, Torbutton still asks the user if they want to toggle, but even
this question can be used as a timing attack to determine that Torbutton
is installed, which violates our security requirements:
https://www.torproject.org/torbutton/en/design/#requirements

Credit for discovering this goes to "egypt" of the metasploit team:
https://twitter.com/egyp7/status/26023995288

Until either the APIs improve, or we find a side channel inside Firefox
that allows us to fix this and observe the URL bar contents and block
non-urlbar requests automatically, we need to leave tor:// urls off by
default.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2640>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online