[tor-bugs] #10419 [Firefox Patch Issues]: Can requests to be used to fingerprint the browser?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jan 24 14:04:01 UTC 2014
#10419: Can requests to be used to fingerprint the browser?
Reporter: mikeperry | Owner: mikeperry
Type: task | Status: needs_review
Priority: major | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords: tbb-fingerprinting,
Resolution: | tbb-pref, MikePerry201401R
Actual Points: | Parent ID:
Points: |
Comment (by oc):
To further develop the above proposal, we have two class of traffic: Tor
(WAN) and non-Tor (lo/LAN). Tor anonymity mandates that we burn all
bridges between these two worlds, otherwise we cannot protect users from
fingerprinting or other information leakage -- intentional or not.
When using TBB to browse non-Tor resources (lo/LAN), that is as a regular
browser, we may not need to enforce anything a regular browser wouldn't:
if we block such traffic, users will switch to a regular browser and leak
all the same anyway. It thus seems we could allow "standard" non-Tor
traffic and live with lo->LAN access.
Safety issue with LAN->lo access should probably be fixed upstream as Yuri
advocates: with a general browser-level ban on wider-to-narrower traffic.
This is not going to happen any time soon: Chrome devs argue
[https://code.google.com/p/chromium/issues/detail?id=336371#c2 updated W3C
specs] would be required first; FF devs seem
[https://bugzilla.mozilla.org/show_bug.cgi?id=962017#c1 happy with CORS]
only, probably for the same reason. In the meantime, TBB could use default
ABE rules to enforce it anyway.
# Block wider-to-narrower access to loopback
Accept from
# Isolate Tor vs non-Tor domains
# Block WAN -> LAN/lo
Accept from LOCAL
# Block LAN/lo -> WAN
Site ALL
Deny from LOCAL
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10419#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list