A warning to proxy writers
Chris Palmer
chris at eff.org
Wed Apr 20 23:15:56 UTC 2005
Adam Langley writes:
> http://www.imperialviolet.org/browser-information.html
What are some means of reducing this problem?
* A tweaked JavaScript implementation that responds with different
information
* A JavaScript information that is more configurable (configuration is
bad, though)
* Disable JavaScript completely; or make JavaScript act like pop-up
window control does in Firefox: "This page tried to use JavaScript.
Click here to allow this..."
* ...
> Next, any embeds in the HTML can trigger plugins which have their own
> proxy settings. Realmedia objects will almost certainly start a
> connection to the given server, Flash I don't know about, but I would
> guess so. Flash objects can also be used to store cookies which aren't
> handled via Cookie headers nor the browser.
>
> If the user doesn't have every protocol proxyied then an image link to
> https:// or ftp:// etc could cause a non-Tor connection.
Ugg, yes. This reminds me that John Gilmore has been talking about a
firewall setup that automatically routes TCP circuits through the local
Tor client before they are allowed out of the machine. Getting this to
work cross-platform would be "fun" (write a firewall config for all
major platforms that somehow does not interfere with any other
pre-existing firewall configuration...). The upshot would be that you
wouldn't have to configure *any* application to use Tor; it just would.
--
http://www.eff.org/about/staff/#chris_palmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20050420/12d9b946/attachment.pgp>
More information about the tor-talk
mailing list